author | Caolán McNamara <caolanm@redhat.com> | 2020-08-28 20:08:00 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2020-08-28 22:01:51 +0200 |
commit | 7a8952726c14a268fac04e0163dca83f2ba8d604 (patch) | |
tree | d219e132fee60b5aa5617d78510a76cefd5f56f4 /oox/source/crypto/DocumentDecryption.cxx | |
parent | e08b4144d9d0f0b05ef0f1c51c111d5a56e616a5 (diff) |
ofz#24770 oom
Change-Id: I0ccae77753fa9a1efb9cb405920f8ee8ffe9fbb2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/101565
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'oox/source/crypto/DocumentDecryption.cxx')
-rw-r--r-- | oox/source/crypto/DocumentDecryption.cxx | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/oox/source/crypto/DocumentDecryption.cxx b/oox/source/crypto/DocumentDecryption.cxx
index c566426267ff..feec8de10691 100644
--- a/oox/source/crypto/DocumentDecryption.cxx
+++ b/oox/source/crypto/DocumentDecryption.cxx
@@ -110,6 +110,8 @@ bool DocumentDecryption::readEncryptionInfo()
 if (xDataSpaceMap.is())
 {
+ bool bBroken = false;
+
 BinaryXInputStream aDataSpaceStream(xDataSpaceMap, true);
 sal_uInt32 aHeaderLength = aDataSpaceStream.readuInt32();
 SAL_WARN_IF(aHeaderLength != 8, "oox", "DataSpaceMap length != 8 is not supported. Some content may be skipped");
@@ -117,30 +119,44 @@ bool DocumentDecryption::readEncryptionInfo()
 SAL_WARN_IF(aEntryCount != 1, "oox", "DataSpaceMap contains more than one entry. Some content may be skipped");
 // Read each DataSpaceMapEntry (MS-OFFCRYPTO 2.1.6.1)
- for (sal_uInt32 i = 0; i < aEntryCount && !aDataSpaceStream.isEof(); i++)
+ for (sal_uInt32 i = 0; i < aEntryCount && !bBroken; i++)
 {
 // entryLen unused for the moment
 aDataSpaceStream.skip(sizeof(sal_uInt32));
 // Read each DataSpaceReferenceComponent (MS-OFFCRYPTO 2.1.6.2)
 sal_uInt32 aReferenceComponentCount = aDataSpaceStream.readuInt32();
- for (sal_uInt32 j = 0; j < aReferenceComponentCount && !aDataSpaceStream.isEof(); j++)
+ for (sal_uInt32 j = 0; j < aReferenceComponentCount && !bBroken; j++)
 {
 // Read next reference component
 // refComponentType unused for the moment
 aDataSpaceStream.skip(sizeof(sal_uInt32));
 sal_uInt32 aReferenceComponentNameLength = aDataSpaceStream.readuInt32();
 // sReferenceComponentName unused for the moment
+ if (aDataSpaceStream.getRemaining() < aReferenceComponentNameLength)
+ {
+ bBroken = true;
+ break;
+ }
 aDataSpaceStream.readUnicodeArray(aReferenceComponentNameLength / 2);
 aDataSpaceStream.skip((4 - (aReferenceComponentNameLength & 3)) & 3); // Skip padding
+
+ bBroken |= aDataSpaceStream.isEof();
 }
 sal_uInt32 aDataSpaceNameLength = aDataSpaceStream.readuInt32();
+ if (aDataSpaceStream.getRemaining() < aDataSpaceNameLength)
+ {
+ bBroken = true;
+ break;
+ }
 sDataSpaceName = aDataSpaceStream.readUnicodeArray(aDataSpaceNameLength / 2);
 aDataSpaceStream.skip((4 - (aDataSpaceNameLength & 3)) & 3); // Skip padding
+
+ bBroken |= aDataSpaceStream.isEof();
 }
- if (aDataSpaceStream.isEof())
+ if (bBroken)
 {
 SAL_WARN("oox", "EOF on parsing DataSpaceMapEntry table");
 return false; |
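Review bot: The `break` inside the reference-component loop leaves only the inner `for`, so after a name length that exceeds `getRemaining()` the outer body still reads `aDataSpaceNameLength` and may assign `sDataSpaceName` from a stream already known to be malformed. The allocation is still bounded by the second `getRemaining()` check and the function returns false afterwards, but an `if (bBroken) break;` directly after the inner loop would stop parsing at the first bad length taken from the untrusted document. Separately, both new comparisons assume `getRemaining()` always knows the stream size; if it can return a negative "unknown" value for a non-seekable stream (not visible here, worth confirming), every entry would be rejected as broken, which fails closed but would refuse valid documents. `readEncryptionInfo()` starts and ends outside this hunk.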