[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - sw/qa sw/source
Caolán McNamara
caolanm at redhat.com
Wed Sep 2 08:50:40 PDT 2015
sw/qa/core/data/ww8/pass/hang-6.doc |binary
sw/source/filter/ww8/ww8par.cxx | 22 +++++++++++++---------
2 files changed, 13 insertions(+), 9 deletions(-)
New commits:
commit 2284ada74ac0dd66b4f5e3e811a85fc6c458d13a
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Aug 31 13:21:19 2015 +0100
check for ridiculous lengths and check stream status
Change-Id: Iefe943794e005f03b2a6ea5fc642b8c3d21b3334
(cherry picked from commit 858257d465b7e7ce54819cc2f631efcb20632863)
Reviewed-on: https://gerrit.libreoffice.org/18174
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
Tested-by: Miklos Vajna <vmiklos at collabora.co.uk>
diff --git a/sw/qa/core/data/ww8/pass/hang-6.doc b/sw/qa/core/data/ww8/pass/hang-6.doc
new file mode 100644
index 0000000..48293c5
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/hang-6.doc differ
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 2b0170b..ad69a1f 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -677,16 +677,22 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
SEEK_FROM_CURRENT_AND_RESTART )
&& maShapeRecords.Current()->nRecLen )
{
- sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
- sal_uInt32 nUDData;
- sal_uInt16 nPID;
+ sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
+ auto nAvailableBytes = rSt.remainingSize();
+ if (nBytesLeft > nAvailableBytes)
+ {
+ SAL_WARN("sw.ww8", "Document claimed to have shape record of " << nBytesLeft << " bytes, but only " << nAvailableBytes << " available");
+ nBytesLeft = nAvailableBytes;
+ }
while( 5 < nBytesLeft )
{
- rSt.ReadUInt16( nPID );
- if ( rSt.GetError() != 0 )
+ sal_uInt16 nPID(0);
+ rSt.ReadUInt16(nPID);
+ sal_uInt32 nUDData(0);
+ rSt.ReadUInt32(nUDData);
+ if (!rSt.good())
break;
- rSt.ReadUInt32( nUDData );
- switch( nPID )
+ switch (nPID)
{
case 0x038F: pImpRec->nXAlign = nUDData; break;
case 0x0390:
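Review bot: The clamp `nBytesLeft = nAvailableBytes;` narrows implicitly, and `auto` hides that remainingSize() may return a type wider than sal_uInt32. The assignment is safe only because the preceding comparison guarantees the value fits. I would make that explicit with `nBytesLeft = static_cast<sal_uInt32>(nAvailableBytes);` and a comment such as `// nRecLen is read from the document and untrusted; cap it at what the stream can actually supply`. The cap is also the whole remaining stream rather than the enclosing record, so a crafted nRecLen that still fits in the stream lets the loop read following records as PID/value pairs; whether that matters depends on how the pImpRec fields are range-checked by their consumers, which is not visible here. ProcessObj's body starts and ends outside the hunk.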
@@ -714,8 +720,6 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
pImpRec->isHorizontalRule = true;
break;
}
- if ( rSt.GetError() != 0 )
- break;
nBytesLeft -= 6;
}
}