check for ridiculous lengths and check stream status

Change-Id: Iefe943794e005f03b2a6ea5fc642b8c3d21b3334 (cherry picked from commit 858257d465b7e7ce54819cc2f631efcb20632863) Reviewed-on: https://gerrit.libreoffice.org/18174 Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>
author: Caolán McNamara <caolanm@redhat.com> 2015-08-31 13:21:19 +0100
committer: Miklos Vajna <vmiklos@collabora.co.uk> 2015-09-02 15:50:19 +0000
commit: 2284ada74ac0dd66b4f5e3e811a85fc6c458d13a (patch)
tree: 9f342ce7fc3a5febd716240a86687d98c6434eb2
parent: 58beafe8301349bfb4f7c83d2583cd4b37463480 (diff)
2 files changed, 13 insertions, 9 deletions
diff --git a/sw/qa/core/data/ww8/pass/hang-6.doc b/sw/qa/core/data/ww8/pass/hang-6.doc
new file mode 100644
index 000000000000..48293c5fa93e
--- /dev/null
+++ b/sw/qa/core/data/ww8/pass/hang-6.doc
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 2b0170b0921b..ad69a1f3aabd 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -677,16 +677,22 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
                                              SEEK_FROM_CURRENT_AND_RESTART )
             && maShapeRecords.Current()->nRecLen )
         {
-            sal_uInt32  nBytesLeft = maShapeRecords.Current()->nRecLen;
-            sal_uInt32  nUDData;
-            sal_uInt16  nPID;
+            sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
+            auto nAvailableBytes = rSt.remainingSize();
+            if (nBytesLeft > nAvailableBytes)
+            {
+                SAL_WARN("sw.ww8", "Document claimed to have shape record of " << nBytesLeft << " bytes, but only " << nAvailableBytes << " available");
+                nBytesLeft = nAvailableBytes;
+            }
             while( 5 < nBytesLeft )
             {
-                rSt.ReadUInt16( nPID );
-                if ( rSt.GetError() != 0 )
+                sal_uInt16 nPID(0);
+                rSt.ReadUInt16(nPID);
+                sal_uInt32 nUDData(0);
+                rSt.ReadUInt32(nUDData);
+                if (!rSt.good())
                     break;
-                rSt.ReadUInt32( nUDData );
-                switch( nPID )
+                switch (nPID)
                 {
                     case 0x038F: pImpRec->nXAlign = nUDData; break;
                     case 0x0390:
@@ -714,8 +720,6 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
                         pImpRec->isHorizontalRule = true;
                         break;
                 }
-                if ( rSt.GetError() != 0 )
-                    break;
                 nBytesLeft  -= 6;
             }
         }
author	Caolán McNamara <caolanm@redhat.com>	2015-08-31 13:21:19 +0100
committer	Miklos Vajna <vmiklos@collabora.co.uk>	2015-09-02 15:50:19 +0000
commit	2284ada74ac0dd66b4f5e3e811a85fc6c458d13a (patch)
tree	9f342ce7fc3a5febd716240a86687d98c6434eb2
parent	58beafe8301349bfb4f7c83d2583cd4b37463480 (diff)