authorCaolán McNamara <caolanm@redhat.com>2017-04-03 20:36:06 +0100
committerAndras Timar <andras.timar@collabora.com>2017-04-23 21:34:40 +0200
commit220a2bd6b3b12b76e4c790a73f731686377ddefc (patch)
tree1f6338086d27249fc3be5cd41e743f2429ec3ab6
parent8231ca61ed85744a392f83a095e64fae6f2a4c77 (diff)
ofz: check anlv text bounds
Change-Id: I6288aae2d439cde6a2b95c005a2090f73e21bb7a (cherry picked from commit 3feabd87ad8066b45b55d61cd72684e47fd79082) Reviewed-on: https://gerrit.libreoffice.org/36052 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit 18690fd4b7fdb3244cbc3dd4e711a9230bcef00e) (cherry picked from commit ab81b03391db0489c21c2bd063cbe42e534b87c4)
-rw-r--r--sw/source/filter/ww8/ww8par.hxx2
-rw-r--r--sw/source/filter/ww8/ww8par2.cxx29
-rw-r--r--sw/source/filter/ww8/ww8struc.hxx2
3 files changed, 26 insertions, 7 deletions
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index e2c7e38424ca..a31bab2234c8 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1562,7 +1562,7 @@ private:
// die Strukturen hierfuer sind: LSTF, LVLF, LFO LFOLVL
void SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV, const sal_uInt8* pText,
- bool bOutline);
+ size_t nStart, size_t nElements, bool bOutline);
void SetAnld(SwNumRule* pNumR, WW8_ANLD const * pAD, sal_uInt8 nSwLevel, bool bOutLine);
void SetNumOlst( SwNumRule* pNumR, WW8_OLST* pO, sal_uInt8 nSwLevel );
SwNumRule* GetStyRule();
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 66baa458910c..c1e3ab02e2fd 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -633,8 +633,14 @@ static void SetBaseAnlv(SwNumFormat &rNum, WW8_ANLV const &rAV, sal_uInt8 nSwLev
}
void SwWW8ImplReader::SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV,
- const sal_uInt8* pText, bool bOutline)
+ const sal_uInt8* pText, size_t nStart, size_t nElements, bool bOutline)
{
+ if (nStart > nElements)
+ return;
+
+ pText += nStart;
+ nElements -= nStart;
+
bool bInsert = false; // Default
rtl_TextEncoding eCharSet = m_eStructCharSet;
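Review bot: The new `if (nStart > nElements) return;` guard drops the strings silently, while the length checks added further down in the same function log through SAL_WARN, so a document that trips this path leaves no trace for triage. I would log here as well, e.g. `SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range start " << nStart << " vs " << nElements << " max");` before the return. A one-line comment stating that nStart and nElements are byte counts into pText would also help, since the later check divides nElements by 2. The function body continues past this hunk.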
@@ -642,13 +648,26 @@ void SwWW8ImplReader::SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV,
bool bListSymbol = pF && ( pF->chs == 2 ); // Symbol/WingDings/...
OUString sText;
+ sal_uInt32 nLen = rAV.cbTextBefore + rAV.cbTextAfter;
if (m_bVer67)
{
- sText = OUString(reinterpret_cast<char const *>(pText), rAV.cbTextBefore + rAV.cbTextAfter, eCharSet);
+ if (nLen > nElements)
+ {
+ SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
+ << nLen << " vs " << nElements << " max");
+ return;
+ }
+ sText = OUString(reinterpret_cast<char const *>(pText), nLen, eCharSet);
}
else
{
- for(sal_Int32 i = 0; i < rAV.cbTextBefore + rAV.cbTextAfter; ++i, pText += 2)
+ if (nLen > nElements / 2)
+ {
+ SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
+ << nLen << " vs " << nElements / 2 << " max");
+ return;
+ }
+ for(sal_uInt32 i = 0; i < nLen; ++i, pText += 2)
{
sText += OUString(SVBT16ToShort(*reinterpret_cast<SVBT16 const *>(pText)));
}
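Review bot: The two checks compare nLen against different limits (`nElements` and `nElements / 2`) with no comment saying that nLen counts characters while nElements counts bytes. A short comment above `sal_uInt32 nLen`, such as `// nLen is in characters; nElements is in bytes, and the non-Ver67 branch reads 2 bytes per character`, would make the invariant reviewable. Both early returns also leave rNum without its before/after text, yet the visible callers still go on to `pNumR->Set(nSwLevel, aNF)`, so the function comment should state that a malformed record yields a format with no prefix/suffix rather than an aborted import. The remainder of SetAnlvStrings is outside this hunk, so what else the early return skips cannot be judged from here.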
@@ -733,7 +752,7 @@ void SwWW8ImplReader::SetAnld(SwNumRule* pNumR, WW8_ANLD const * pAD, sal_uInt8
m_bAktAND_fNumberAcross = 0 != pAD->fNumberAcross;
WW8_ANLV const &rAV = pAD->eAnlv;
SetBaseAnlv(aNF, rAV, nSwLevel); // set the base format
- SetAnlvStrings(aNF, rAV, pAD->rgchAnld, bOutLine ); // set the rest
+ SetAnlvStrings(aNF, rAV, pAD->rgchAnld, 0, SAL_N_ELEMENTS(pAD->rgchAnld), bOutLine); // set the rest
}
pNumR->Set(nSwLevel, aNF);
}
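Review bot: `SAL_N_ELEMENTS(pAD->rgchAnld)` bounds the read by the declared array size (32 per the ww8struc.hxx hunk), which only helps if the buffer behind pAD is at least sizeof(WW8_ANLD) bytes; that is established by SetAnld's caller, which this hunk does not show. If the record length taken from the file can be shorter, the bound should come from that length instead. Otherwise a comment at the call, such as `// caller guarantees pAD covers a full WW8_ANLD`, would record the assumption. The same applies to `SAL_N_ELEMENTS(pO->rgch)` in the SetNumOlst hunk below.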
@@ -863,7 +882,7 @@ void SwWW8ImplReader::SetNumOlst(SwNumRule* pNumR, WW8_OLST* pO, sal_uInt8 nSwLe
if (!m_bVer67)
nTextOfs *= 2;
- SetAnlvStrings(aNF, rAV, pO->rgch + nTextOfs, true); // and apply
+ SetAnlvStrings(aNF, rAV, pO->rgch, nTextOfs, SAL_N_ELEMENTS(pO->rgch), true); // and apply
pNumR->Set(nSwLevel, aNF);
}
diff --git a/sw/source/filter/ww8/ww8struc.hxx b/sw/source/filter/ww8/ww8struc.hxx
index 08d80c77558b..e0d483728fc0 100644
--- a/sw/source/filter/ww8/ww8struc.hxx
+++ b/sw/source/filter/ww8/ww8struc.hxx
@@ -671,7 +671,7 @@ struct WW8_ANLD
sal_uInt8 fNumberAcross; // 0x11 number across cells in table rows(instead of down)
sal_uInt8 fRestartHdn; // 0x12 restart heading number on section boundary
sal_uInt8 fSpareX; // 0x13 unused( should be 0)
- sal_uInt8 rgchAnld[32]; // 0x14 characters displayed before/after autonumber
+ sal_uInt8 rgchAnld[32]; // 0x14 characters displayed before/after autonumber
};
struct WW8_OLST