[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - sw/source

[Caolán McNamara]

 sw/source/filter/ww8/ww8par6.cxx |   13 +++++++------
 sw/source/filter/ww8/ww8scan.cxx |    9 ++++++++-
 2 files changed, 15 insertions(+), 7 deletions(-)

New commits:
commit f3c4dd743c026d9e987656d0abd4979df6f11b30
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Nov 28 10:55:39 2017 +0000

    ofz: check sprm bounds
    
    and don't reuse results of previous search
    
    Change-Id: I15d55aba260377f2f43627d775adf1a01370ae3e
    Reviewed-on: https://gerrit.libreoffice.org/45407
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>

diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx
index f6bf8446ecbc..3678807b542f 100644
--- a/sw/source/filter/ww8/ww8par6.cxx
+++ b/sw/source/filter/ww8/ww8par6.cxx
@@ -1266,24 +1266,25 @@ static sal_uInt8 lcl_ReadBorders(bool bVer67, WW8_BRCVer9* brc, WW8PLCFx_Cp_FKP*
     {
         if( !bVer67 )
         {
-            SprmResult aSprm[4];
-
+            SprmResult a8Sprm[4];
             if (pSep->Find4Sprms(
                     NS_sprm::sprmSBrcTop80, NS_sprm::sprmSBrcLeft80,
                     NS_sprm::sprmSBrcBottom80, NS_sprm::sprmSBrcRight80,
-                    aSprm[0], aSprm[1], aSprm[2], aSprm[3]))
+                    a8Sprm[0], a8Sprm[1], a8Sprm[2], a8Sprm[3]))
             {
                 for( int i = 0; i < 4; ++i )
-                    nBorder |= int(SetWW8_BRC(8, brc[i], aSprm[i].pSprm, aSprm[i].nRemainingData))<<i;
+                    nBorder |= int(SetWW8_BRC(8, brc[i], a8Sprm[i].pSprm, a8Sprm[i].nRemainingData))<<i;
             }
+
             // Version 9 BRCs if present will override version 8
+            SprmResult a9Sprm[4];
             if (pSep->Find4Sprms(
                     NS_sprm::sprmSBrcTop, NS_sprm::sprmSBrcLeft,
                     NS_sprm::sprmSBrcBottom, NS_sprm::sprmSBrcRight,
-                    aSprm[0], aSprm[1], aSprm[2], aSprm[3]))
+                    a9Sprm[0], a9Sprm[1], a9Sprm[2], a9Sprm[3]))
             {
                 for( int i = 0; i < 4; ++i )
-                    nBorder |= int(SetWW8_BRC(9, brc[i], aSprm[i].pSprm, aSprm[i].nRemainingData))<<i;
+                    nBorder |= int(SetWW8_BRC(9, brc[i], a9Sprm[i].pSprm, a9Sprm[i].nRemainingData))<<i;
             }
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 4991e63fb6f5..a92a61efb8f0 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3724,7 +3724,14 @@ bool WW8PLCFx_SEPX::Find4Sprms(sal_uInt16 nId1,sal_uInt16 nId2,sal_uInt16 nId3,s
     {
         // Sprm found?
         const sal_uInt16 nAktId = maSprmParser.GetSprmId(pSp);
-        const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp, nSprmSiz - i);
+        sal_Int32 nRemLen = nSprmSiz - i;
+        const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp, nRemLen);
+        bool bValid = x <= nRemLen;
+        if (!bValid)
+        {
+            SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+            break;
+        }
         bool bOk = true;
         if( nAktId  == nId1 )
         {