[Libreoffice-commits] core.git: Branch 'aoo/trunk' - filter/inc filter/source

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Sat Aug 18 00:09:19 UTC 2018


 filter/inc/filter/msfilter/dffpropset.hxx |    1 +
 filter/source/msfilter/dffpropset.cxx     |   16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

New commits:
commit 59b105338323266f87e2bca4944ae59de00db0d3
Author:     Don Lewis <truckman at apache.org>
AuthorDate: Fri Aug 17 22:24:27 2018 +0000
Commit:     Don Lewis <truckman at apache.org>
CommitDate: Fri Aug 17 22:24:27 2018 +0000

    When importing a Microsoft Office Drawing Binary File Format data stream,
    
    ignore properties with the bComplex flag set indicating they have data
    external to the property record if the indicated size of the data is
    larger than will fit in the containing property table record.
    
    DffPropSet::GetPropertyString() should return an empty string if
    the bComplex flag is not set since there is no data to return.
    
    Bail out of the loop that processes the array of properties early if
    we hit the end of the property table record.
    
    Limit the length of the property table record to the remaining size of
    the stream.

diff --git a/filter/inc/filter/msfilter/dffpropset.hxx b/filter/inc/filter/msfilter/dffpropset.hxx
index c1535a82da25..196946c4410a 100644
--- a/filter/inc/filter/msfilter/dffpropset.hxx
+++ b/filter/inc/filter/msfilter/dffpropset.hxx
@@ -61,6 +61,7 @@ class MSFILTER_DLLPUBLIC DffPropSet
         ~DffPropSet();
 
         inline sal_Bool IsProperty( sal_uInt32 nRecType ) const { return ( mpPropSetEntries[ nRecType & 0x3ff ].aFlags.bSet ); };
+        inline sal_Bool IsComplex( sal_uInt32 nRecType ) const { return ( mpPropSetEntries[ nRecType & 0x3ff ].aFlags.bComplex ); };
         sal_Bool        IsHardAttribute( sal_uInt32 nId ) const;
         sal_uInt32      GetPropertyValue( sal_uInt32 nId, sal_uInt32 nDefault = 0 ) const;
         /** Returns a boolean property by its real identifier. */
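Review bot: `IsComplex()` is added without a doc comment although the accessors below it are documented; a one-liner such as `/** Returns true if the property's data is stored outside the property record (bComplex flag). */` would fit here. It returns the stored flag without consulting `bSet`, so the comment should also say what callers get for a property that was never set.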
diff --git a/filter/source/msfilter/dffpropset.cxx b/filter/source/msfilter/dffpropset.cxx
index e6b786dd093f..1b29f2b21e1c 100644
--- a/filter/source/msfilter/dffpropset.cxx
+++ b/filter/source/msfilter/dffpropset.cxx
@@ -1099,7 +1099,11 @@ DffPropSet::~DffPropSet()
 void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
 {
     DffRecordHeader aHd;
+    sal_Size nEndOfStream, nEndOfRecord;
     rIn >> aHd;
+    nEndOfStream = rIn.Seek(STREAM_SEEK_TO_END);
+    aHd.SeekToContent( rIn );
+    nEndOfRecord = Min(aHd.GetRecEndFilePos(), nEndOfStream);
 
     if ( !bSetUninitializedOnly )
     {
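Review bot: The result of `rIn >> aHd` is not checked before `aHd.GetRecEndFilePos()` feeds the clamp, so on a truncated stream `nEndOfRecord` may be derived from a header that was never fully read. Consider testing the stream state right after the read, e.g. `if ( rIn.GetError() ) return;`, provided an early return is acceptable to callers. The two new locals could also be initialised where they are declared, e.g. `const sal_Size nEndOfStream = rIn.Seek( STREAM_SEEK_TO_END );`. The body of ReadPropSet continues outside the hunk.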
@@ -1116,6 +1120,8 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
     {
         sal_uInt16 nTmp;
         sal_uInt32 nRecType, nContent;
+        if (nEndOfRecord - rIn.Tell() < 6)
+            break;
         rIn >> nTmp
             >> nContent;
 
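Review bot: The guard `nEndOfRecord - rIn.Tell() < 6` is an unsigned subtraction, so it wraps to a large value and fails to break if the read position is already past `nEndOfRecord`. That can presumably happen when the clamp in the previous hunk yields an end position before the record content; `GetRecEndFilePos()` is not visible here, so whether it can wrap is unconfirmed. Comparing first removes the dependency: `if ( rIn.Tell() > nEndOfRecord || nEndOfRecord - rIn.Tell() < 6 ) break;`. A short comment that 6 is the size of one property entry (the 16-bit id plus the 32-bit content read just below) would replace the magic number. The loop starts and ends outside the hunk.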
@@ -1157,7 +1163,7 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
                 aPropFlag.bBlip = sal_True;
             if ( nTmp & 0x8000 )
                 aPropFlag.bComplex = sal_True;
-            if ( aPropFlag.bComplex && nContent && ( nComplexDataFilePos < aHd.GetRecEndFilePos() ) )
+            if ( aPropFlag.bComplex && nContent && ( nComplexDataFilePos < nEndOfRecord ) )
             {
                 // normally nContent is the complete size of the complex property,
                 // but this is not always true for IMsoArrays ( what the hell is a IMsoArray ? )
@@ -1190,12 +1196,16 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
                             nContent += 6;
 
                         // check if array fits into the PropertyContainer
-                        if ( ( nComplexDataFilePos + nContent ) > aHd.GetRecEndFilePos() )
+                        if ( nContent > nEndOfRecord - nComplexDataFilePos)
                             nContent = 0;
                     }
                     else
                         nContent = 0;
                     rIn.Seek( nOldPos );
+                } else {
+                    // check if complex property fits into the PropertyContainer
+                    if ( nContent > nEndOfRecord - nComplexDataFilePos)
+                        nContent = 0;
                 }
                 if ( nContent )
                 {
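Review bot: The test `nContent > nEndOfRecord - nComplexDataFilePos` now appears in both branches; a zero `nContent` can never satisfy it, so a single check placed after the if/else and before `if ( nContent )` would cover both paths. The subtraction appears to be safe only because this code sits inside the `nComplexDataFilePos < nEndOfRecord` condition from the previous hunk, which is worth recording next to it: `// nComplexDataFilePos < nEndOfRecord here, so the subtraction cannot wrap`. The added `} else {` also departs from the brace-on-its-own-line style of the surrounding lines. The enclosing block starts and ends outside the hunk.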
@@ -1301,7 +1311,7 @@ bool DffPropSet::GetPropertyBool( sal_uInt32 nId, bool bDefault ) const
     sal_Size nOldPos = rStrm.Tell();
     ::rtl::OUStringBuffer aBuffer;
     sal_uInt32 nBufferSize = GetPropertyValue( nId );
-    if( (nBufferSize > 0) && SeekToContent( nId, rStrm ) )
+    if( (nBufferSize > 0) && IsComplex( nId ) && SeekToContent( nId, rStrm ) )
     {
         sal_Int32 nStrLen = static_cast< sal_Int32 >( nBufferSize / 2 );
         aBuffer.ensureCapacity( nStrLen );
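Review bot: `nBufferSize` is taken from the property value and drives `aBuffer.ensureCapacity( nStrLen )` before anything compares it with the bytes actually left in `rStrm`. ReadPropSet now rejects oversized complex data, but it is not visible here whether that also resets the value returned by `GetPropertyValue( nId )`, or whether `rStrm` is the stream that was validated. A local bound would make this function safe on its own: once `SeekToContent` succeeds, cap `nBufferSize` to the remaining stream length, obtained the way ReadPropSet does with `Seek( STREAM_SEEK_TO_END )`, before computing `nStrLen`. The function starts and ends outside the hunk, and although the `@@` header names GetPropertyBool, the commit message indicates this is GetPropertyString.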

