[Libreoffice-commits] core.git: sw/source

Mon Oct 30 10:18:04 UTC 2017

sw/source/filter/ww8/ww8scan.cxx |   32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

New commits:
commit baefc8a1d7f01fb4717db72854abc06649335397
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Sun Oct 29 20:30:29 2017 +0000

    ofz#3896 Integer-overflow
    
    Change-Id: Ib7d3c8bd1a5db9f6b35e928743a701a9a95403ca
    Reviewed-on: https://gerrit.libreoffice.org/44031
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index e2a2a87f9daa..3f5d39c8f3c8 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3346,8 +3346,33 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
                         bIsUnicode);
                 }
 
-                nLimitFC = nBeginLimitFC +
-                    (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1);
+                WW8_CP nCpLen;
+                bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+                if (bFail)
+                {
+                    SAL_WARN("sw.ww8", "broken offset, ignoring");
+                    pPieceIter->SetIdx(nOldPos);
+                    return;
+                }
+
+                if (bIsUnicode)
+                {
+                    bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen);
+                    if (bFail)
+                    {
+                        SAL_WARN("sw.ww8", "broken offset, ignoring");
+                        pPieceIter->SetIdx(nOldPos);
+                        return;
+                    }
+                }
+
+                bFail = o3tl::checked_add(nBeginLimitFC, nCpLen, nLimitFC);
+                if (bFail)
+                {
+                    SAL_WARN("sw.ww8", "broken offset, ignoring");
+                    pPieceIter->SetIdx(nOldPos);
+                    return;
+                }
 
                 if (nOldEndPos <= nLimitFC)
                 {
@@ -3398,8 +3423,7 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
                                     nFcStart,bIsUnicode );
                             }
 
-                            WW8_CP nCpLen;
-                            bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+                            bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
                             if (bFail)
                             {
                                 SAL_WARN("sw.ww8", "broken offset, ignoring");
