[Libreoffice-commits] core.git: 2 commits - lotuswordpro/source sc/source

Caolán McNamara caolanm at redhat.com
Mon Feb 19 20:44:46 UTC 2018 

 lotuswordpro/source/filter/lwprowlayout.cxx   |    8 +++++++-
 lotuswordpro/source/filter/lwptablelayout.cxx |   12 ++++++++++--
 sc/source/filter/inc/qpro.hxx                 |    1 +
 sc/source/filter/qpro/qpro.cxx                |    4 +++-
 4 files changed, 21 insertions(+), 4 deletions(-)

New commits:
commit 3668960d94d21ad215c2cbe02f95560416b0a9e3
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Feb 19 14:47:24 2018 +0000

    ofz: infinite loop
    
    Change-Id: Ie515421f484c63d07f10e8551464c7dc11facb73
    Reviewed-on: https://gerrit.libreoffice.org/50001
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/lotuswordpro/source/filter/lwprowlayout.cxx b/lotuswordpro/source/filter/lwprowlayout.cxx
index 02d9d221b304..ca1f43979e09 100644
--- a/lotuswordpro/source/filter/lwprowlayout.cxx
+++ b/lotuswordpro/source/filter/lwprowlayout.cxx
@@ -140,12 +140,18 @@ void LwpRowLayout::RegisterStyle()
     LwpObjectID& rCellID= GetChildHead();
     LwpCellLayout * pCellLayout = dynamic_cast<LwpCellLayout *>(rCellID.obj().get());
 
-    while(pCellLayout)
+    std::set<LwpCellLayout*> aSeen;
+    while (pCellLayout)
     {
+        aSeen.insert(pCellLayout);
+
         pCellLayout->SetFoundry(m_pFoundry);
         pCellLayout->RegisterStyle();
         rCellID = pCellLayout->GetNext();
         pCellLayout = dynamic_cast<LwpCellLayout *>(rCellID.obj().get());
+
+        if (aSeen.find(pCellLayout) != aSeen.end())
+            throw std::runtime_error("loop in conversion");
     }
 
 }
diff --git a/lotuswordpro/source/filter/lwptablelayout.cxx b/lotuswordpro/source/filter/lwptablelayout.cxx
index 78d166574959..81ee8213ff16 100644
--- a/lotuswordpro/source/filter/lwptablelayout.cxx
+++ b/lotuswordpro/source/filter/lwptablelayout.cxx
@@ -1121,14 +1121,18 @@ void LwpTableLayout::PutCellVals(LwpFoundry* pFoundry, LwpObjectID aTableID)
         LwpRowList* pRowList = dynamic_cast<LwpRowList*>(aRowListID.obj().get());
 
         //loop the rowlist
-        while( nullptr!=pRowList)
+        std::set<LwpRowList*> aOuterSeen;
+        while (pRowList)
         {
+            aOuterSeen.insert(pRowList);
             sal_uInt16 nRowID =  pRowList->GetRowID();
             {
                 LwpCellList* pCellList = dynamic_cast<LwpCellList*>(pRowList->GetChildHeadID().obj().get());
                 //loop the cellList
-                while( nullptr!=pCellList)
+                std::set<LwpCellList*> aSeen;
+                while (pCellList)
                 {
+                    aSeen.insert(pCellList);
                     {//put cell
                         sal_uInt16 nColID = pCellList->GetColumnID();
 
@@ -1146,9 +1150,13 @@ void LwpTableLayout::PutCellVals(LwpFoundry* pFoundry, LwpObjectID aTableID)
                         }
                     }
                     pCellList = dynamic_cast<LwpCellList*>(pCellList->GetNextID().obj().get());
+                    if (aSeen.find(pCellList) != aSeen.end())
+                        throw std::runtime_error("loop in conversion");
                 }
             }
             pRowList = dynamic_cast<LwpRowList*>(pRowList->GetNextID().obj().get());
+            if (aOuterSeen.find(pRowList) != aOuterSeen.end())
+                throw std::runtime_error("loop in conversion");
         }
 
     }catch (...) {
commit 5f0eacd721bb98a49d6066c28d4d8fddd8fda292
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Feb 19 14:31:39 2018 +0000

    ofz#5991 limit num of qpro tabs for fuzzing
    
    Change-Id: Ifa205912ee0970657debdc17339e3df0c581a18f
    Reviewed-on: https://gerrit.libreoffice.org/49998
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sc/source/filter/inc/qpro.hxx b/sc/source/filter/inc/qpro.hxx
index 94d6c4325ddd..8bc67f04e901 100644
--- a/sc/source/filter/inc/qpro.hxx
+++ b/sc/source/filter/inc/qpro.hxx
@@ -38,6 +38,7 @@ class ScQProReader
     sal_uInt32 mnOffset;
     SvStream *mpStream;
     bool mbEndOfFile;
+    const SCTAB mnMaxTab;
 
 public:
     ScQProReader(SvStream* pStream);
diff --git a/sc/source/filter/qpro/qpro.cxx b/sc/source/filter/qpro/qpro.cxx
index e1b172ea53a4..10cdabe172c0 100644
--- a/sc/source/filter/qpro/qpro.cxx
+++ b/sc/source/filter/qpro/qpro.cxx
@@ -32,6 +32,7 @@
 #include <document.hxx>
 #include <formulacell.hxx>
 #include <tools/stream.hxx>
+#include <unotools/configmgr.hxx>
 #include <docoptio.hxx>
 #include <scdll.hxx>
 #include <memory>
@@ -142,6 +143,7 @@ ScQProReader::ScQProReader(SvStream* pStream)
     , mnOffset(0)
     , mpStream(pStream)
     , mbEndOfFile(false)
+    , mnMaxTab(utl::ConfigManager::IsFuzzing() ? 128 : MAXTAB)
 {
     if( mpStream )
     {
@@ -178,7 +180,7 @@ ErrCode ScQProReader::parse( ScDocument *pDoc )
                 break;
 
             case 0x00ca: // Beginning of sheet
-                if( nTab <= MAXTAB )
+                if (nTab <= mnMaxTab)
                 {
                     if( nTab < 26 )
                     {

More information about the Libreoffice-commits mailing list