[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Mon Apr 3 19:43:01 UTC 2017


 sw/source/filter/ww8/ww8par.hxx   |    2 +-
 sw/source/filter/ww8/ww8par2.cxx  |   29 ++++++++++++++++++++++++-----
 sw/source/filter/ww8/ww8struc.hxx |    2 +-
 3 files changed, 26 insertions(+), 7 deletions(-)

New commits:
commit 3feabd87ad8066b45b55d61cd72684e47fd79082
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Apr 3 20:36:06 2017 +0100

    ofz: check anlv text bounds
    
    Change-Id: I6288aae2d439cde6a2b95c005a2090f73e21bb7a

diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 69a90a6dcbc5..85f090ffa515 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1537,7 +1537,7 @@ private:
 // the corresponding structures are: LSTF, LVLF, LFO LFOLVL
 
     void SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV, const sal_uInt8* pText,
-        bool bOutline);
+        size_t nStart, size_t nElements, bool bOutline);
     void SetAnld(SwNumRule* pNumR, WW8_ANLD const * pAD, sal_uInt8 nSwLevel, bool bOutLine);
     void SetNumOlst( SwNumRule* pNumR, WW8_OLST* pO, sal_uInt8 nSwLevel );
     SwNumRule* GetStyRule();
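Review bot: The new `nStart` and `nElements` parameters of `SetAnlvStrings` have no statement of their units, and this declaration is where a future caller will look. Judging from the call sites in ww8par2.cxx, both are byte quantities: `nElements` is `SAL_N_ELEMENTS` of a `sal_uInt8` array, and `nStart` is `nTextOfs` after it has been doubled for the 16-bit format. I would add above the declaration `// nStart: byte offset into pText; nElements: size of the pText buffer in bytes (not characters)`. That stops a later caller from passing a character count and silently weakening the bounds check.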
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index a3888a2192f3..4687920445d3 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -678,8 +678,14 @@ static void SetBaseAnlv(SwNumFormat &rNum, WW8_ANLV const &rAV, sal_uInt8 nSwLev
 }
 
 void SwWW8ImplReader::SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV,
-    const sal_uInt8* pText, bool bOutline)
+    const sal_uInt8* pText, size_t nStart, size_t nElements, bool bOutline)
 {
+    if (nStart > nElements)
+        return;
+
+    pText += nStart;
+    nElements -= nStart;
+
     bool bInsert = false;                       // Default
     rtl_TextEncoding eCharSet = m_eStructCharSet;
 
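Review bot: The `if (nStart > nElements) return;` guard drops the numbering strings silently, whereas the two length checks added further down in the same function report through `SAL_WARN`. An offset beyond the buffer is the same kind of malformed-input signal, so it should be logged the same way before the return, for example `SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range start " << nStart << " vs " << nElements << " max");`. The body of SetAnlvStrings continues outside this hunk.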
@@ -687,13 +693,26 @@ void SwWW8ImplReader::SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV,
     bool bListSymbol = pF && ( pF->chs == 2 );      // Symbol/WingDings/...
 
     OUString sText;
+    sal_uInt32 nLen = rAV.cbTextBefore + rAV.cbTextAfter;
     if (m_bVer67)
     {
-        sText = OUString(reinterpret_cast<char const *>(pText), rAV.cbTextBefore + rAV.cbTextAfter, eCharSet);
+        if (nLen > nElements)
+        {
+            SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
+                << nLen << " vs " << nElements << " max");
+            return;
+        }
+        sText = OUString(reinterpret_cast<char const *>(pText), nLen, eCharSet);
     }
     else
     {
-        for(sal_Int32 i = 0; i < rAV.cbTextBefore + rAV.cbTextAfter; ++i, pText += 2)
+        if (nLen > nElements / 2)
+        {
+            SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
+                << nLen << " vs " << nElements / 2 << " max");
+            return;
+        }
+        for(sal_uInt32 i = 0; i < nLen; ++i, pText += 2)
         {
             sText += OUStringLiteral1(SVBT16ToShort(*reinterpret_cast<SVBT16 const *>(pText)));
         }
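Review bot: The two range checks differ only in the capacity they compare against (`nElements` bytes in the 8-bit branch, `nElements / 2` characters in the 16-bit branch), so the guard and its warning are written twice. Computing the capacity in characters once and testing it before the `if (m_bVer67)` split leaves a single rejection path, which is harder to get out of step if either branch is edited later. The accepted and rejected inputs are intended to be the same as in the hunk. SetAnlvStrings starts before and continues after the lines shown.

```cpp
    sal_uInt32 nLen = rAV.cbTextBefore + rAV.cbTextAfter;
    // capacity of the remaining buffer, in characters of the format being read
    const size_t nMaxChars = m_bVer67 ? nElements : nElements / 2;
    if (nLen > nMaxChars)
    {
        SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
            << nLen << " vs " << nMaxChars << " max");
        return;
    }
    // … unchanged: 8-bit OUString construction and 16-bit SVBT16ToShort loop, without their own checks …
```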
@@ -778,7 +797,7 @@ void SwWW8ImplReader::SetAnld(SwNumRule* pNumR, WW8_ANLD const * pAD, sal_uInt8
         m_bAktAND_fNumberAcross = 0 != pAD->fNumberAcross;
         WW8_ANLV const &rAV = pAD->eAnlv;
         SetBaseAnlv(aNF, rAV, nSwLevel);                    // set the base format
-        SetAnlvStrings(aNF, rAV, pAD->rgchAnld, bOutLine ); // set the rest
+        SetAnlvStrings(aNF, rAV, pAD->rgchAnld, 0, SAL_N_ELEMENTS(pAD->rgchAnld), bOutLine); // set the rest
     }
     pNumR->Set(nSwLevel, aNF);
 }
@@ -908,7 +927,7 @@ void SwWW8ImplReader::SetNumOlst(SwNumRule* pNumR, WW8_OLST* pO, sal_uInt8 nSwLe
 
     if (!m_bVer67)
         nTextOfs *= 2;
-    SetAnlvStrings(aNF, rAV, pO->rgch + nTextOfs, true); // and apply
+    SetAnlvStrings(aNF, rAV, pO->rgch, nTextOfs, SAL_N_ELEMENTS(pO->rgch), true); // and apply
     pNumR->Set(nSwLevel, aNF);
 }
 
diff --git a/sw/source/filter/ww8/ww8struc.hxx b/sw/source/filter/ww8/ww8struc.hxx
index 097391dde1e2..ba7768caac0b 100644
--- a/sw/source/filter/ww8/ww8struc.hxx
+++ b/sw/source/filter/ww8/ww8struc.hxx
@@ -649,7 +649,7 @@ struct WW8_ANLD
     sal_uInt8 fNumberAcross;    // 0x11     number across cells in table rows(instead of down)
     sal_uInt8 fRestartHdn;  // 0x12     restart heading number on section boundary
     sal_uInt8 fSpareX;      // 0x13     unused( should be 0)
-    sal_uInt8  rgchAnld[32]; // 0x14 characters displayed before/after autonumber
+    sal_uInt8 rgchAnld[32]; // 0x14 characters displayed before/after autonumber
 };
 
 struct WW8_OLST

