sd-ppt-fix-document-summary-reading.diff: crasher fix (bnc#546758)

fix problem in ppt reading causing crash or memory saturation
author: Radek Doulik <rodo@novell.com> 2011-04-29 16:51:52 +0200
committer: Petr Mladek <pmladek@suse.cz> 2011-04-29 16:51:52 +0200
commit: 53836fb680ebd6a57fd0036a9d11045f2c2b1b77 (patch)
tree: 6e732dc500122f6b609f8f47ea24a436681f6999 /sd/source/filter/ppt/propread.cxx
parent: 8b964297244b251f4acbe7f966a1594e05644ebc (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index 150acf381c4d..2710be58837c 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -504,7 +504,9 @@ void Section::Read( SvStorageStream *pStrm )
 
                     case VT_LPWSTR :
                         *pStrm >> nTemp;
-                        nPropSize += ( nTemp << 1 ) + 4;
+                        // looks like these are aligned to 4 bytes
+                        sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
+                        nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
                     break;
 
                     case VT_BLOB_OBJECT :
@@ -540,6 +542,9 @@ void Section::Read( SvStorageStream *pStrm )
                     break;
                 }
                 pStrm->Seek( nPropOfs + nSecOfs );
+                // make sure we don't overflow the section size
+                if( nPropSize > nSecSize - nSecOfs )
+                    nPropSize = nSecSize - nSecOfs;
                 sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
                 pStrm->Read( pBuf, nPropSize );
                 AddProperty( nPropId, pBuf, nPropSize );
author	Radek Doulik <rodo@novell.com>	2011-04-29 16:51:52 +0200
committer	Petr Mladek <pmladek@suse.cz>	2011-04-29 16:51:52 +0200
commit	53836fb680ebd6a57fd0036a9d11045f2c2b1b77 (patch)
tree	6e732dc500122f6b609f8f47ea24a436681f6999 /sd/source/filter/ppt/propread.cxx
parent	8b964297244b251f4acbe7f966a1594e05644ebc (diff)