[Libreoffice-commits] core.git: sw/source
Caolán McNamara
caolanm at redhat.com
Tue Sep 26 19:21:43 UTC 2017
sw/source/filter/ww8/ww8par2.cxx | 6 ++++--
sw/source/filter/ww8/ww8par5.cxx | 4 ++--
sw/source/filter/ww8/ww8scan.cxx | 27 +++++++++++++++++++++------
3 files changed, 27 insertions(+), 10 deletions(-)
New commits:
commit 2e36b1e03bee33ceded5e80d045efba5cd1c5063
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Sep 26 12:40:27 2017 +0100
ofz various timeouts in ww8fuzzer
Change-Id: Id633b031d2856dab49bbedc6faf45670a3762c51
Reviewed-on: https://gerrit.libreoffice.org/42801
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index f9891290d0aa..bad09a202b80 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -4005,7 +4005,8 @@ void WW8RStyle::Import1Style( sal_uInt16 nNr )
if ( !xStd || sName.isEmpty() || ((1 != xStd->sgc) && (2 != xStd->sgc)) )
{
- pStStrm->SeekRel( nSkip );
+ nSkip = std::min<sal_uInt64>(nSkip, pStStrm->remainingSize());
+ pStStrm->Seek(pStStrm->Tell() + nSkip);
return;
}
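Review bot: The clamp added before `pStStrm->Seek(pStStrm->Tell() + nSkip)` assigns a `sal_uInt64` result back into `nSkip`, whose declaration is outside this hunk. If that variable is signed, a negative skip would convert to a very large unsigned value and be clamped to the end of the stream, rather than moving backwards as `SeekRel` did, so the type is worth confirming or the conversion made explicit. The same two-line pattern is repeated in ScanStyles, in OpenPieceTable (ww8scan.cxx) and in Read1STDFixed; a small shared helper that skips at most `remainingSize()` bytes would keep the four sites consistent. A short comment such as `// length comes from the file: never seek past the end of the stream` would record why the clamp is there. Import1Style's body starts and ends outside the hunk.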
@@ -4100,7 +4101,8 @@ void WW8RStyle::ScanStyles() // investigate style dependencies
rSI = SwWW8StyInf();
xStd.reset();
- pStStrm->SeekRel( nSkip ); // skip Names and Sprms
+ nSkip = std::min<sal_uInt64>(nSkip, pStStrm->remainingSize());
+ pStStrm->Seek(pStStrm->Tell() + nSkip); // skip Names and Sprms
}
}
diff --git a/sw/source/filter/ww8/ww8par5.cxx b/sw/source/filter/ww8/ww8par5.cxx
index 0acc43804034..14ea2963bab9 100644
--- a/sw/source/filter/ww8/ww8par5.cxx
+++ b/sw/source/filter/ww8/ww8par5.cxx
@@ -961,7 +961,7 @@ long SwWW8ImplReader::Read_Field(WW8PLCFManResult* pRes)
}
else
{ // read field
- long nOldPos = m_pStrm->Tell();
+ auto nOldPos = m_pStrm->Tell();
OUString aStr;
if ( aF.nId == 6 && aF.bCodeNest )
{
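Review bot: `auto nOldPos = m_pStrm->Tell();` removes the narrowing that `long` could cause on platforms where `long` is 32 bits, but it also hides a type the reader needs to know at this point. The other hunks in this commit handle stream offsets as `sal_uInt64` (`std::min<sal_uInt64>(…, remainingSize())`), so, assuming `Tell()` returns that type, writing `sal_uInt64 nOldPos = m_pStrm->Tell();` would document that the saved position is a 64-bit unsigned offset. The matching `Seek(nOldPos)` is in the next hunk, and Read_Field's body continues outside both.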
@@ -983,7 +983,7 @@ long SwWW8ImplReader::Read_Field(WW8PLCFManResult* pRes)
}
eF_ResT eRes = (this->*aWW8FieldTab[aF.nId])( &aF, aStr );
- m_pStrm->Seek( nOldPos );
+ m_pStrm->Seek(nOldPos);
switch ( eRes )
{
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index a9825a5c3fe2..e45e1bdffa6a 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1541,7 +1541,10 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
m_aPieceGrpprls.push_back(p); // add to array
}
else
- pStr->SeekRel( nLen ); // non-Grpprl left
+ {
+ nLen = std::min<sal_uInt64>(nLen, pStr->remainingSize());
+ pStr->Seek(pStr->Tell() + nLen); // non-Grpprl left
+ }
}
// read Piece Table PLCF
@@ -1845,6 +1848,12 @@ static bool WW8GetFieldPara(WW8PLCFspecial& rPLCF, WW8FieldDesc& rF)
rF.nLen = rF.nSRes - rF.nSCode + 2; // total length
}
+ if (rF.nLen < 0)
+ {
+ rF.nLen = 0;
+ goto Err;
+ }
+
rPLCF.advance();
if((static_cast<sal_uInt8*>(pData)[0] & 0x1f ) == 0x15 )
{
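Review bot: The new `if (rF.nLen < 0)` guard tests the result of `rF.nSRes - rF.nSCode + 2` rather than its operands. If these members are signed 32-bit positions taken from the document (their declarations are outside the hunk), the subtraction can overflow before the test runs, and signed overflow is undefined behaviour. Checking the ordering first, for example `if (rF.nSRes < rF.nSCode) goto Err;` ahead of the assignment, would reject the malformed field without depending on the wrapped value. A comment such as `// malformed field: computed length is negative, treat as unreadable` would also explain the bail-out. The `Err` label and the branch that computes the other `nLen` case are outside the hunk.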
@@ -6583,7 +6592,7 @@ WW8_STD* WW8Style::Read1STDFixed(sal_uInt16& rSkip)
WW8_STD* pStd = nullptr;
sal_uInt16 cbStd(0);
- rSt.ReadUInt16( cbStd ); // read length
+ rSt.ReadUInt16(cbStd); // read length
const sal_uInt16 nRead = cbSTDBaseInFile;
if( cbStd >= cbSTDBaseInFile )
@@ -6628,14 +6637,20 @@ WW8_STD* WW8Style::Read1STDFixed(sal_uInt16& rSkip)
pStd->fAutoRedef = a16Bit & 0x0001 ;
pStd->fHidden = ( a16Bit & 0x0002 ) >> 1;
// You never know: cautionary skipped
- if( 10 < nRead )
- rSt.SeekRel( nRead-10 );
+ if (nRead > 10)
+ {
+ auto nSkip = std::min<sal_uInt64>(nRead - 10, rSt.remainingSize());
+ rSt.Seek(rSt.Tell() + nSkip);
+ }
}
while( false ); // trick: the block above will passed through exactly one time
// and can be left early with a "break"
- if( (ERRCODE_NONE != rSt.GetError()) || !nRead )
- DELETEZ( pStd ); // report error with NULL
+ if (!rSt.good() || !nRead)
+ {
+ delete pStd;
+ pStd = nullptr; // report error with NULL
+ }
rSkip = cbStd - cbSTDBaseInFile;
}
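Review bot: On the failure path at `delete pStd; pStd = nullptr;` the function still stores `cbStd - cbSTDBaseInFile` into `rSkip`, a length derived from the file that has not been checked against what is left in the stream. The callers patched in ww8par2.cxx now clamp it before seeking, but nothing here states that requirement. A comment on the assignment such as `// rSkip is file-derived and unvalidated; callers must clamp it to remainingSize() before seeking` would make it visible to future callers. Separately, `!rSt.good()` appears to be a stricter test than the replaced `ERRCODE_NONE != rSt.GetError()`, since it would also trip on end-of-stream; if that is intended, a word in the comment next to `// report error with NULL` would help. The function's return statement and its other branch are outside the hunk.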