[Libreoffice-commits] core.git: sw/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Mon Oct 12 07:47:25 UTC 2020


 sw/source/filter/ww8/ww8scan.cxx |   35 +++++++++++++++++++++++++++++++++--
 sw/source/filter/ww8/ww8scan.hxx |    4 ++++
 2 files changed, 37 insertions(+), 2 deletions(-)

New commits:
commit 4e56a0a4b60f293cfddda67af68352de36ccc1ef
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Sat Oct 10 21:17:44 2020 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Mon Oct 12 09:46:47 2020 +0200

    ofz#23523 Timeout processing huge SEPX full of non-SEP properties
    
    ignore properties in SEPX which aren't section properties
    
    Change-Id: I191acbd8d602d0c59ce541cecb847d7d57c1bc3a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/104178
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 1b3c738823bd..65a5818abb48 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -5182,6 +5182,34 @@ namespace
     }
 }
 
+bool WW8PLCFMan::IsSprmLegalForCategory(sal_uInt16 nSprmId, short nIdx) const
+{
+    const WW8PLCFxDesc* p = &m_aD[nIdx];
+    if (p != m_pSep) // just check sep for now
+        return true;
+
+    bool bRet;
+    ww::WordVersion eVersion = maSprmParser.GetFIBVersion();
+    if (eVersion <= ww::eWW2)
+    {
+        bRet = nSprmId >= 112 && nSprmId <= 145;
+        SAL_WARN_IF(!bRet, "sw.ww8", "sprm, id " << nSprmId << " wrong category for section properties");
+        assert(bRet && "once off crashtesting scan for real world cases");
+    }
+    else if (eVersion < ww::eWW8) // just check ww6/7 for now
+    {
+        bRet = nSprmId >= NS_sprm::v6::sprmSScnsPgn && nSprmId <= NS_sprm::v6::sprmSDMPaperReq;
+        SAL_WARN_IF(!bRet, "sw.ww8", "sprm, id " << nSprmId << " wrong category for section properties");
+    }
+    else
+    {
+        // we could pull the sgc from the SprmId in this case
+        bRet = true;
+    }
+
+    return bRet;
+}
+
 void WW8PLCFMan::GetSprmStart( short nIdx, WW8PLCFManResult* pRes ) const
 {
     memset( pRes, 0, sizeof( WW8PLCFManResult ) );
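Review bot: The `assert(bRet && "once off crashtesting scan for real world cases");` in the WW2 branch fires on a sprm id that appears to come straight from the document. In any build with assertions enabled, a WW2 file carrying a non-section sprm in its SEPX therefore aborts the importer instead of being skipped. The WW6/7 branch handles the same condition with `SAL_WARN_IF` alone, and the assert text itself says it is a one-off for crash testing. I would drop the assert, or at least mark it with `// TODO: remove once the crashtesting scan has run`, so both branches degrade the same way on malformed input. The literals `112` and `145` would also be clearer as named constants for the first and last WW2 section sprm ids.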
@@ -5209,7 +5237,7 @@ void WW8PLCFMan::GetSprmStart( short nIdx, WW8PLCFManResult* pRes ) const
     {
         // Length of actual sprm
         pRes->nMemLen = maSprmParser.GetSprmSize(pRes->nSprmId, pRes->pMemPos, p->nSprmsLen);
-        if (!IsSizeLegalCheckSize(pRes->nMemLen, p->nSprmsLen))
+        if (!IsSizeLegalCheckSize(pRes->nMemLen, p->nSprmsLen) || !IsSprmLegalForCategory(pRes->nSprmId, nIdx))
         {
             pRes->nSprmId = 0;
         }
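Review bot: The added `IsSprmLegalForCategory` condition filters nothing for WW8 and later documents, because the helper's final `else` branch sets `bRet = true`; as far as this diff shows, a huge SEPX full of non-section sprms in a WW8 file is still walked in full. The helper's own comment notes that the sgc could be taken from the sprm id. In the WW8 opcode layout the sgc occupies bits 10–12 and the value 4 denotes section, so `bRet = ((nSprmId >> 10) & 0x7) == 4;` would extend the check, subject to the same real-world corpus scan used for the older formats. If that is deliberately deferred, a comment at this call site such as `// category check currently only rejects sprms for WW2/6/7` would stop readers assuming full coverage. GetSprmStart begins and continues outside this hunk.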
@@ -5306,7 +5334,10 @@ void WW8PLCFMan::AdvSprm(short nIdx, bool bStart)
     if( bStart )
     {
         const sal_uInt16 nLastId = GetId(p);
-        p->pIdStack->push(nLastId);   // remember Id for attribute end
+
+        const sal_uInt16 nLastAttribStarted = IsSprmLegalForCategory(nLastId, nIdx) ? nLastId : 0;
+
+        p->pIdStack->push(nLastAttribStarted);   // remember Id for attribute end
 
         if( p->nSprmsLen )
         {   /*
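Review bot: The retained comment `// remember Id for attribute end` no longer describes what is pushed, because a rejected sprm now puts `0` on the stack and nothing in this hunk shows how the matching pop treats that value. A comment such as `// push 0 for sprms rejected by IsSprmLegalForCategory so no attribute end is reported for them` would record the intent, assuming 0 is the "no attribute" id as in GetSprmStart's `pRes->nSprmId = 0`. The helper is also evaluated a second time here for a sprm that GetSprmStart has presumably already checked, which repeats the `SAL_WARN_IF` output for each rejected entry in logging builds. AdvSprm continues outside the hunk.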
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index 0b606d316e95..edf22104f65b 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -147,6 +147,8 @@ public:
     /// Returns the offset to data of the first sprm of id nId, 0
     //  if not found. nLen must be the <= length of pSprms
     SprmResult findSprmData(sal_uInt16 nId, sal_uInt8* pSprms, sal_Int32 nLen) const;
+
+    ww::WordVersion GetFIBVersion() const { return meVersion; }
 };
 
 //Read a Pascal-style, i.e. single byte string length followed
@@ -962,6 +964,8 @@ private:
     void AdvNoSprm(short nIdx, bool bStart);
     sal_uInt16 GetId(const WW8PLCFxDesc* p ) const;
 
+    bool IsSprmLegalForCategory(sal_uInt16 nSprmId, short nIdx) const;
+
 public:
     WW8PLCFMan(const WW8ScannerBase* pBase, ManTypes nType, long nStartCp,
         bool bDoingDrawTextBox = false);
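Review bot: `IsSprmLegalForCategory` is declared without a comment, and its name promises more than the definition delivers. The definition only validates ids when the indexed descriptor is `m_pSep`, and returns true for every other index and for WW8 and later versions. A doc comment in the header's existing `///` style would make that limit visible to callers, e.g. `/// Returns false if nSprmId is not a section sprm for the m_pSep entry (WW2/6/7 only); true for all other entries and versions.` The class body starts and ends outside this hunk.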

