[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/source sd/qa sd/source
filter/source/msfilter/svdfppt.cxx | 62 --- sd/qa/unit/data/ppt/pass/hang-15.ppt |binary sd/qa/unit/data/ppt/pass/hang-16.ppt |binary sd/qa/unit/data/ppt/pass/hang-17.ppt |binary sd/source/filter/ppt/pptin.cxx | 29 +++- sd/source/filter/ppt/propread.cxx| 21 ++- 6 files changed, 76 insertions(+), 36 deletions(-) New commits: commit b45df6e4037556c3ee6ccdb4497762884fdb2327 Author: Caolán McNamara caol...@redhat.com Date: Fri Aug 28 08:28:51 2015 +0100 check seeks and reads Change-Id: I0c5c4784713376e0762bfbd197640f8d31b65562 (cherry picked from commit 1847753ab135f522df6a293a8539155437f0129f) Reviewed-on: https://gerrit.libreoffice.org/18116 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index 40c3349..e1e14b8 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -782,7 +782,8 @@ SdrObject* SdrEscherImport::ProcessObj( SvStream rSt, DffObjData rObjData, voi } break; } -aClientDataHd.SeekToEndOfRecord( rSt ); +if (!aClientDataHd.SeekToEndOfRecord(rSt)) +break; } } if ( ( aPlaceholderAtom.nPlaceholderId == PPT_PLACEHOLDER_NOTESSLIDEIMAGE ) ( rPersistEntry.bNotesMaster == false ) ) @@ -1798,7 +1799,10 @@ SdrObject* SdrPowerPointImport::ImportOLE( long nOLEId, break; } else -aPlaceHd.SeekToEndOfRecord( rStCtrl ); +{ +if (!aPlaceHd.SeekToEndOfRecord(rStCtrl)) +break; +} } } @@ -2390,7 +2394,8 @@ bool SdrPowerPointImport::SeekToContentOfProgTag( sal_Int32 nVersion, SvStream } } } -aProgTagBinaryDataHd.SeekToEndOfRecord( rSt ); +if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt)) +break; } } if ( !bRetValue ) @@ -2691,7 +2696,8 @@ void ImportComment10( SvxMSDffManager rMan, SvStream rStCtrl, SdrPage* pPage, } break; } -aCommentHd.SeekToEndOfRecord( rStCtrl ); +if (!aCommentHd.SeekToEndOfRecord(rStCtrl)) +break; } Point aPosition( nPosX, nPosY ); rMan.Scale( aPosition ); 
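Review bot: Each new `break` after a failed `SeekToEndOfRecord` abandons its record loop without logging anything, so a truncated or malformed file gives a silently partial import. This starts at `aClientDataHd` in ProcessObj and recurs in the ImportOLE, SeekToContentOfProgTag, ImportComment10, ImportPage and ImportHeaderFooterContainer hunks. Other bail-out paths in the PPT import code shown on this page log through `SAL_WARN`; doing the same here, e.g. `SAL_WARN("filter.ms", "could not seek to end of record");` before each `break`, would make fuzzing results and bug reports easier to triage. The enclosing functions start and end outside these hunks, so it cannot be judged from here whether callers should get an error instead of a partial result.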
@@ -2751,7 +2757,8 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* while( ( rStCtrl.GetError() == 0 ) SeekToRec( rStCtrl, PPT_PST_Comment10, aContentDataHd.GetRecEndFilePos(), aComment10Hd ) ) { ImportComment10( *this, rStCtrl, pRet, aComment10Hd ); -aComment10Hd.SeekToEndOfRecord( rStCtrl ); +if (!aComment10Hd.SeekToEndOfRecord(rStCtrl)) +break; } } } @@ -2829,7 +2836,8 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* } if ( aEscherObjListHd.nRecType == DFF_msofbtSpContainer ) break; -aEscherObjListHd.SeekToEndOfRecord( rStCtrl ); +if (!aEscherObjListHd.SeekToEndOfRecord(rStCtrl)) +break; } // now importing page @@ -2879,7 +2887,8 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* } if ( aEscherObjListHd.nRecType == DFF_msofbtSpgrContainer ) break; -aEscherObjListHd.SeekToEndOfRecord( rStCtrl ); +if (!aEscherObjListHd.SeekToEndOfRecord(rStCtrl)) +break; } if ( rSlidePersist.pBObj ) @@ -2895,7 +2904,8 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* } break; } -aHd.SeekToEndOfRecord( rStCtrl ); +if (!aHd.SeekToEndOfRecord(rStCtrl)) +break; } if ( rSlidePersist.pSolverContainer ) SolveSolver( *rSlidePersist.pSolverContainer ); @@ -3115,7 +3125,8 @@ void SdrEscherImport::ImportHeaderFooterContainer( DffRecordHeader rHd, HeaderF } break; } -aHd.SeekToEndOfRecord( rStCtrl ); +if (!aHd.SeekToEndOfRecord(rStCtrl)) +break; } } @@ -3253,7 +3264,8 @@ PPTExtParaProv::PPTExtParaProv( SdrPowerPointImport rMan, SvStream
[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/source sd/qa sd/source
filter/source/msfilter/svdfppt.cxx | 22 +- sd/qa/unit/data/ppt/pass/hang-9.ppt |binary sd/source/filter/ppt/pptin.cxx |8 +++- 3 files changed, 24 insertions(+), 6 deletions(-) New commits: commit f6e85ec2eb9263e804098aeade75bd9fe8f39b27 Author: Caolán McNamara caol...@redhat.com Date: Thu Aug 27 14:22:23 2015 +0100 avoid loops in atom chains (cherry picked from commit de71eae5807ff94c8eace0eccaabf1ffa08e77b6) Change-Id: Icc40c0ee6c7d8d305cf7cc60cbf3e511c763aedd Reviewed-on: https://gerrit.libreoffice.org/18080 Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index 9a5ca61..b6693086 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -2541,11 +2541,17 @@ bool SdrPowerPointImport::GetColorFromPalette( sal_uInt16 nNum, Color rColor ) while( ( pMasterPersist pMasterPersist-aSlideAtom.nFlags 2 ) // it is possible that a masterpage pMasterPersist-aSlideAtom.nMasterId ) // itself is following a master colorscheme { -sal_uInt16 nNextMaster = pMasterPages-FindPage( pMasterPersist-aSlideAtom.nMasterId ); +auto nOrigMasterId = pMasterPersist-aSlideAtom.nMasterId; +sal_uInt16 nNextMaster = pMasterPages-FindPage(nOrigMasterId); if ( nNextMaster == PPTSLIDEPERSIST_ENTRY_NOTFOUND ) break; else pMasterPersist = (*pPageList2)[ nNextMaster ]; +if (pMasterPersist-aSlideAtom.nMasterId == nOrigMasterId) +{ +SAL_WARN(filter.ms, loop in atom chain); +break; +} } } if ( pMasterPersist ) 
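Review bot: The new guard in the `GetColorFromPalette` master loop only catches a master whose `nMasterId` points back at itself, because it compares the id just looked up (`nOrigMasterId`) with the `nMasterId` of the entry that lookup returned. Assuming `FindPage` resolves ids as its name suggests, a chain in which two or more masters name each other never satisfies that comparison, and as far as the hunk shows the loop still does not terminate on such a file. Recording every id already followed would close this, e.g. a local set of visited ids with `if (!aSeenMasterIds.insert(nOrigMasterId).second) break;` next to the existing `SAL_WARN`, or a cap on iterations at the number of master pages. The same check is added in the `ImportPage` hunk at -2778 and in the `ImplSdPPTImport::Import` hunk in pptin.cxx, and the same applies there.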
@@ -2554,9 +2560,9 @@ bool SdrPowerPointImport::GetColorFromPalette( sal_uInt16 nNum, Color rColor ) } } } -// resgister current color scheme -((SdrPowerPointImport*)this)-nPageColorsNum = nAktPageNum; -((SdrPowerPointImport*)this)-ePageColorsKind = eAktPageKind; +// register current color scheme +const_castSdrPowerPointImport*(this)-nPageColorsNum = nAktPageNum; +const_castSdrPowerPointImport*(this)-ePageColorsKind = eAktPageKind; } rColor = aPageColors.GetColor( nNum ); return true; @@ -2778,11 +2784,17 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* PptSlidePersistEntry* pE = (*pPageList)[ nMasterNum ]; while( ( pE-aSlideAtom.nFlags 4 ) pE-aSlideAtom.nMasterId ) { -sal_uInt16 nNextMaster = pMasterPages-FindPage( pE-aSlideAtom.nMasterId ); +auto nOrigMasterId = pE-aSlideAtom.nMasterId; +sal_uInt16 nNextMaster = pMasterPages-FindPage(nOrigMasterId); if ( nNextMaster == PPTSLIDEPERSIST_ENTRY_NOTFOUND ) break; else pE = (*pPageList)[ nNextMaster ]; +if (pE-aSlideAtom.nMasterId == nOrigMasterId) +{ +SAL_WARN(filter.ms, loop in atom chain); +break; +} } if ( pE-nBackgroundOffset ) { diff --git a/sd/qa/unit/data/ppt/pass/hang-9.ppt b/sd/qa/unit/data/ppt/pass/hang-9.ppt new file mode 100644 index 000..97e0158 Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/hang-9.ppt differ diff --git a/sd/source/filter/ppt/pptin.cxx b/sd/source/filter/ppt/pptin.cxx index db2a05c..5fe2bdc 100644 --- a/sd/source/filter/ppt/pptin.cxx +++ b/sd/source/filter/ppt/pptin.cxx @@ -725,11 +725,17 @@ bool ImplSdPPTImport::Import() PptSlidePersistEntry* pE = pPersist; while( ( pE-aSlideAtom.nFlags 4 ) pE-aSlideAtom.nMasterId ) { -sal_uInt16 nNextMaster = pMasterPages-FindPage( pE-aSlideAtom.nMasterId ); +auto nOrigMasterId = pE-aSlideAtom.nMasterId; +
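Review bot: In the `@@ -2554` hunk the two assignments still write through a cast that removes constness from `this` to update what look like cache fields (`nPageColorsNum`, `ePageColorsKind`). Replacing the C-style cast with `const_cast` makes that explicit but keeps the hazard: the write is undefined behaviour if the importer object is ever itself declared const. Declaring those members `mutable` would let the lines be written as `nPageColorsNum = nAktPageNum;` with no cast. The class definition and the function's qualifiers are outside this hunk, so this needs confirming against the header.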
[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/source sd/qa sd/source
filter/source/msfilter/svdfppt.cxx | 112 ++-- sd/qa/unit/data/ppt/pass/hang-2.ppt |binary sd/source/filter/ppt/propread.cxx |6 + 3 files changed, 74 insertions(+), 44 deletions(-) New commits: commit 1bb226646e4d3b6ee3b25511e3c9c79373874359 Author: Caolán McNamara caol...@redhat.com Date: Wed Aug 26 14:26:40 2015 +0100 various hangs, check seeks and record lengths (cherry picked from commit a8b2dc80c41022515c3a1df6f7ea245c3390dc39) Change-Id: Ided7f9376f41ee8cb1f6903e54a2d51e0e07e1a7 Reviewed-on: https://gerrit.libreoffice.org/18026 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index fb6d3a6..0942060 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -706,6 +706,21 @@ void SdrEscherImport::RecolorGraphic( SvStream rSt, sal_uInt32 nRecLen, Graphic } } +namespace +{ +sal_uLong SanitizeEndPos(SvStream rIn, sal_uLong nEndRecPos) +{ +auto nStreamLen = rIn.Tell() + rIn.remainingSize(); +if (nEndRecPos nStreamLen) +{ +SAL_WARN(filter.ms, Parsing error: nStreamLen + max end pos, but nEndRecPos claimed, truncating); +nEndRecPos = nStreamLen; +} +return nEndRecPos; +} +} + /* ProcessObject is called from ImplSdPPTImport::ProcessObj to handle all application specific things, such as the import of text, animation effects, header footer and placeholder. @@ -731,7 +746,8 @@ SdrObject* SdrEscherImport::ProcessObj( SvStream rSt, DffObjData rObjData, voi { sal_Int16 nHeaderFooterInstance = -1; DffRecordHeader aClientDataHd; -while ( ( rSt.GetError() == 0 ) ( rSt.Tell() maShapeRecords.Current()-GetRecEndFilePos() ) ) +auto nEndRecPos = SanitizeEndPos(rSt, maShapeRecords.Current()-GetRecEndFilePos()); +while ( ( rSt.GetError() == 0 ) ( rSt.Tell() nEndRecPos ) ) { ReadDffRecordHeader( rSt, aClientDataHd ); switch ( aClientDataHd.nRecType ) 
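Review bot: `SanitizeEndPos` is added without a comment stating its contract, although the record loops changed in this commit now rely on it to terminate. A short comment above it would help, e.g. `// Clamp a record end offset read from the file to the real stream length, so loops bounded by it stop on truncated input.` It is also worth saying there that the helper only bounds the upper end. Forward progress inside each loop still depends on the reads and seeks in the loop body succeeding.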
@@ -1342,9 +1358,8 @@ SdrPowerPointImport::SdrPowerPointImport( PowerPointImportParam rParam, const O while( nCurrentEditAtomStrmPos ) { sal_uInt32 nPersistIncPos = aCurrentEditAtom.nOffsetPersistDirectory; -if ( nPersistIncPos ) +if (nPersistIncPos rStCtrl.Seek(nPersistIncPos) == nPersistIncPos) { -rStCtrl.Seek( nPersistIncPos ); DffRecordHeader aPersistHd; ReadDffRecordHeader( rStCtrl, aPersistHd ); if ( aPersistHd.nRecType == PPT_PST_PersistPtrIncrementalBlock ) @@ -1774,8 +1789,10 @@ SdrObject* SdrPowerPointImport::ImportOLE( long nOLEId, if ( ((SdrPowerPointImport*)this)-maShapeRecords.SeekToContent( rStCtrl, DFF_msofbtClientData, SEEK_FROM_CURRENT_AND_RESTART ) ) { DffRecordHeader aPlaceHd; + +auto nEndRecPos = SanitizeEndPos(rStCtrl, const_castSdrPowerPointImport*(this)-maShapeRecords.Current()-GetRecEndFilePos()); while ( ( rStCtrl.GetError() == 0 ) - ( rStCtrl.Tell() ((SdrPowerPointImport*)this)-maShapeRecords.Current()-GetRecEndFilePos() ) ) + ( rStCtrl.Tell() nEndRecPos ) ) { ReadDffRecordHeader( rStCtrl, aPlaceHd ); if ( aPlaceHd.nRecType == PPT_PST_RecolorInfoAtom ) @@ -2632,7 +2649,9 @@ void ImportComment10( SvxMSDffManager rMan, SvStream rStCtrl, SdrPage* pPage, sal_Int32 nPosX = 0; sal_Int32 nPosY = 0; -while ( ( rStCtrl.GetError() == 0 ) ( rStCtrl.Tell() rComment10Hd.GetRecEndFilePos() ) ) + +auto nEndRecPos = SanitizeEndPos(rStCtrl, rComment10Hd.GetRecEndFilePos()); +while ( ( rStCtrl.GetError() == 0 ) ( rStCtrl.Tell() nEndRecPos ) ) { DffRecordHeader aCommentHd; ReadDffRecordHeader( rStCtrl, aCommentHd ); 
@@ -2707,7 +2726,8 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* { rSlidePersist.pHeaderFooterEntry = new HeaderFooterEntry( pMasterPersist ); ProcessData aProcessData( rSlidePersist, (SdPage*)pRet ); -while ( ( rStCtrl.GetError() == 0 ) ( rStCtrl.Tell() aPageHd.GetRecEndFilePos() ) ) +auto nEndRecPos = SanitizeEndPos(rStCtrl, aPageHd.GetRecEndFilePos()); +while ( ( rStCtrl.GetError() == 0 ) ( rStCtrl.Tell() nEndRecPos ) ) { DffRecordHeader aHd; ReadDffRecordHeader( rStCtrl, aHd ); @@ -2742,7 +2762,8 @@ void SdrPowerPointImport::ImportPage( SdrPage* pRet, const PptSlidePersistEntry* sal_uInt32 nPPDrawOfs = rStCtrl.Tell(); // importing the background object
[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/source sd/qa sd/source
filter/source/msfilter/svdfppt.cxx | 14 -- sd/qa/unit/data/ppt/pass/hang-1.ppt |binary sd/source/filter/ppt/pptin.cxx |7 ++- 3 files changed, 18 insertions(+), 3 deletions(-) New commits: commit 17795660145a30c6ccf1dd95c16726c60e50619a Author: Caolán McNamara caol...@redhat.com Date: Wed Aug 26 12:35:01 2015 +0100 don't hang on unreachable record ends Change-Id: I288f7ff0327831603eda6e827c8acbae678dfaff (cherry picked from commit cadac8400a018c8c566379f7767ea5edff78523d) Reviewed-on: https://gerrit.libreoffice.org/18021 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index 94185f1..fb6d3a6 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -4072,8 +4072,18 @@ PPTStyleSheet::PPTStyleSheet( const DffRecordHeader rSlideHd, SvStream rIn, Sd } rSlideHd.SeekToContent( rIn ); + +auto nEndRecPos = rSlideHd.GetRecEndFilePos(); +auto nStreamLen = rIn.Tell() + rIn.remainingSize(); +if (nEndRecPos nStreamLen) +{ +SAL_WARN(filter.ms, Parsing error: nStreamLen + max end pos, but nEndRecPos claimed, truncating); +nEndRecPos = nStreamLen; +} + DffRecordHeader aTxMasterStyleHd; -while ( rIn.Tell() rSlideHd.GetRecEndFilePos() ) +while (rIn.Tell() nEndRecPos) { ReadDffRecordHeader( rIn, aTxMasterStyleHd ); if ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom ) 
@@ -4081,7 +4091,7 @@ PPTStyleSheet::PPTStyleSheet( const DffRecordHeader rSlideHd, SvStream rIn, Sd else aTxMasterStyleHd.SeekToEndOfRecord( rIn ); } -while ( ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom ) ( rIn.Tell() rSlideHd.GetRecEndFilePos() ) ) //TODO: aTxMasterStyleHd may be used without having been properly initialized +while ( ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom ) ( rIn.Tell() nEndRecPos ) ) //TODO: aTxMasterStyleHd may be used without having been properly initialized { sal_uInt32 nInstance = aTxMasterStyleHd.nRecInstance; if ( ( nInstance PPT_STYLESHEETENTRYS ) diff --git a/sd/qa/unit/data/ppt/pass/hang-1.ppt b/sd/qa/unit/data/ppt/pass/hang-1.ppt new file mode 100644 index 000..d30cb84 Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/hang-1.ppt differ diff --git a/sd/source/filter/ppt/pptin.cxx b/sd/source/filter/ppt/pptin.cxx index 64c64ba..06a89e6 100644 --- a/sd/source/filter/ppt/pptin.cxx +++ b/sd/source/filter/ppt/pptin.cxx @@ -813,7 +813,12 @@ bool ImplSdPPTImport::Import() } break; } -aHd.SeekToEndOfRecord( rStCtrl ); +bool bSuccess = aHd.SeekToEndOfRecord(rStCtrl); +if (!bSuccess) +{ +SAL_WARN(filter.ms, Count not seek to end of record); +break; +} } } rStCtrl.Seek( nFPosMerk ); ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
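Review bot: The `else` branch kept as context at the top of the `@@ -4081` hunk still calls `aTxMasterStyleHd.SeekToEndOfRecord( rIn );` and discards the result, while the pptin.cxx hunk of this same commit checks that call and breaks on failure. With the end position now clamped, a failed seek there leaves the first loop depending only on `rIn.Tell()` to terminate. Checking it, `if (!aTxMasterStyleHd.SeekToEndOfRecord(rIn)) break;`, would keep the two files consistent. The loop starts in the previous hunk and the constructor continues past this one.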
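Review bot: The warning added in the pptin.cxx hunk reads `Count not seek to end of record`, a typo for "Could not". This is the message that appears in logs when a malformed file aborts the loop, so it should read `SAL_WARN("filter.ms", "Could not seek to end of record");` (the quotes appear to have been dropped by the archive rendering). `bSuccess` is used only once, so `if (!aHd.SeekToEndOfRecord(rStCtrl))` would do as well.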