[Libreoffice-commits] core.git: oox/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Fri Aug 28 20:02:37 UTC 2020
oox/source/crypto/DocumentDecryption.cxx | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
New commits:
commit 7a8952726c14a268fac04e0163dca83f2ba8d604
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Aug 28 20:08:00 2020 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Fri Aug 28 22:01:51 2020 +0200
ofz#24770 oom
Change-Id: I0ccae77753fa9a1efb9cb405920f8ee8ffe9fbb2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/101565
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/oox/source/crypto/DocumentDecryption.cxx b/oox/source/crypto/DocumentDecryption.cxx
index c566426267ff..feec8de10691 100644
--- a/oox/source/crypto/DocumentDecryption.cxx
+++ b/oox/source/crypto/DocumentDecryption.cxx
@@ -110,6 +110,8 @@ bool DocumentDecryption::readEncryptionInfo()
if (xDataSpaceMap.is())
{
+ bool bBroken = false;
+
BinaryXInputStream aDataSpaceStream(xDataSpaceMap, true);
sal_uInt32 aHeaderLength = aDataSpaceStream.readuInt32();
SAL_WARN_IF(aHeaderLength != 8, "oox", "DataSpaceMap length != 8 is not supported. Some content may be skipped");
@@ -117,30 +119,44 @@ bool DocumentDecryption::readEncryptionInfo()
SAL_WARN_IF(aEntryCount != 1, "oox", "DataSpaceMap contains more than one entry. Some content may be skipped");
// Read each DataSpaceMapEntry (MS-OFFCRYPTO 2.1.6.1)
- for (sal_uInt32 i = 0; i < aEntryCount && !aDataSpaceStream.isEof(); i++)
+ for (sal_uInt32 i = 0; i < aEntryCount && !bBroken; i++)
{
// entryLen unused for the moment
aDataSpaceStream.skip(sizeof(sal_uInt32));
// Read each DataSpaceReferenceComponent (MS-OFFCRYPTO 2.1.6.2)
sal_uInt32 aReferenceComponentCount = aDataSpaceStream.readuInt32();
- for (sal_uInt32 j = 0; j < aReferenceComponentCount && !aDataSpaceStream.isEof(); j++)
+ for (sal_uInt32 j = 0; j < aReferenceComponentCount && !bBroken; j++)
{
// Read next reference component
// refComponentType unused for the moment
aDataSpaceStream.skip(sizeof(sal_uInt32));
sal_uInt32 aReferenceComponentNameLength = aDataSpaceStream.readuInt32();
// sReferenceComponentName unused for the moment
+ if (aDataSpaceStream.getRemaining() < aReferenceComponentNameLength)
+ {
+ bBroken = true;
+ break;
+ }
aDataSpaceStream.readUnicodeArray(aReferenceComponentNameLength / 2);
aDataSpaceStream.skip((4 - (aReferenceComponentNameLength & 3)) & 3); // Skip padding
+
+ bBroken |= aDataSpaceStream.isEof();
}
sal_uInt32 aDataSpaceNameLength = aDataSpaceStream.readuInt32();
+ if (aDataSpaceStream.getRemaining() < aDataSpaceNameLength)
+ {
+ bBroken = true;
+ break;
+ }
sDataSpaceName = aDataSpaceStream.readUnicodeArray(aDataSpaceNameLength / 2);
aDataSpaceStream.skip((4 - (aDataSpaceNameLength & 3)) & 3); // Skip padding
+
+ bBroken |= aDataSpaceStream.isEof();
}
- if (aDataSpaceStream.isEof())
+ if (bBroken)
{
SAL_WARN("oox", "EOF on parsing DataSpaceMapEntry table");
return false;
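Review bot: The `break` in the reference-component loop only leaves the inner loop, so after an oversized `aReferenceComponentNameLength` is detected the code still reads `aDataSpaceNameLength` and may assign `sDataSpaceName` from a stream position already known to be wrong. The function does return false afterwards through `if (bBroken)`, so the point is to stop consuming untrusted data once parsing has failed; adding `if (bBroken) break;` directly after the inner loop would do that. Both `getRemaining()` checks would also benefit from a short comment such as `// length is read from the file; reject it before readUnicodeArray sizes a buffer from it`, since the commit title only says "oom" (that readUnicodeArray allocates from its argument is inferred, not visible here). The warning text `EOF on parsing DataSpaceMapEntry table` is now also emitted when a length exceeds the remaining bytes, so it could be reworded to cover both cases. readEncryptionInfo starts and ends outside this hunk.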