[Libreoffice-commits] core.git: sw/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Wed Sep 1 18:26:44 UTC 2021
sw/source/filter/ww8/ww8par2.cxx | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
New commits:
commit 2313a43d78c9a172e709d56ed9a933f2a17c2f93
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Sep 1 14:30:11 2021 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Wed Sep 1 20:26:11 2021 +0200
ofz: MemorySanitizer: use-of-uninitialized-value
Change-Id: I342465eb02709a7e07d3088ecbb427a7ae900d30
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121472
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index afa244ad5c87..074b908d213c 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -4138,10 +4138,19 @@ Word2CHPX ReadWord2Chpx(SvStream &rSt, std::size_t nOffset, sal_uInt8 nSize)
{
Word2CHPX aChpx;
- if (!nSize)
+ if (!nSize || !checkSeek(rSt, nOffset))
return aChpx;
- rSt.Seek(nOffset);
+ const size_t nMaxByteCount = rSt.remainingSize();
+ if (!nMaxByteCount)
+ return aChpx;
+
+ if (nSize > nMaxByteCount)
+ {
+ SAL_WARN("sw.ww8", "ReadWord2Chpx: truncating out of range "
+ << nSize << " to " << nMaxByteCount);
+ nSize = nMaxByteCount;
+ }
sal_uInt8 nCount=0;
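Review bot: In the SAL_WARN call inside the `if (nSize > nMaxByteCount)` block, `nSize` is a `sal_uInt8` (an unsigned char), so `<< nSize` streams it as a character and the log shows a raw byte instead of the requested size. Cast it for logging, for example `<< static_cast<int>(nSize)`, so that the out-of-range value is readable when triaging fuzzer findings. Separately, `nSize = nMaxByteCount;` narrows a `size_t` into a `sal_uInt8`. This is safe here because the branch is only taken when `nMaxByteCount` is smaller than `nSize`, but an explicit `static_cast<sal_uInt8>(nMaxByteCount)` would state that intent and keep narrowing warnings quiet.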