authorMarkus Mohrhard <markus.mohrhard@googlemail.com>2012-07-05 21:59:55 +0200
committerMarkus Mohrhard <markus.mohrhard@googlemail.com>2012-07-05 22:56:32 +0200
commitb45e528cb70d1f908b8ff6ec156ac1a816287075 (patch)
treeb04f00cd571ee31da36ccf6a25d3a58582edf66a
parent3988c35c9635dfc38f6a2125e5664f60f164951b (diff)
prevent invalid memory when loading change tracking from xls, fdo#45209
When loading broken xls files with change tracking we may crash because of an invalid memory access that results from loading too few bytes and then using the originally created array. The patch changes it to check for the right amount of loaded bytes and otherwise skips this change tracking record. Change-Id: I0795104284479368e26b8411336cee690abffd06
-rw-r--r--sc/source/filter/excel/xistream.cxx4
-rw-r--r--sc/source/filter/xcl97/XclImpChangeTrack.cxx13
2 files changed, 15 insertions, 2 deletions
diff --git a/sc/source/filter/excel/xistream.cxx b/sc/source/filter/excel/xistream.cxx
index 753839cada2b..8cd9980821ec 100644
--- a/sc/source/filter/excel/xistream.cxx
+++ b/sc/source/filter/excel/xistream.cxx
@@ -822,7 +822,9 @@ sal_Size XclImpStream::CopyToStream( SvStream& rOutStrm, sal_Size nBytes )
{
sal_Size nReadSize = ::std::min( nBytesLeft, nMaxBuffer );
nRet += Read( pnBuffer, nReadSize );
- rOutStrm.Write( pnBuffer, nReadSize );
+ // writing more bytes than read results in invalid memory access
+ SAL_WARN_IF(nRet != nReadSize, "sc", "read less bytes than requested");
+ rOutStrm.Write( pnBuffer, nRet );
nBytesLeft -= nReadSize;
}
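Review bot: `rOutStrm.Write( pnBuffer, nRet )` passes the running total rather than the number of bytes read in this pass, because `nRet` is accumulated with `+=` on the line above. If the enclosing block is a loop (its header is outside the hunk, but `nBytesLeft -= nReadSize` suggests one), every pass after the first would ask Write to copy more bytes than were just placed in `pnBuffer`, and possibly more than the buffer holds, which is the same class of over-read the commit sets out to prevent. The `SAL_WARN_IF(nRet != nReadSize, ...)` comparison would also fire on each later pass even when the read was complete. Keeping the per-pass count in its own variable fixes both: `sal_Size nReadBytes = Read( pnBuffer, nReadSize );`, `nRet += nReadBytes;`, `rOutStrm.Write( pnBuffer, nReadBytes );`, with the warning comparing `nReadBytes` against `nReadSize`.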
diff --git a/sc/source/filter/xcl97/XclImpChangeTrack.cxx b/sc/source/filter/xcl97/XclImpChangeTrack.cxx
index 926c537b5aed..ecb8b6e58c8e 100644
--- a/sc/source/filter/xcl97/XclImpChangeTrack.cxx
+++ b/sc/source/filter/xcl97/XclImpChangeTrack.cxx
@@ -197,7 +197,18 @@ void XclImpChangeTrack::ReadFormula( ScTokenArray*& rpTokenArray, const ScAddres
// converter in each formula)
SvMemoryStream aMemStrm;
aMemStrm << (sal_uInt16) 0x0001 << nFmlSize;
- pStrm->CopyToStream( aMemStrm, nFmlSize );
+ size_t nRead = pStrm->CopyToStream( aMemStrm, nFmlSize );
+
+ // survive reading invalid streams!
+ // if we can't read as many bytes as required just don't use them and
+ // assume that this part is broken
+ if(nRead != nFmlSize)
+ {
+ rpTokenArray = NULL;
+ pStrm->Ignore(1);
+ return;
+ }
+
XclImpStream aFmlaStrm( aMemStrm, GetRoot() );
aFmlaStrm.StartNextRecord();
XclImpChTrFmlConverter aFmlConv( GetRoot(), *this );
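Review bot: The bail-out branch `rpTokenArray = NULL; pStrm->Ignore(1); return;` leaves its contract undocumented, although it only runs on malformed, attacker-controllable input. The function's callers are outside the hunk, so it is worth confirming that each of them checks `rpTokenArray` for null before dereferencing it, and that no previously allocated token array is dropped by the assignment. The `Ignore(1)` also needs a why-comment, since after a short read it is not obvious which byte is being skipped or whether any bytes remain; something like `// skip the trailing byte that follows the formula data, as the normal path does` if that is the intent. Note that the check relies on CopyToStream returning the number of bytes actually read, so it inherits any miscount in that function.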