ofz#3154 check bounds of special sprm

Change-Id: I82566e2f2ad479c392f06ae7149e3781c0338e50 Reviewed-on: https://gerrit.libreoffice.org/41631 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2017-08-28 12:13:41 +0100
committer: Michael Stahl <mstahl@redhat.com> 2017-08-28 16:24:41 +0200
commit: 0d6550f0fee06732d663b9763e18231dad4e42c5 (patch)
tree: 181e605b11201230fcee6d07aedac83bccc446e6
parent: 2f252e0cc62b7cf9d35ba1a427a3c0b4606cd0d1 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index e80ed34d4d13..ce322e6c0571 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -7953,8 +7953,17 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm,
             }
             break;
         case 0xD608:
-            nL = SVBT16ToShort( &pSprm[1 + mnDelta] );
+        {
+            sal_uInt8 nIndex = 1 + mnDelta;
+            if (nIndex + 1 >= nRemLen)
+            {
+                SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+                nL = 0;
+            }
+            else
+                nL = SVBT16ToShort(&pSprm[nIndex]);
             break;
+        }
         default:
             switch (aSprm.nVari)
             {
author	Caolán McNamara <caolanm@redhat.com>	2017-08-28 12:13:41 +0100
committer	Michael Stahl <mstahl@redhat.com>	2017-08-28 16:24:41 +0200
commit	0d6550f0fee06732d663b9763e18231dad4e42c5 (patch)
tree	181e605b11201230fcee6d07aedac83bccc446e6
parent	2f252e0cc62b7cf9d35ba1a427a3c0b4606cd0d1 (diff)