summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2015-09-18 13:20:03 +0100
committerCaolán McNamara <caolanm@redhat.com>2015-09-18 13:20:03 +0100
commit7af19f45b35c428d3e06972806e5a05489f45955 (patch)
tree4ca8a97a70f66140e28fc34c87f39c71b1271475
parentf6368c29bdc3a9017bcae3f064d2cd8c7e37ed10 (diff)
check stream status and string lengths
Change-Id: I99f3d4a2ec760228f485d01fce856deb9c068431
-rw-r--r--sd/qa/unit/data/ppt/pass/hang-22.pptbin0 -> 15872 bytes
-rw-r--r--sd/source/filter/ppt/propread.cxx4
2 files changed, 3 insertions, 1 deletions
diff --git a/sd/qa/unit/data/ppt/pass/hang-22.ppt b/sd/qa/unit/data/ppt/pass/hang-22.ppt
new file mode 100644
index 000000000000..c869b39372bd
--- /dev/null
+++ b/sd/qa/unit/data/ppt/pass/hang-22.ppt
Binary files differ
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index b76fbcaec5b4..03e05d0623bf 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -288,7 +288,9 @@ void Section::GetDictionary(Dictionary& rDict)
for (sal_uInt32 i = 0; i < nDictCount; ++i)
{
sal_uInt32 nId(0), nSize(0);
- aStream.ReadUInt32( nId ).ReadUInt32( nSize );
+ aStream.ReadUInt32(nId).ReadUInt32(nSize);
+ if (!aStream.good() || nSize > aStream.remainingSize())
+ break;
if (mnTextEnc == RTL_TEXTENCODING_UCS2)
nSize >>= 1;
if (!nSize)