[Libreoffice-commits] core.git: sw/source

Wed Jan 10 12:57:44 UTC 2018

sw/source/filter/html/htmltab.cxx |    4 ++++
 sw/source/filter/html/swhtml.cxx  |    1 +
 sw/source/filter/html/swhtml.hxx  |   19 +++++++++++++++++++
 3 files changed, 24 insertions(+)

New commits:
commit 80074e280d95f0f72b8ba7fd8516203f6a2b7d5f
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jan 10 09:33:38 2018 +0000

    ofz#5211 limit table parsing depth
    
    Change-Id: I77b569faacc6f2655b050d09a236f78843e87560
    Reviewed-on: https://gerrit.libreoffice.org/47691
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/html/htmltab.cxx b/sw/source/filter/html/htmltab.cxx
index a92bd2212ab6..dbe5a5b7429b 100644
--- a/sw/source/filter/html/htmltab.cxx
+++ b/sw/source/filter/html/htmltab.cxx
@@ -5069,6 +5069,10 @@ std::shared_ptr<HTMLTable> SwHTMLParser::BuildTable(SvxAdjust eParentAdjust,
                                                     bool bHasParentSection,
                                                     bool bHasToFly)
 {
+    TableDepthGuard aGuard(*this);
+    if (aGuard.TooDeep())
+        eState = SvParserState::Error;
+
     if (!IsParserWorking() && !m_pPendStack)
         return std::shared_ptr<HTMLTable>();
 
diff --git a/sw/source/filter/html/swhtml.cxx b/sw/source/filter/html/swhtml.cxx
index 86a305b836a8..92e87c8fef1d 100644
--- a/sw/source/filter/html/swhtml.cxx
+++ b/sw/source/filter/html/swhtml.cxx
@@ -300,6 +300,7 @@ SwHTMLParser::SwHTMLParser( SwDoc* pD, SwPaM& rCursor, SvStream& rIn,
     m_bRemoveHidden( false ),
     m_bBodySeen( false ),
     m_bReadingHeaderOrFooter( false ),
+    m_nTableDepth( 0 ),
     m_pTempViewFrame(nullptr)
 {
     m_nEventId = nullptr;
diff --git a/sw/source/filter/html/swhtml.hxx b/sw/source/filter/html/swhtml.hxx
index 1be17ff43d78..c86150510428 100644
--- a/sw/source/filter/html/swhtml.hxx
+++ b/sw/source/filter/html/swhtml.hxx
@@ -493,6 +493,8 @@ class SwHTMLParser : public SfxHTMLParser, public SwClient
     bool m_bBodySeen : 1;
     bool m_bReadingHeaderOrFooter : 1;
 
+    sal_Int32 m_nTableDepth;
+
     /// the names corresponding to the DOCINFO field subtypes INFO[1-4]
     OUString m_InfoNames[4];
 
@@ -881,6 +883,23 @@ private:
 
     bool PendingObjectsInPaM(SwPaM& rPam) const;
 
+    class TableDepthGuard
+    {
+    private:
+        SwHTMLParser& m_rParser;
+    public:
+        TableDepthGuard(SwHTMLParser& rParser)
+            : m_rParser(rParser)
+        {
+            ++m_rParser.m_nTableDepth;
+        }
+        bool TooDeep() const { return m_rParser.m_nTableDepth > 2048; }
+        ~TableDepthGuard()
+        {
+            --m_rParser.m_nTableDepth;
+        }
+    };
+
 public:         // used in tables
 
     // Create brush item (with new) or 0
