[Libreoffice-commits] core.git: sw/source

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Wed Jul 25 12:57:13 UTC 2018


 sw/source/filter/ww8/ww8scan.cxx |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

New commits:
commit 981ffeb876e3b3d898b00054ed5072035cf27c1a
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Jul 25 12:47:01 2018 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Wed Jul 25 14:56:48 2018 +0200

    ofz#7886 reject bogus text offsets inside fib
    
    Change-Id: I7e81d13c199301cc4a049081476feac6e1507bd0
    Reviewed-on: https://gerrit.libreoffice.org/57972
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 97be35a40288..f2b1305be557 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1545,6 +1545,10 @@ WW8_CP WW8ScannerBase::WW8Fc2Cp( WW8_FC nFcPos ) const
     return nFallBackCpEnd;
 }
 
+// the fib of WinWord2 has a last entry of cpnBtePap of 2 byte sized type PN at
+// offset 324
+const int nSmallestPossibleFib = 326;
+
 WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
     WW8_CP* pNextPieceCp, bool* pTestFlag) const
 {
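Review bot: nSmallestPossibleFib is declared as a plain int, but its only use in this patch is the comparison against nRet in WW8Cp2Fc, which returns WW8_FC. Declaring it as `constexpr WW8_FC nSmallestPossibleFib = 326;` would keep that comparison in a single type and avoid any implicit conversion if WW8_FC is not int. The comment would also read more clearly if it spelled out the arithmetic (offset 324 plus the 2-byte PN gives 326) so the number can be checked against the WinWord2 layout at a glance.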
@@ -1644,6 +1648,16 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
         SAL_WARN("sw.ww8", "broken offset, ignoring");
         return WW8_CP_MAX;
     }
+
+    // the text and the fib share the same stream, if the text is inside the fib
+    // then its definitely a bad offset. The smallest FIB supported is that of
+    // WW2 which is 326 bytes in size
+    if (nRet < nSmallestPossibleFib)
+    {
+        SAL_WARN("sw.ww8", "broken offset, ignoring");
+        return WW8_CP_MAX;
+    }
+
     return nRet;
 }
 
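Review bot: the new `nRet < nSmallestPossibleFib` check is only a lower bound for the smallest supported format, so for documents whose FIB is larger than the WW2 one an offset that still lands inside the FIB (at 326 or above) passes this test. If the scanner has the actual FIB size of the document being parsed at this point, comparing against that would close the gap; otherwise the comment should say explicitly that this is a minimum bound and not a full "inside the fib" test. Separately, the SAL_WARN text "broken offset, ignoring" is identical to the one in the check directly above, so a log line cannot tell which condition fired; a distinct message that includes nRet would help when triaging fuzzer reports. Minor: "its definitely" in the comment should be "it's definitely".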

