[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - sc/source

Eike Rathke erack at redhat.com
Fri Nov 17 09:10:55 UTC 2017 

 sc/source/filter/inc/formel.hxx |   30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

New commits:
commit 6ba9b72cff5a761f36b2b9b892b572bc7cb5ae18
Author: Eike Rathke <erack at redhat.com>
Date:   Fri Nov 10 10:52:19 2017 +0100

    ofz#4123 do not read past end of file
    
    Change-Id: I1fa3543d541ea084a43a1a11f62680fa798f5647
    (cherry picked from commit 78bcc5ddca186f0009124a697184f332405d3e1e)
    Reviewed-on: https://gerrit.libreoffice.org/44586
    Tested-by: Eike Rathke <erack at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sc/source/filter/inc/formel.hxx b/sc/source/filter/inc/formel.hxx
index 433ba0809a94..aa7944161439 100644
--- a/sc/source/filter/inc/formel.hxx
+++ b/sc/source/filter/inc/formel.hxx
@@ -143,31 +143,51 @@ inline void LotusConverterBase::Ignore( const long nSeekRel )
 inline void LotusConverterBase::Read( sal_uInt8& nByte )
 {
     aIn.ReadUChar( nByte );
-    nBytesLeft--;
+    if (aIn.good())
+        nBytesLeft--;
+    else
+    {
+        // SvStream::ReadUChar() does not init a single char on failure. This
+        // behaviour is even tested in a unit test.
+        nByte = 0;
+        nBytesLeft = -1;    // bail out early
+    }
 }
 
 inline void LotusConverterBase::Read( sal_uInt16& nUINT16 )
 {
     aIn.ReadUInt16( nUINT16 );
-    nBytesLeft -= 2;
+    if (aIn.good())
+        nBytesLeft -= 2;
+    else
+        nBytesLeft = -1;    // bail out early
 }
 
 inline void LotusConverterBase::Read( sal_Int16& nINT16 )
 {
     aIn.ReadInt16( nINT16 );
-    nBytesLeft -= 2;
+    if (aIn.good())
+        nBytesLeft -= 2;
+    else
+        nBytesLeft = -1;    // bail out early
 }
 
 inline void LotusConverterBase::Read( double& fDouble )
 {
     aIn.ReadDouble( fDouble );
-    nBytesLeft -= 8;
+    if (aIn.good())
+        nBytesLeft -= 8;
+    else
+        nBytesLeft = -1;    // bail out early
 }
 
 inline void LotusConverterBase::Read( sal_uInt32& nUINT32 )
 {
     aIn.ReadUInt32( nUINT32 );
-    nBytesLeft -= 4;
+    if (aIn.good())
+        nBytesLeft -= 4;
+    else
+        nBytesLeft = -1;    // bail out early
 }
 
 #endif

More information about the Libreoffice-commits mailing list