[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - sd/qa sd/source
Caolán McNamara
caolanm at redhat.com
Fri Aug 28 04:25:21 PDT 2015
sd/qa/unit/data/ppt/pass/hang-18.ppt |binary
sd/source/filter/ppt/propread.cxx | 27 ++++++++++++++++++++-------
2 files changed, 20 insertions(+), 7 deletions(-)
New commits:
commit 0591e1bae3963277240848851158bf82d3be3911
Author: Caolán McNamara <caolanm at redhat.com>
Date: Fri Aug 28 09:15:04 2015 +0100
clip strings to max available size
(cherry picked from commit 580d3837b26f09ed02fe3583de40fa045a3fde0f)
Change-Id: Icc1378c9c27b9b6d229bcffc6a63017f82be70d4
Reviewed-on: https://gerrit.libreoffice.org/18101
Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
Tested-by: Michael Meeks <michael.meeks at collabora.com>
diff --git a/sd/qa/unit/data/ppt/pass/hang-18.ppt b/sd/qa/unit/data/ppt/pass/hang-18.ppt
new file mode 100644
index 0000000..3b3e9f7
Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/hang-18.ppt differ
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index 20e59df..1e71044 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -73,7 +73,7 @@ static sal_Int32 lcl_getMaxSafeStrLen(sal_uInt32 nSize)
bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
{
- sal_uInt32 i, nItemSize, nType, nItemPos;
+ sal_uInt32 nType, nItemPos;
bool bRetValue = false;
nItemPos = Tell();
@@ -86,8 +86,8 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
else
nType = nStringType & VT_TYPEMASK;
- nItemSize = 0; // Initialize in case stream fails.
- ReadUInt32( nItemSize );
+ sal_uInt32 nItemSize(0); // Initialize in case stream fails.
+ ReadUInt32(nItemSize);
switch( nType )
{
@@ -95,6 +95,12 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
{
if ( nItemSize )
{
+ auto nMaxSizePossible = remainingSize();
+ if (nItemSize > nMaxSizePossible)
+ {
+ SAL_WARN("sd.filter", "String of Len " << nItemSize << " claimed, only " << nMaxSizePossible << " possible");
+ nItemSize = nMaxSizePossible;
+ }
try
{
sal_Char* pString = new sal_Char[ nItemSize ];
@@ -103,8 +109,8 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
nItemSize >>= 1;
if ( nItemSize > 1 )
{
- sal_Unicode* pWString = (sal_Unicode*)pString;
- for ( i = 0; i < nItemSize; i++ )
+ sal_Unicode* pWString = reinterpret_cast<sal_Unicode*>(pString);
+ for (sal_uInt32 i = 0; i < nItemSize; ++i)
ReadUInt16( pWString[ i ] );
rString = OUString(pWString, lcl_getMaxSafeStrLen(nItemSize));
}
@@ -140,12 +146,19 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
{
if ( nItemSize )
{
+ auto nMaxSizePossible = remainingSize() / sizeof(sal_Unicode);
+ if (nItemSize > nMaxSizePossible)
+ {
+ SAL_WARN("sd.filter", "String of Len " << nItemSize << " claimed, only " << nMaxSizePossible << " possible");
+ nItemSize = nMaxSizePossible;
+ }
+
try
{
sal_Unicode* pString = new sal_Unicode[ nItemSize ];
- for ( i = 0; i < nItemSize; i++ )
+ for (sal_uInt32 i = 0; i < nItemSize; ++i)
ReadUInt16( pString[ i ] );
- if ( pString[ i - 1 ] == 0 )
+ if ( pString[ nItemSize - 1 ] == 0 )
{
if ( (sal_uInt16)nItemSize > 1 )
rString = OUString(pString, lcl_getMaxSafeStrLen(nItemSize));
More information about the Libreoffice-commits
mailing list