[Libreoffice-commits] core.git: sw/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Fri Jul 9 19:44:08 UTC 2021
sw/source/filter/ww8/ww8scan.cxx | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
New commits:
commit af2d477a30c197be5fbfa54022343f7a559b35cf
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Jul 9 14:51:23 2021 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Fri Jul 9 21:43:34 2021 +0200
ofz: OOM
these old ww7- font names are supposed to be limited to maxStrSize
Change-Id: Ide316a09d97d535b6cbc2911466df12f37e703cf
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118689
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 657cf60026c9..b8ea323e434d 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -7206,16 +7206,17 @@ namespace
return true;
}
- sal_Int32 getStringLength(
- sal_uInt8 const * p, std::size_t offset, sal_uInt8 const * pEnd)
+ sal_Int32 getStringLengthWithMax(
+ sal_uInt8 const * p, std::size_t offset, sal_uInt8 const * pEnd, std::size_t maxchars)
{
assert(p <= pEnd);
assert(pEnd - p <= SAL_MAX_INT32);
if (offset >= o3tl::make_unsigned(pEnd - p)) {
return -1;
}
- void const * p2 = std::memchr(
- p + offset, 0, static_cast<std::size_t>(pEnd - p) - offset);
+ std::size_t nbytes = static_cast<std::size_t>(pEnd - p) - offset;
+ std::size_t nsearch = std::min(nbytes, maxchars + 1);
+ void const * p2 = std::memchr(p + offset, 0, nsearch);
if (p2 == nullptr) {
return -1;
}
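Review bot: getStringLengthWithMax has no comment stating what `maxchars` counts, and it now returns -1 in two different situations: no NUL before `pEnd`, and a name longer than `maxchars`. I would add a comment above the signature such as `// Length of the NUL-terminated string at p + offset; -1 if no terminator lies within maxchars bytes (terminator excluded) or before pEnd`. The `maxchars + 1` on the `nsearch` line wraps to 0 if a caller ever passes the largest std::size_t value, which would make every lookup fail. The callers visible here pass `maxStrSize`, so that is presumably unreachable today, but an `assert(maxchars < SIZE_MAX)` would pin it. The function body continues past the end of this hunk.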
@@ -7315,7 +7316,7 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fib const & rFib )
eEnc = RTL_TEXTENCODING_MS_1252;
const size_t nStringOffset = 1 + 2;
- sal_Int32 n = getStringLength(pVer2, nStringOffset, pEnd);
+ sal_Int32 n = getStringLengthWithMax(pVer2, nStringOffset, pEnd, maxStrSize);
if (n == -1) {
break;
}
@@ -7367,7 +7368,7 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fib const & rFib )
if ((eEnc == RTL_TEXTENCODING_SYMBOL) || (eEnc == RTL_TEXTENCODING_DONTKNOW))
eEnc = RTL_TEXTENCODING_MS_1252;
const size_t nStringOffset = offsetof(WW8_FFN_Ver6, szFfn);
- sal_Int32 n = getStringLength(pVer6, nStringOffset, pEnd);
+ sal_Int32 n = getStringLengthWithMax(pVer6, nStringOffset, pEnd, maxStrSize);
if (n == -1) {
break;
}
@@ -7375,7 +7376,7 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fib const & rFib )
if (p->aFFNBase.ibszAlt && p->aFFNBase.ibszAlt < maxStrSize) //don't start after end of string
{
const size_t nAltStringOffset = offsetof(WW8_FFN_Ver6, szFfn) + p->aFFNBase.ibszAlt;
- n = getStringLength(pVer6, nAltStringOffset, pEnd);
+ n = getStringLengthWithMax(pVer6, nAltStringOffset, pEnd, maxStrSize);
if (n == -1) {
break;
}
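Review bot: The alternate-name lookup starts `ibszAlt` bytes into `szFfn` but is still given the full `maxStrSize` budget, so the alternate name may run up to `ibszAlt + maxStrSize` bytes past the start of the field. If `maxStrSize` is meant to bound the whole `szFfn` field (its definition is not visible in this hunk, so please confirm), the remaining budget is smaller: `n = getStringLengthWithMax(pVer6, nAltStringOffset, pEnd, maxStrSize - p->aFFNBase.ibszAlt);`. The existing `ibszAlt < maxStrSize` guard already keeps that subtraction from underflowing. The read stays bounded by `pEnd` either way, so this concerns how consistently the length cap is applied to attacker-controlled font records, not an out-of-bounds access.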