[Libreoffice-commits] core.git: sw/source
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Wed Jul 25 12:57:13 UTC 2018
sw/source/filter/ww8/ww8scan.cxx | 14 ++++++++++++++
1 file changed, 14 insertions(+)
New commits:
commit 981ffeb876e3b3d898b00054ed5072035cf27c1a
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Jul 25 12:47:01 2018 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Wed Jul 25 14:56:48 2018 +0200
ofz#7886 reject bogus text offsets inside fib
Change-Id: I7e81d13c199301cc4a049081476feac6e1507bd0
Reviewed-on: https://gerrit.libreoffice.org/57972
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 97be35a40288..f2b1305be557 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1545,6 +1545,10 @@ WW8_CP WW8ScannerBase::WW8Fc2Cp( WW8_FC nFcPos ) const
return nFallBackCpEnd;
}
+// the fib of WinWord2 has a last entry of cpnBtePap of 2 byte sized type PN at
+// offset 324
+const int nSmallestPossibleFib = 326;
+
WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
WW8_CP* pNextPieceCp, bool* pTestFlag) const
{
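Review bot: The new constant nSmallestPossibleFib is declared as a plain `const int`, while the value it is later compared against (nRet in WW8Cp2Fc) is returned as a WW8_FC. Declaring it with the offset type, for example `const WW8_FC nSmallestPossibleFib = 326;`, would keep that comparison between like types. The comment could also state the arithmetic directly (offset 324 plus the 2-byte PN gives 326), so the number does not have to be re-derived by the next reader.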
@@ -1644,6 +1648,16 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
SAL_WARN("sw.ww8", "broken offset, ignoring");
return WW8_CP_MAX;
}
+
+ // the text and the fib share the same stream, if the text is inside the fib
+ // then its definitely a bad offset. The smallest FIB supported is that of
+ // WW2 which is 326 bytes in size
+ if (nRet < nSmallestPossibleFib)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+
return nRet;
}
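Review bot: The added check logs the same string, "broken offset, ignoring", as the existing check immediately above it, so a warning in the sw.ww8 log cannot be attributed to one condition or the other. A distinct message that includes the rejected value, such as `"text offset " << nRet << " lies inside the fib, ignoring"`, would make triage of fuzzer-found documents easier. Minor: "its definitely" in the comment should read "it's definitely".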