author | Miklos Vajna <vmiklos@collabora.co.uk> | 2014-01-11 22:09:07 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2014-01-11 22:16:48 +0100 |
commit | 4e4abd7e06425a468107a3f1ad6808a246cf2078 (patch) | |
tree | dc1ca65902c853f02846e5df88402d34a954fb6b | |
parent | 8d29a02d768872d83a43b9fe39e5482070229e5e (diff) |
Related: fdo#67386 RtfSdrExport: fix crash by respecting size of aVertices
Fix a crash that happened when nSeg was something huge, and we tried to
read uninitialized memory when reading more than nPropSize.
Change-Id: If9fe9e903678794106b10d8eb0dac6050b77d6b7
-rwxr-xr-x | sw/qa/core/exportdata/rtf/pass/fdo67386.doc | bin | 0 -> 204288 bytes | |||
-rw-r--r-- | sw/source/filter/ww8/rtfsdrexport.cxx | 19 |
2 files changed, 12 insertions, 7 deletions
diff --git a/sw/qa/core/exportdata/rtf/pass/fdo67386.doc b/sw/qa/core/exportdata/rtf/pass/fdo67386.doc
Binary files differ
new file mode 100755
index 000000000000..ecd3d13af217
--- /dev/null
+++ b/sw/qa/core/exportdata/rtf/pass/fdo67386.doc
diff --git a/sw/source/filter/ww8/rtfsdrexport.cxx b/sw/source/filter/ww8/rtfsdrexport.cxx
index 5496639233e8..9a2f05152ace 100644
--- a/sw/source/filter/ww8/rtfsdrexport.cxx
+++ b/sw/source/filter/ww8/rtfsdrexport.cxx
@@ -115,13 +115,14 @@ inline sal_uInt16 impl_GetUInt16( const sal_uInt8* &pVal )
 return nRet;
 }
-inline sal_Int32 impl_GetPointComponent( const sal_uInt8* &pVal, sal_uInt16 nPointSize )
+inline sal_Int32 impl_GetPointComponent( const sal_uInt8* &pVal, sal_Size& rVerticesPos, sal_uInt16 nPointSize )
 {
 sal_Int32 nRet = 0;
 if ( ( nPointSize == 0xfff0 ) || ( nPointSize == 4 ) )
 {
 sal_uInt16 nUnsigned = *pVal++;
 nUnsigned += ( *pVal++ ) << 8;
+ rVerticesPos += 2;
 nRet = sal_Int16( nUnsigned );
 }
@@ -131,6 +132,7 @@ inline sal_Int32 impl_GetPointComponent( const sal_uInt8* &pVal, sal_uInt16 nPoi
 nUnsigned += ( *pVal++ ) << 8;
 nUnsigned += ( *pVal++ ) << 16;
 nUnsigned += ( *pVal++ ) << 24;
+ rVerticesPos += 4;
 nRet = nUnsigned;
 }
@@ -261,6 +263,7 @@ void RtfSdrExport::Commit( EscherPropertyContainer& rProps, const Rectangle& rRe
 rProps.GetOpt( ESCHER_Prop_pSegmentInfo, aSegments ) )
 {
 const sal_uInt8 *pVerticesIt = aVertices.pBuf + 6;
+ sal_Size nVerticesPos = 0;
 const sal_uInt8 *pSegmentIt = aSegments.pBuf;
 OStringBuffer aSegmentInfo( 512 );
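Review bot: impl_GetPointComponent in the @@ -115 hunk now advances rVerticesPos but still dereferences pVal without knowing how many bytes remain, and nothing at the signature tells callers that the bounds check is their job. A short comment above the function would make that contract explicit, for example `// Reads one coordinate, low byte first, from pVal and adds the bytes consumed (2 or 4) to rVerticesPos. No bounds check here: the caller must ensure the bytes are available.` The same contract covers the 4-byte branch in the @@ -131 hunk. The function body is split across these two hunks and is not fully visible.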
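Review bot: In the @@ -261 hunk nVerticesPos starts at 0 while pVerticesIt starts at `aVertices.pBuf + 6`, so the counter measures bytes consumed after the first 6 bytes, yet the guard added later compares it with `aVertices.nPropSize`. If nPropSize is the length of the whole pBuf buffer (its definition is not visible here, so this needs confirming), the guard still admits reads up to 6 bytes past the end. Starting the counter at the same offset, `sal_Size nVerticesPos = 6;`, or comparing against `aVertices.nPropSize - 6` after checking that nPropSize is at least 6, would keep the two cursors consistent. Commit() starts and ends outside this hunk.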
@@ -283,8 +286,8 @@ void RtfSdrExport::Commit( EscherPropertyContainer& rProps, const Rectangle& rRe
 case 0x0001: // lineto
 case 0x4000: // moveto
 {
- sal_Int32 nX = impl_GetPointComponent( pVerticesIt, nPointSize );
- sal_Int32 nY = impl_GetPointComponent( pVerticesIt, nPointSize );
+ sal_Int32 nX = impl_GetPointComponent( pVerticesIt, nVerticesPos, nPointSize );
+ sal_Int32 nY = impl_GetPointComponent( pVerticesIt, nVerticesPos, nPointSize );
 aVerticies.append( ";(" ).append( nX ).append( "," ).append( nY ).append( ")" );
 nVertices ++;
 }
@@ -293,8 +296,8 @@ void RtfSdrExport::Commit( EscherPropertyContainer& rProps, const Rectangle& rRe
 {
 for (int i = 0; i < 3; i++)
 {
- sal_Int32 nX = impl_GetPointComponent( pVerticesIt, nPointSize );
- sal_Int32 nY = impl_GetPointComponent( pVerticesIt, nPointSize );
+ sal_Int32 nX = impl_GetPointComponent( pVerticesIt, nVerticesPos, nPointSize );
+ sal_Int32 nY = impl_GetPointComponent( pVerticesIt, nVerticesPos, nPointSize );
 aVerticies.append( ";(" ).append( nX ).append( "," ).append( nY ).append( ")" );
 nVertices ++;
 }
@@ -311,8 +314,10 @@ void RtfSdrExport::Commit( EscherPropertyContainer& rProps, const Rectangle& rRe
 // See EscherPropertyContainer::CreateCustomShapeProperties, by default nSeg is simply the number of points.
 for (int i = 0; i < nSeg; ++i)
 {
- sal_Int32 nX = impl_GetPointComponent(pVerticesIt, nPointSize);
- sal_Int32 nY = impl_GetPointComponent(pVerticesIt, nPointSize);
+ if (nVerticesPos >= aVertices.nPropSize)
+ break;
+ sal_Int32 nX = impl_GetPointComponent(pVerticesIt, nVerticesPos, nPointSize);
+ sal_Int32 nY = impl_GetPointComponent(pVerticesIt, nVerticesPos, nPointSize);
 aVerticies.append(";(").append(nX).append(",").append(nY).append(")");
 ++nVertices;
 }
|
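Review bot: The lineto/moveto case in the @@ -283 hunk, and the three-point loop in the @@ -293 hunk, still read from pVerticesIt with no comparison against `aVertices.nPropSize`; only the nSeg loop in the @@ -311 hunk received a guard. The segment records are parsed from aSegments, which comes from the document being exported, so a file whose segment list asks for more points than aVertices holds would presumably still read past the buffer on these two paths. Each pair of calls needs the same kind of check before it, or the check could move into impl_GetPointComponent (passing it the remaining size) so that no call site can skip it. The enclosing switch is only partly visible in these hunks.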
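Review bot: The guard added in the @@ -311 hunk, `if (nVerticesPos >= aVertices.nPropSize)`, runs once per point, but each iteration then reads two components, up to 8 bytes in total, so it passes when a single byte is left and the two calls read beyond it. The test should require a whole point to be available, i.e. compare nVerticesPos plus the byte size of one point for the current nPointSize against the end of the vertex data instead of testing only the start position. A one-line comment on the guard saying that nPropSize is the byte length of aVertices.pBuf would also help the next reader. The loop is complete in this hunk, but Commit() continues outside it.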