[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Sun Mar 18 16:48:34 UTC 2018 

 sw/source/filter/ww8/ww8par.hxx  |    2 +-
 sw/source/filter/ww8/ww8par5.cxx |    6 +++---
 sw/source/filter/ww8/ww8scan.cxx |   24 ++++++++++++++++++++++--
 sw/source/filter/ww8/ww8scan.hxx |    6 +++---
 4 files changed, 29 insertions(+), 9 deletions(-)

New commits:
commit dfe797e8a54f49270f25043dda5fdd95d8fbc4ff
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Sat Mar 17 17:44:35 2018 +0000

    ofz#6990 Integer-overflow
    
    Change-Id: Ie6a29b44c3b8fb984801d6bc36eb60f45d2f00d4
    Reviewed-on: https://gerrit.libreoffice.org/51467
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 1460083b85eb..a7153844ec71 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1617,7 +1617,7 @@ private:
     void MakeTagString( OUString& rStr, const OUString& rOrg );
     void UpdateFields();
     OUString ConvertFFileName(const OUString& rRaw);
-    long Read_F_Tag( WW8FieldDesc* pF );
+    WW8_CP Read_F_Tag(WW8FieldDesc* pF);
     void InsertTagField( const sal_uInt16 nId, const OUString& rTagText );
     long ImportExtSprm(WW8PLCFManResult* pRes);
     void EndExtSprm(sal_uInt16 nSprmId);
diff --git a/sw/source/filter/ww8/ww8par5.cxx b/sw/source/filter/ww8/ww8par5.cxx
index 82b4c2b8c2ec..f47be7dcfcda 100644
--- a/sw/source/filter/ww8/ww8par5.cxx
+++ b/sw/source/filter/ww8/ww8par5.cxx
@@ -1131,12 +1131,12 @@ void SwWW8ImplReader::InsertTagField( const sal_uInt16 nId, const OUString& rTag
     }
 }
 
-long SwWW8ImplReader::Read_F_Tag( WW8FieldDesc* pF )
+WW8_CP SwWW8ImplReader::Read_F_Tag( WW8FieldDesc* pF )
 {
     long nOldPos = m_pStrm->Tell();
 
     WW8_CP nStart = pF->nSCode - 1;         // starting with 0x19
-    long nL = pF->nLen;                     // Total length with result and nest
+    WW8_CP nL = pF->nLen;                     // Total length with result and nest
     if( nL > MAX_FIELDLEN )
         nL = MAX_FIELDLEN;                  // MaxLength, by quoting
                                             // max. 4 times as big
@@ -1196,7 +1196,7 @@ OUString SwWW8ImplReader::GetFieldResult( WW8FieldDesc const * pF )
     long nOldPos = m_pStrm->Tell();
 
     WW8_CP nStart = pF->nSRes;              // result start
-    long nL = pF->nLRes;                    // result length
+    WW8_CP nL = pF->nLRes;                    // result length
     if( !nL )
         return OUString();                  // no result
 
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index f6b4a84a3a8f..3f7565a1885b 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1994,13 +1994,33 @@ static bool WW8GetFieldPara(WW8PLCFspecial& rPLCF, WW8FieldDesc& rF)
             if (!rPLCF.Get(rF.nLRes, pData) || rF.nLRes < 0)
                 goto Err;
         }
-        rF.nLen = rF.nLRes - rF.nSCode + 2;         // nLRes is still the final position
+        WW8_CP nTmp;
+        if (o3tl::checked_sub<WW8_CP>(rF.nLRes, rF.nSCode, nTmp))
+        {
+            rF.nLen = 0;
+            goto Err;
+        }
+        if (o3tl::checked_add<WW8_CP>(nTmp, 2, rF.nLen)) // nLRes is still the final position
+        {
+            rF.nLen = 0;
+            goto Err;
+        }
         rF.nLRes -= rF.nSRes;                       // now: nLRes = length
         rF.nSRes++;                                 // Endpos including Markers
         rF.nLRes--;
     }else{
         rF.nLRes = 0;                               // no result found
-        rF.nLen = rF.nSRes - rF.nSCode + 2;         // total length
+        WW8_CP nTmp;
+        if (o3tl::checked_sub<WW8_CP>(rF.nSRes, rF.nSCode, nTmp))
+        {
+            rF.nLen = 0;
+            goto Err;
+        }
+        if (o3tl::checked_add<WW8_CP>(nTmp, 2, rF.nLen)) // total length
+        {
+            rF.nLen = 0;
+            goto Err;
+        }
     }
 
     if (rF.nLen < 0)
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index fbaae0131eae..c9216ed1cbe6 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -194,13 +194,13 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen
 
 struct WW8FieldDesc
 {
-    long nLen;              ///< total length (to skip over text)
+    WW8_CP nLen;            ///< total length (to skip over text)
     WW8_CP nSCode;          ///< start of instructions code
     WW8_CP nLCode;          ///< length
     WW8_CP nSRes;           ///< start of result
     WW8_CP nLRes;           ///< length ( == 0, if no result )
-    sal_uInt16 nId;             ///< WW-id for fields
-    sal_uInt8 nOpt;              ///< WW-Flags ( e.g.: changed by user )
+    sal_uInt16 nId;         ///< WW-id for fields
+    sal_uInt8 nOpt;         ///< WW-Flags ( e.g.: changed by user )
     bool bCodeNest:1;       ///< instruction used recursively
     bool bResNest:1;        ///< instruction inserted into result
 };

More information about the Libreoffice-commits mailing list