ofz: check olst sprm for valid ANLD payload len

Change-Id: Ic1b6681a3f48ef0fe3f52eda9db8b7bc003ded55 (cherry picked from commit 98151bf95bda8d647310bdba6936dc6b388b05de) Reviewed-on: https://gerrit.libreoffice.org/36099 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit d79935cb3154ca86aca01043d7c196cc161db67b) (cherry picked from commit 0dea48ffb43efec165bce34dd85e732b52e903b0)
author: Caolán McNamara <caolanm@redhat.com> 2017-04-04 19:13:12 +0100
committer: Andras Timar <andras.timar@collabora.com> 2017-04-23 21:36:24 +0200
commit: 797d88acc377d44396d6a4ec50630d910d703712 (patch)
tree: 9b4b036f398d40ce3414347ca8256c2b6b741331
parent: 786cbde1e7ae741d9a5160ae8fe35fcc7d67b007 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 4d7da746b58a..5b1d2faeb094 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -905,6 +905,14 @@ void SwWW8ImplReader::Read_OLST( sal_uInt16, const sal_uInt8* pData, short nLen
         m_pNumOlst = 0;
         return;
     }
+
+    if (static_cast<size_t>(nLen) < sizeof(WW8_OLST))
+    {
+        SAL_WARN("sw.ww8", "WW8_OLST property is " << nLen << " long, needs to be at least " << sizeof(WW8_OLST));
+        m_pNumOlst = nullptr;
+        return;
+    }
+
     m_pNumOlst = new WW8_OLST;
     if( nLen < sal::static_int_cast< sal_Int32 >(sizeof( WW8_OLST )) )   // fill if to short
         memset( m_pNumOlst, 0, sizeof( *m_pNumOlst ) );
author	Caolán McNamara <caolanm@redhat.com>	2017-04-04 19:13:12 +0100
committer	Andras Timar <andras.timar@collabora.com>	2017-04-23 21:36:24 +0200
commit	797d88acc377d44396d6a4ec50630d910d703712 (patch)
tree	9b4b036f398d40ce3414347ca8256c2b6b741331
parent	786cbde1e7ae741d9a5160ae8fe35fcc7d67b007 (diff)