[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - sw/qa sw/source
Caolán McNamara
caolanm at redhat.com
Tue Sep 1 08:28:32 PDT 2015
sw/qa/core/data/ww8/pass/hang-6.doc |binary
sw/source/filter/ww8/ww8par.cxx | 22 +++++++++++++---------
2 files changed, 13 insertions(+), 9 deletions(-)
New commits:
commit 315cd7896e8b4193fe1b13a2d58d97446f9d1d87
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Aug 31 13:21:19 2015 +0100
check for ridiculous lengths and check stream status
Change-Id: Iefe943794e005f03b2a6ea5fc642b8c3d21b3334
(cherry picked from commit 858257d465b7e7ce54819cc2f631efcb20632863)
Reviewed-on: https://gerrit.libreoffice.org/18173
Reviewed-by: Jan Holesovsky <kendy at collabora.com>
Tested-by: Jan Holesovsky <kendy at collabora.com>
diff --git a/sw/qa/core/data/ww8/pass/hang-6.doc b/sw/qa/core/data/ww8/pass/hang-6.doc
new file mode 100644
index 0000000..48293c5
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/hang-6.doc differ
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 84b65d5..4a352dd 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -678,16 +678,22 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
SEEK_FROM_CURRENT_AND_RESTART )
&& maShapeRecords.Current()->nRecLen )
{
- sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
- sal_uInt32 nUDData;
- sal_uInt16 nPID;
+ sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
+ auto nAvailableBytes = rSt.remainingSize();
+ if (nBytesLeft > nAvailableBytes)
+ {
+ SAL_WARN("sw.ww8", "Document claimed to have shape record of " << nBytesLeft << " bytes, but only " << nAvailableBytes << " available");
+ nBytesLeft = nAvailableBytes;
+ }
while( 5 < nBytesLeft )
{
- rSt.ReadUInt16( nPID );
- if ( rSt.GetError() != 0 )
+ sal_uInt16 nPID(0);
+ rSt.ReadUInt16(nPID);
+ sal_uInt32 nUDData(0);
+ rSt.ReadUInt32(nUDData);
+ if (!rSt.good())
break;
- rSt.ReadUInt32( nUDData );
- switch( nPID )
+ switch (nPID)
{
case 0x038F: pImpRec->nXAlign = nUDData; break;
case 0x0390:
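Review bot: The clamp `nBytesLeft = nAvailableBytes;` assigns the `auto`-typed result of `rSt.remainingSize()` to a `sal_uInt32`, so if that type is wider than 32 bits (its declaration is not visible here) the narrowing is implicit and is safe only because the enclosing `if (nBytesLeft > nAvailableBytes)` bounds the value. I would make that invariant explicit with `nBytesLeft = static_cast<sal_uInt32>(nAvailableBytes); // fits: smaller than the old nBytesLeft`, which also keeps truncation warnings quiet in a parser that handles untrusted record lengths. Separately, the `case 0x038F` line still stores the file-supplied `nUDData` into `pImpRec->nXAlign` without a range check, so the code that consumes that field needs to validate it. That consumer is outside this hunk, as are the start and end of ProcessObj.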
@@ -715,8 +721,6 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
pImpRec->isHorizontalRule = true;
break;
}
- if ( rSt.GetError() != 0 )
- break;
nBytesLeft -= 6;
}
}