connectivity/source/drivers/dbase/DTable.cxx |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

New commits:
commit 1516711eb7861a08cc9fd19ec867360737a6d070
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Sep 23 20:07:21 2021 +0100
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Thu Sep 23 21:58:58 2021 +0200

    check if headersize is greater than available data
    
    Change-Id: I5d78da49436c7dfbe7cfb50e52549b61abc00ee9
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122542
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/connectivity/source/drivers/dbase/DTable.cxx 
b/connectivity/source/drivers/dbase/DTable.cxx
index 51ad6110ec44..5259a4721fc3 100644
--- a/connectivity/source/drivers/dbase/DTable.cxx
+++ b/connectivity/source/drivers/dbase/DTable.cxx
@@ -495,10 +495,20 @@ void ODbaseTable::construct()
         m_pFileStream = createStream_simpleError( sFileName, StreamMode::READ 
| StreamMode::NOCREATE | StreamMode::SHARE_DENYNONE);
     }
 
-    if(!m_pFileStream)
+    if (!m_pFileStream)
         return;
 
     readHeader();
+
+    std::size_t nFileSize = lcl_getFileSize(*m_pFileStream);
+
+    if (m_aHeader.headerLength > nFileSize)
+    {
+        SAL_WARN("connectivity.drivers", "Parsing error: " << nFileSize <<
+                 " max possible size, but " << m_aHeader.headerLength << " 
claimed, abandoning");
+        return;
+    }
+
     if (HasMemoFields())
     {
     // Create Memo-Filename (.DBT):
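Review bot: The added `m_aHeader.headerLength > nFileSize` check returns with `m_pFileStream` still open and `m_aHeader` already filled from the rejected file, so a caller that treats a non-null stream as a successfully constructed table cannot tell this failure from success; whether any caller does so is outside the hunk. Releasing the stream before the `return` (for example `m_pFileStream.reset();`, if the member is a smart pointer) would make the rejection look like the failed-open path just above it. The test is also only an upper bound: a `headerLength` smaller than the fixed part of the header, or inconsistent with the field descriptors, still reaches `fillColumns()`, which needs its own validation if it derives a field count from this value. Calling `lcl_getFileSize()` before the memo handling and `fillColumns()` is safe only if it leaves the stream position where they expect it or they seek for themselves, and a one-line comment at the call stating which would help. `construct()` starts before this hunk and continues past it.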
@@ -520,9 +530,9 @@ void ODbaseTable::construct()
         if (m_pMemoStream)
             ReadMemoHeader();
     }
+
     fillColumns();
 
-    std::size_t nFileSize = lcl_getFileSize(*m_pFileStream);
     m_pFileStream->Seek(STREAM_SEEK_TO_BEGIN);
     // seems to be empty or someone wrote bullshit into the dbase file
     // try and recover if m_aHeader.db_slng is sane
