filter/source/msfilter/msdffimp.cxx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
New commits: commit a88078f6574057b7b54c25a8b0fc65bdb88dd2b1 Author: Andras Timar <andras.ti...@collabora.com> Date: Thu Nov 27 20:56:32 2014 +0100 fdo#84686 prevent std::bad_alloc exception by stricter input check The bugdoc has invalid length (rh.recLen) in header of blipStore's OfficeArtFBSE record. Therefore LibreOffice read junk for the next BLIP, and tried to seek to an invalid stream position, which caused bad allocation exception on 32-bit systems. Change-Id: I72fae4c2b00216b57736f4409a32c62a40f25785 (cherry picked from commit 6945971c79d70d77c5c8bb6593b3f25ef46b0887) Reviewed-on: https://gerrit.libreoffice.org/13158 Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 12ef20a..a96a9f6 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -5814,8 +5814,7 @@ void SvxMSDffManager::GetCtrlData( sal_uInt32 nOffsDgg_ )
 }
-// from here on: Drawing Group Container i.e. Ddocument-wide valid data
-// ======================= ========
+// from here on: Drawing Group Container i.e. document-wide valid data
 void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLenDgg )
 {
@@ -5855,7 +5854,7 @@ void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLe
 {
 if(!this->ReadCommonRecordHeader( rSt, nVer, nInst, nFbt, nLength)) return;
 nRead += DFF_COMMON_RECORD_HEADER_SIZE + nLength;
- if( DFF_msofbtBSE == nFbt )
+ if( DFF_msofbtBSE == nFbt && /* magic value from spec */ 0x2 == nVer )
 {
 nLenFBSE = nLength;
 // is FBSE big enough for our data
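Review bot: The literal `0x2` in the new condition is explained only by the inline `/* magic value from spec */`, which names neither the field nor the specification it comes from. A named constant declared next to the other DFF_ definitions would carry that information, for example `if( DFF_msofbtBSE == nFbt && DFF_FBSE_RECVER == nVer )`, where `DFF_FBSE_RECVER` is a placeholder name. Its declaration should have a comment saying it is the record-version value expected in an OfficeArtFBSE header. The enclosing do-loop starts and ends outside this hunk.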
@@ -5892,8 +5891,9 @@ void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLe
 // now save the info for later access
 pBLIPInfos->push_back( new SvxMSDffBLIPInfo( nInst, nBLIPPos, nBLIPLen ) );
 }
+ rSt.SeekRel( nLength );
 }
- rSt.SeekRel( nLength );
+ else return; // invalid input
 }
 while( nRead < nLenBStoreCont );
 }
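Review bot: `rSt.SeekRel( nLength )` still advances by a length read from the file without comparing it to what remains of the BStore container. A record with the expected type and version but a corrupt rh.recLen, the case the commit message describes, is therefore not rejected by the new type/version test. Since `nRead` already includes the header size plus `nLength` (context line in the previous hunk), a guard right after that addition would stop on an over-long record: `if( nRead > nLenBStoreCont ) return; // record overruns container`. The variable types are declared outside the visible hunks, so confirm the addition cannot wrap on 32-bit builds. The `else return; // invalid input` comment should also say that parsing stops at the first non-matching record and that entries already pushed to `pBLIPInfos` appear to be kept.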