[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - sw/source

Stephan Bergmann sbergman at redhat.com
Tue Aug 25 00:46:53 PDT 2015


 sw/source/filter/ww8/ww8graf.cxx |    6 ++-
 sw/source/filter/ww8/ww8scan.cxx |   73 +++++++++++++++++++++++++--------------
 sw/source/filter/ww8/ww8scan.hxx |    2 -
 3 files changed, 52 insertions(+), 29 deletions(-)

New commits:
commit 1f3162c473c43a87b261fce83a69e44085394f45
Author: Stephan Bergmann <sbergman at redhat.com>
Date:   Mon Aug 24 19:21:48 2015 +0200

    Handle GetBaseCp overflow
    
    ...as found by UBSan in CppunitTest_sw_filters_test (see below); note the TODOs
    about how best to report the errors up the call stack.
    
    > Testing file:///.../sw/qa/core/data/ww6/pass/crash-3.doc:
    > sw/source/filter/ww8/ww8scan.cxx:5240:63: runtime error: signed integer overflow: 1766665948 + 1768712052 cannot be represented in type 'int'
    >  WW8Fib::GetBaseCp(ManTypes) const sw/source/filter/ww8/ww8scan.cxx:5240:63
    >  SwWW8ImplReader::Read_GrafLayer(long) sw/source/filter/ww8/ww8graf.cxx:2393:18
    >  SwWW8ImplReader::ReadChar(long, long) sw/source/filter/ww8/ww8par.cxx:3630:17
    >  SwWW8ImplReader::ReadChars(int&, int, long, long) sw/source/filter/ww8/ww8par.cxx:3432:27
    >  SwWW8ImplReader::ReadText(int, int, ManTypes) sw/source/filter/ww8/ww8par.cxx:3970:22
    >  SwWW8ImplReader::CoreLoad(WW8Glossary*, SwPosition const&) sw/source/filter/ww8/ww8par.cxx:5169:9
    >  SwWW8ImplReader::LoadThroughDecryption(SwPaM&, WW8Glossary*) sw/source/filter/ww8/ww8par.cxx:5767:19
    >  SwWW8ImplReader::LoadDoc(SwPaM&, WW8Glossary*) sw/source/filter/ww8/ww8par.cxx:6039:19
    >  WW8Reader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) sw/source/filter/ww8/ww8par.cxx:6157:20
    >  SwReader::Read(Reader const&) sw/source/filter/basflt/shellio.cxx:175:18
    >  SwDocShell::ConvertFrom(SfxMedium&) sw/source/uibase/app/docsh.cxx:258:22
    >  SfxObjectShell::DoLoad(SfxMedium*) sfx2/source/doc/objstor.cxx:790:23
    >  SwFiltersTest::filter(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) sw/qa/core/filters-test.cxx:112:20
    >  SwFiltersTest::load(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) sw/qa/core/filters-test.cxx:71:12
    >  test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) unotest/source/cpp/filters-test.cxx:129:20
    >  test::FiltersTest::testDir(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) unotest/source/cpp/filters-test.cxx:154:5
    >  SwFiltersTest::testCVEs() sw/qa/core/filters-test.cxx:154:5
    
    Change-Id: I0b14f5c1e025565eb131e64590b7d5ff0135e767
    Reviewed-on: https://gerrit.libreoffice.org/17965
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit d281b4607638231b8a3716bdc80846c24ce55cc7)
    Reviewed-on: https://gerrit.libreoffice.org/17969
    Reviewed-by: David Tardon <dtardon at redhat.com>
    Tested-by: David Tardon <dtardon at redhat.com>

diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx
index 6d5ee95..d3156f3 100644
--- a/sw/source/filter/ww8/ww8graf.cxx
+++ b/sw/source/filter/ww8/ww8graf.cxx
@@ -867,7 +867,8 @@ bool SwWW8ImplReader::GetTxbxTextSttEndCp(WW8_CP& rStartCp, WW8_CP& rEndCp,
 // den um -2 (bzw. -1 bei Ver8) korrigierten End-Cp zurueck
 sal_Int32 SwWW8ImplReader::GetRangeAsDrawingString(OUString& rString, long nStartCp, long nEndCp, ManTypes eType)
 {
-    WW8_CP nOffset = m_pWwFib->GetBaseCp(eType);
+    WW8_CP nOffset = 0;
+    m_pWwFib->GetBaseCp(eType, &nOffset); //TODO: check return value
 
     OSL_ENSURE(nStartCp <= nEndCp, "+Wo ist der Grafik-Text (7) ?");
     if (nStartCp == nEndCp)
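Review bot: The result of `GetBaseCp` is discarded on the line `m_pWwFib->GetBaseCp(eType, &nOffset); //TODO: check return value`, so when the summation overflows nOffset silently stays at 0 and the text range is resolved against the main-text base rather than the requested subdocument. The same pattern appears in the `Read_GrafLayer` hunk below (`m_nDrawCpO`) and in the `WW8PLCFMan` constructor hunk in ww8scan.cxx (`nCpO`). Since this function returns sal_Int32, one option is to stop here, e.g. `if (!m_pWwFib->GetBaseCp(eType, &nOffset)) return 0;`, but what a 0 return means to callers is not visible in this hunk, so the failure value needs confirming against the function's other returns. GetRangeAsDrawingString's body continues outside the hunk.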
@@ -2390,7 +2391,8 @@ SwFrameFormat* SwWW8ImplReader::Read_GrafLayer( long nGrafAnchorCp )
 
     ::SetProgressState(m_nProgress, m_pDocShell);     // Update
 
-    m_nDrawCpO = m_pWwFib->GetBaseCp(m_pPlcxMan->GetManType() == MAN_HDFT ? MAN_TXBX_HDFT : MAN_TXBX);
+    m_nDrawCpO = 0;
+    m_pWwFib->GetBaseCp(m_pPlcxMan->GetManType() == MAN_HDFT ? MAN_TXBX_HDFT : MAN_TXBX, &m_nDrawCpO); //TODO: check return value
 
     GrafikCtor();
 
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 312abf4..1f7f526 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -4595,7 +4595,9 @@ WW8PLCFMan::WW8PLCFMan(WW8ScannerBase* pBase, ManTypes nType, long nStartCp,
             break;
     }
 
-    nCpO = pWwFib->GetBaseCp(nType);
+    WW8_CP cp = 0;
+    pWwFib->GetBaseCp(nType, &cp); //TODO: check return value
+    nCpO = cp;
 
     if( nStartCp || nCpO )
         SeekPos( nStartCp );    // PLCFe auf Text-StartPos einstellen
@@ -5235,46 +5237,65 @@ namespace
     }
 }
 
-WW8_CP WW8Fib::GetBaseCp(ManTypes nType) const
+bool WW8Fib::GetBaseCp(ManTypes nType, WW8_CP * cp) const
 {
+    assert(cp != nullptr);
     WW8_CP nOffset = 0;
 
     switch( nType )
     {
         default:
-        case MAN_MAINTEXT:
-            break;
-        case MAN_FTN:
-            nOffset = ccpText;
-            break;
-        case MAN_HDFT:
-            nOffset = ccpText + ccpFootnote;
-            break;
+        case MAN_TXBX_HDFT:
+            nOffset = ccpTxbx;
+            // fall through
+        case MAN_TXBX:
+            if (ccpEdn > std::numeric_limits<WW8_CP>::max() - nOffset) {
+                return false;
+            }
+            nOffset += ccpEdn;
+            // fall through
+        case MAN_EDN:
+            if (ccpAtn > std::numeric_limits<WW8_CP>::max() - nOffset) {
+                return false;
+            }
+            nOffset += ccpAtn;
+            // fall through
+        case MAN_AND:
+            if (ccpMcr > std::numeric_limits<WW8_CP>::max() - nOffset) {
+                return false;
+            }
+            nOffset += ccpMcr;
         /*
+            // fall through
+
          A subdocument of this kind (MAN_MACRO) probably exists in some defunct
          version of MSWord, but now ccpMcr is always 0. If some example that
          uses this comes to light, this is the likely calculation required
 
         case MAN_MACRO:
-            nOffset = ccpText + ccpFootnote + ccpHdr;
-            break;
-
         */
-        case MAN_AND:
-            nOffset = ccpText + ccpFootnote + ccpHdr + ccpMcr;
-            break;
-        case MAN_EDN:
-            nOffset = ccpText + ccpFootnote + ccpHdr + ccpMcr + ccpAtn;
-            break;
-        case MAN_TXBX:
-            nOffset = ccpText + ccpFootnote + ccpHdr + ccpMcr + ccpAtn + ccpEdn;
-            break;
-        case MAN_TXBX_HDFT:
-            nOffset = ccpText + ccpFootnote + ccpHdr + ccpMcr + ccpAtn + ccpEdn +
-                ccpTxbx;
+            if (ccpHdr > std::numeric_limits<WW8_CP>::max() - nOffset) {
+                return false;
+            }
+            nOffset += ccpHdr;
+            // fall through
+        case MAN_HDFT:
+            if (ccpFootnote > std::numeric_limits<WW8_CP>::max() - nOffset) {
+                return false;
+            }
+            nOffset += ccpFootnote;
+            // fall through
+        case MAN_FTN:
+            if (ccpText > std::numeric_limits<WW8_CP>::max() - nOffset) {
+                return false;
+            }
+            nOffset += ccpText;
+            // fall through
+        case MAN_MAINTEXT:
             break;
     }
-    return nOffset;
+    *cp = nOffset;
+    return true;
 }
 
 ww::WordVersion WW8Fib::GetFIBVersion() const
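Review bot: The overflow guards in `GetBaseCp` only catch positive overflow; if the ccp* members are signed (the UBSan report names the overflowing type as `int`), a negative value read from a malformed file passes `ccpEdn > std::numeric_limits<WW8_CP>::max() - nOffset`, and once nOffset itself goes negative the subtraction `max() - nOffset` overflows inside the very check meant to prevent it. Rejecting negatives at each step, e.g. `if (ccpEdn < 0 || ccpEdn > std::numeric_limits<WW8_CP>::max() - nOffset) return false;`, and checking ccpTxbx before `nOffset = ccpTxbx;`, closes that gap. Separately, the unchanged `default:` label now sits above `case MAN_TXBX_HDFT:` instead of `case MAN_MAINTEXT:`, so an unlisted ManTypes value would receive the full text-box offset where it previously got 0; if every enumerator is listed this is unreachable, but it is worth confirming or moving the label back next to `case MAN_MAINTEXT:`.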
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index 9b258af..1d0b210 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -1456,7 +1456,7 @@ public:
     bool Write(SvStream& rStrm);
     static rtl_TextEncoding GetFIBCharset(sal_uInt16 chs, sal_uInt16 nLidLocale);
     ww::WordVersion GetFIBVersion() const;
-    WW8_CP GetBaseCp(ManTypes nType) const;
+    bool GetBaseCp(ManTypes nType, WW8_CP * cp) const;
     sal_Unicode getNumDecimalSep() const { return nNumDecimalSep;}
 };
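Review bot: The new `bool GetBaseCp(ManTypes nType, WW8_CP * cp) const;` declaration carries no comment describing the out-parameter contract, and all three call sites in this commit ignore the return value, so a reader of the header cannot tell what `false` means or whether `*cp` is written on failure. A comment such as `/// Computes the CP offset at which subdocument nType starts; returns false, leaving *cp untouched, if the summed ccp* lengths would overflow WW8_CP.` next to the declaration states the contract the implementation actually has.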
 

