sw/source/filter/ww8/ww8scan.cxx | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
New commits: commit 016e4d0e2650b2fb350068d86e8d392a7ef5acb1 Author: Caolán McNamara <caol...@redhat.com> Date: Fri May 12 11:38:22 2017 +0100 ofz: sanity check L_VAR2 record bounds Change-Id: I862457a7239108974f360a87b4f6ccf433eae364 Reviewed-on: https://gerrit.libreoffice.org/37534 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 04060366a1c1..b8b5eac1853e 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -7956,10 +7956,21 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm,
 nL = static_cast< sal_uInt16 >(pSprm[1 + mnDelta] + aSprm.nLen);
 break;
 case L_VAR2:
+ {
 // Variable 2-Byte Length?
 // Excl. Token + Var-Lengthbyte
- nL = static_cast< sal_uInt16 >(SVBT16ToShort( &pSprm[1 + mnDelta] ) + aSprm.nLen - 1);
+ sal_uInt8 nIndex = 1 + mnDelta;
+ sal_uInt16 nCount;
+ if (nIndex + 1 >= nRemLen)
+ {
+ SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+ nCount = 0;
+ }
+ else
+ nCount = SVBT16ToShort(&pSprm[nIndex]);
+ nL = static_cast< sal_uInt16 >(nCount + aSprm.nLen - 1);
 break;
+ }
 default:
 OSL_ENSURE(false, "Unknown sprm variant");
 break;
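Review bot: The `L_VAR` branch in the context lines just above still reads `pSprm[1 + mnDelta]` with no visible comparison against nRemLen, so on a truncated sprm the one-byte length read has the same out-of-bounds exposure this change closes for `L_VAR2`. That branch starts above the hunk, so a check may already exist there; if it does not, guard it the same way, e.g. `sal_uInt8 nCount = (1 + mnDelta < nRemLen) ? pSprm[1 + mnDelta] : 0;`. Separately, in the new error path `nCount = 0` still flows into `nCount + aSprm.nLen - 1`, which wraps to 0xFFFF after the cast if aSprm.nLen is 0 for this sprm (its value is not visible here). Either set nL explicitly in that path or add a comment such as `// callers must clamp the returned length against nRemLen` so the fallback is not mistaken for a safe length.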