[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Tue Sep 26 19:26:49 UTC 2017


 sw/source/filter/ww8/ww8scan.cxx |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

New commits:
commit 8db706e3239cda41f8a5e956a48eed47d6bd200e
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Aug 28 12:13:41 2017 +0100

    ofz#3154 check bounds of special sprm
    
    Change-Id: I82566e2f2ad479c392f06ae7149e3781c0338e50
    Reviewed-on: https://gerrit.libreoffice.org/41630
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 984d05ef990b..41d027e8f6e9 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -7961,8 +7961,17 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm,
             }
             break;
         case 0xD608:
-            nL = SVBT16ToShort( &pSprm[1 + mnDelta] );
+        {
+            sal_uInt8 nIndex = 1 + mnDelta;
+            if (nIndex + 1 >= nRemLen)
+            {
+                SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+                nL = 0;
+            }
+            else
+                nL = SVBT16ToShort(&pSprm[nIndex]);
             break;
+        }
         default:
             switch (aSprm.nVari)
             {
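Review bot: In the new `case 0xD608` block, the out-of-range branch sets `nL = 0`, which a caller cannot tell apart from a sprm whose length field really is zero. If callers of `GetSprmTailLen` need to stop parsing on a truncated sprm, consider signalling that case explicitly, or add a comment stating that a zero tail length is the intended safe fallback. A one-line comment on the condition would also help: `SVBT16ToShort` reads a 16-bit value, so both `pSprm[nIndex]` and `pSprm[nIndex + 1]` must lie inside `nRemLen`, which is why the test is `nIndex + 1 >= nRemLen` rather than `nIndex >= nRemLen`. The `SAL_WARN` text would be easier to triage if it named the sprm (0xD608) and said that it is the length field that does not fit in the remaining bytes.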

