diff options
author | Markus Mohrhard <markus.mohrhard@googlemail.com> | 2012-07-05 21:59:55 +0200 |
---|---|---|
committer | Markus Mohrhard <markus.mohrhard@googlemail.com> | 2012-07-05 22:56:32 +0200 |
commit | b45e528cb70d1f908b8ff6ec156ac1a816287075 (patch) | |
tree | b04f00cd571ee31da36ccf6a25d3a58582edf66a | |
parent | 3988c35c9635dfc38f6a2125e5664f60f164951b (diff) |
prevent invalid memory when loading change tracking from xls, fdo#45209
when loading broken xls files with change tracking we may crash because
of invalid memory access that results from loading to few bytes and then
using the originally created array
the patch changes it to check for the right amount of loaded bytes and
otherwise skips this change tracking record
Change-Id: I0795104284479368e26b8411336cee690abffd06
-rw-r--r-- | sc/source/filter/excel/xistream.cxx | 4 | ||||
-rw-r--r-- | sc/source/filter/xcl97/XclImpChangeTrack.cxx | 13 |
2 files changed, 15 insertions, 2 deletions
diff --git a/sc/source/filter/excel/xistream.cxx b/sc/source/filter/excel/xistream.cxx index 753839cada2b..8cd9980821ec 100644 --- a/sc/source/filter/excel/xistream.cxx +++ b/sc/source/filter/excel/xistream.cxx @@ -822,7 +822,9 @@ sal_Size XclImpStream::CopyToStream( SvStream& rOutStrm, sal_Size nBytes ) { sal_Size nReadSize = ::std::min( nBytesLeft, nMaxBuffer ); nRet += Read( pnBuffer, nReadSize ); - rOutStrm.Write( pnBuffer, nReadSize ); + // writing more bytes than read results in invalid memory access + SAL_WARN_IF(nRet != nReadSize, "sc", "read less bytes than requested"); + rOutStrm.Write( pnBuffer, nRet ); nBytesLeft -= nReadSize; } diff --git a/sc/source/filter/xcl97/XclImpChangeTrack.cxx b/sc/source/filter/xcl97/XclImpChangeTrack.cxx index 926c537b5aed..ecb8b6e58c8e 100644 --- a/sc/source/filter/xcl97/XclImpChangeTrack.cxx +++ b/sc/source/filter/xcl97/XclImpChangeTrack.cxx @@ -197,7 +197,18 @@ void XclImpChangeTrack::ReadFormula( ScTokenArray*& rpTokenArray, const ScAddres // converter in each formula) SvMemoryStream aMemStrm; aMemStrm << (sal_uInt16) 0x0001 << nFmlSize; - pStrm->CopyToStream( aMemStrm, nFmlSize ); + size_t nRead = pStrm->CopyToStream( aMemStrm, nFmlSize ); + + // survive reading invalid streams! + // if we can't read as many bytes as required just don't use them and + // assume that this part is broken + if(nRead != nFmlSize) + { + rpTokenArray = NULL; + pStrm->Ignore(1); + return; + } + XclImpStream aFmlaStrm( aMemStrm, GetRoot() ); aFmlaStrm.StartNextRecord(); XclImpChTrFmlConverter aFmlConv( GetRoot(), *this ); |