[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - sw/source

Caolán McNamara caolanm at redhat.com
Wed Nov 22 14:24:51 UTC 2017 

 sw/source/filter/ww8/ww8par.hxx  |    2 +-
 sw/source/filter/ww8/ww8par2.cxx |   39 ++++++++++++++++++++++++---------------
 sw/source/filter/ww8/ww8par6.cxx |    2 +-
 3 files changed, 26 insertions(+), 17 deletions(-)

New commits:
commit a9ed411b4ad92cab9a9642e55a0dae06b039a748
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Nov 20 12:37:35 2017 +0000

    ofz#4335 verify sprmTDefTable length
    
    Change-Id: I846099f98c24ef1b53f070962c7a218e3a7e35b9
    Reviewed-on: https://gerrit.libreoffice.org/44962
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>

diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 31425907dc6d..9f6b1fef2c22 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1033,7 +1033,7 @@ struct WW8TabBandDesc
     WW8TabBandDesc(WW8TabBandDesc& rBand);    // deep copy
     ~WW8TabBandDesc();
     static void setcelldefaults(WW8_TCell *pCells, short nCells);
-    void ReadDef(bool bVer67, const sal_uInt8* pS);
+    void ReadDef(bool bVer67, const sal_uInt8* pS, short nLen);
     void ProcessDirection(const sal_uInt8* pParams);
     void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC);
     void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams);
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 6ce9e4e5b161..b65b763b73b1 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1226,27 +1226,35 @@ WW8TabBandDesc::WW8TabBandDesc( WW8TabBandDesc& rBand )
 }
 
 // ReadDef reads the cell position and the borders of a band
-void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS)
+void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS, short nLen)
 {
     if (!bVer67)
+    {
+        //the ww8 version of this is unusual in masquerading as a a srpm with a
+        //single byte len arg while it really has a word len arg, after this
+        //increment nLen is correct to describe the remaining amount of data
         pS++;
+    }
 
-    short nLen = (sal_Int16)SVBT16ToShort( pS - 2 ); // not beautiful
-
+    --nLen; //reduce len by expected nCols arg
+    if (nLen < 0)
+        return;
     sal_uInt8 nCols = *pS;                       // number of cells
-    short nOldCols = nWwCols;
 
-    if( nCols > MAX_COL )
+    if (nCols > MAX_COL)
         return;
 
+    short nOldCols = nWwCols;
     nWwCols = nCols;
 
+    nLen -= 2 * (nCols + 1); //reduce len by claimed amount of next x-borders arguments
+    if (nLen < 0)
+        return;
+
     const sal_uInt8* pT = &pS[1];
-    nLen --;
-    int i;
-    for(i=0; i<=nCols; i++, pT+=2 )
+    for (int i = 0; i <= nCols; i++, pT+=2)
         nCenter[i] = (sal_Int16)SVBT16ToShort( pT );    // X-borders
-    nLen -= 2 * ( nCols + 1 );
+
     if( nCols != nOldCols ) // different column count
     {
         delete[] pTCs;
@@ -1266,11 +1274,9 @@ void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS)
         setcelldefaults(pTCs,nCols);
     }
 
-    short nColsToRead = nFileCols;
-    if (nColsToRead > nCols)
-        nColsToRead = nCols;
+    short nColsToRead = std::min<short>(nFileCols, nCols);
 
-    if( nColsToRead )
+    if (nColsToRead > 0)
     {
         // read TCs
 
@@ -1286,7 +1292,7 @@ void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS)
         if( bVer67 )
         {
             WW8_TCellVer6 const * pTc = reinterpret_cast<WW8_TCellVer6 const *>(pT);
-            for(i=0; i<nColsToRead; i++, ++pAktTC,++pTc)
+            for (int i = 0; i < nColsToRead; i++, ++pAktTC,++pTc)
             {
                 if( i < nColsToRead )
                 {               // TC from file ?
@@ -1920,6 +1926,9 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
             while (aSprmIter.GetSprms() && nullptr != (pParams = aSprmIter.GetAktParams()))
             {
                 sal_uInt16 nId = aSprmIter.GetAktId();
+                sal_uInt16 nFixedLen = aSprmParser.DistanceToData(nId);
+                sal_uInt16 nL = aSprmParser.GetSprmSize(nId, aSprmIter.GetSprms(), aSprmIter.GetRemLen());
+                sal_uInt16 nLen = nL - nFixedLen;
                 wwTableSprm eSprm = GetTableSprm(nId, m_pIo->GetFib().GetFIBVersion());
                 switch (eSprm)
                 {
@@ -1966,7 +1975,7 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
                         m_bClaimLineFormat = true;
                         break;
                     case sprmTDefTable:
-                        pNewBand->ReadDef(bOldVer, pParams);
+                        pNewBand->ReadDef(bOldVer, pParams, nLen);
                         bTabRowJustRead = true;
                         break;
                     case sprmTDefTableShd:
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx
index b8362e6983c0..81efda11a8e2 100644
--- a/sw/source/filter/ww8/ww8par6.cxx
+++ b/sw/source/filter/ww8/ww8par6.cxx
@@ -5109,7 +5109,7 @@ bool SwWW8ImplReader::ParseTabPos(WW8_TablePos *pTabPos, WW8PLCFx_Cp_FKP* pPap)
     if (nullptr != aRes.pSprm)
     {
         WW8TabBandDesc aDesc;
-        aDesc.ReadDef(false, aRes.pSprm);
+        aDesc.ReadDef(false, aRes.pSprm, aRes.nRemainingData);
         int nTableWidth = aDesc.nCenter[aDesc.nWwCols] - aDesc.nCenter[0];
         int nTextAreaWidth = m_aSectionManager.GetTextAreaWidth();
         // If the table is wider than the text area, then don't create a fly

More information about the Libreoffice-commits mailing list