ofz#29691 revert throw SvStreamEOFException

reasonably sane code like s.ReadUInt32(a).ReadUInt32(b).ReadUInt32(c).ReadUInt32(d); if (s.good()) // use a, b, c d; stopped working. FWIW on a short read we retain whatever was in the variable before the read, rather than overwrite it with new random data, so sal_uInt32 a(0xdead); s.ReadUInt32(a); assert(s.good() || a == 0xdead); the msoffice ppt/escher/xls/doc filters especially speculatively parse and rely on a variables preinit value in the case of a short read. commit b345a2bab0d6f981049951a86b172ce49ce7d4c2 cid#1470786 Uncaught exception commit 71aec4726a94dcde1169fd293dbecfeb0e840e6d ofz#29528 uncaught exception commit bed03603f6cae264abb9e5b58aa2ab00448d92ff ofz#29414 uncaught exception commit 684885a99a1eb7ad943e9736166d4bb1468663be ofz#29443 uncaught exception commit 93574ac7768d247ed754ecda322e54e4bd447e43 ofz#29251 Abrt commit 413db68d95bd39d34e6a6b81a7c5c9478ced0514 ofz#29152 short read commit f400e883044143f999c460375a293647b4a57244 ofz#29151 short read commit 96ea80a725dfe4ef38993f78917c243f13e3beb5 ofz#29129 Abrt on uncaught exception commit 646a635efe6eecbc3d1dd3a7cbb02a278c6f3be5 ofz#28931 Indirect-leak commit b0e573f18629d28fe3179c12d0d434653f92fc93 ofz#29030 Abrt in xlsfuzzer commit 95407c39168d186ee44e67b1a6a4bcf592c58b84 ofz#28902 uncaught exception commit 45175d655ad3773df1c006182108cf25e87b1091 oss-fuzz: tgafuzzer doesn't pass sanity check commit b82fc702bae9d6190bda1b4818a47cfa197df6d8 oss-fuzz: psdfuzzer doesn't pass sanity check commit e7c76d604a4694e6568bf10c2a06a786f1096319 oss-fuzz: epsfuzzer doesn't pass sanity check commit 901e5e7c9170184e286ea3e46fce406136aa9572 oss-fuzz: xlsfuzzer doesn't pass sanity check commit 127bfab61c297df06fd8e71e709bc4362cb89d21 oss-fuzz: pngfuzzer doesn't pass sanity check commit 77387ae00ae27e3f8bcdf7bccf97fb2db8f196b7 oss-fuzz: mtpfuzzer doesn't pass sanity check commit 974ffa79b0fef4ca76558bb8b16bce84af3aaf6c oss-fuzz: xlsxfuzzer doesn't pass sanity check commit 6d6d104cbb382d0045e1f04b12d268992fa5c624 oss-fuzz: bmpfuzzer doesn't pass sanity check commit a7d1d107ec58d3b00b4019c89edddcff71ca6ff3 oss-fuzz: qpwfuzzer doesn't pass sanity check commit 898993aa62276f59480df8af1da4bad530829b56 oss-fuzz: pcxfuzzer doesn't pass sanity check throw/catch parts of commit 8c9a4ff511a3b1d84a7a6d08a1b153c07f164abb throw exception in SvStream when reading past end of file Change-Id: Ic49c249768b17b64d8e868655dbc05b31906c2e6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109621 Tested-by: Jenkins Tested-by: Caolán McNamara <caolanm@redhat.com> Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk> Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2021-01-18 16:19:10 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2021-01-20 16:20:25 +0100
commit: 4e639c37b4dcdc27d46111d0d0cbca966544c2cb (patch)
tree: e2ba04b8df148d863a2c2ab6a4410f297aed47b9 /sfx2/source/doc/oleprops.cxx
parent: ab85732e1c6a1b52cf95fd9fb50b9ccb7cac2137 (diff)
1 files changed, 33 insertions, 41 deletions
diff --git a/sfx2/source/doc/oleprops.cxx b/sfx2/source/doc/oleprops.cxx
index a9e2b9b8a874..ee1927522e05 100644
--- a/sfx2/source/doc/oleprops.cxx
+++ b/sfx2/source/doc/oleprops.cxx
@@ -941,13 +941,12 @@ void SfxOleSection::ImplLoad( SvStream& rStrm )
     mnStartPos = rStrm.Tell();
     sal_uInt32 nSize(0);
     sal_Int32 nPropCount(0);
-    if (rStrm.remainingSize() >= 8)
-        rStrm.ReadUInt32( nSize ).ReadInt32( nPropCount );
+    rStrm.ReadUInt32( nSize ).ReadInt32( nPropCount );
 
     // read property ID/position pairs
     typedef ::std::map< sal_Int32, sal_uInt32 > SfxOlePropPosMap;
     SfxOlePropPosMap aPropPosMap;
-    for (sal_Int32 nPropIdx = 0; nPropIdx < nPropCount && rStrm.good() && rStrm.remainingSize() >= 8; ++nPropIdx)
+    for (sal_Int32 nPropIdx = 0; nPropIdx < nPropCount && rStrm.good(); ++nPropIdx)
     {
         sal_Int32 nPropId(0);
         sal_uInt32 nPropPos(0);
@@ -957,7 +956,7 @@ void SfxOleSection::ImplLoad( SvStream& rStrm )
 
     // read codepage property
     SfxOlePropPosMap::iterator aCodePageIt = aPropPosMap.find( PROPID_CODEPAGE );
-    if( (aCodePageIt != aPropPosMap.end()) && SeekToPropertyPos(rStrm, aCodePageIt->second) && rStrm.remainingSize() >= 4)
+    if( (aCodePageIt != aPropPosMap.end()) && SeekToPropertyPos( rStrm, aCodePageIt->second ) )
     {
         // codepage property must be of type signed int-16
         sal_Int32 nPropType(0);
@@ -973,7 +972,7 @@ void SfxOleSection::ImplLoad( SvStream& rStrm )
     if( (aDictIt != aPropPosMap.end()) && SeekToPropertyPos( rStrm, aDictIt->second ) )
     {
         // #i66214# #i66428# applications may write broken dictionary properties in wrong sections
-        if (mbSupportsDict && rStrm.remainingSize() >= 4)
+        if( mbSupportsDict )
         {
             // dictionary property contains number of pairs in property type field
             sal_Int32 nNameCount(0);
@@ -1155,43 +1154,36 @@ SfxOleSection& SfxOlePropertySet::AddSection( const SvGlobalName& rSectionGuid )
 
 void SfxOlePropertySet::ImplLoad( SvStream& rStrm )
 {
-    try
-    {
-        // read property set header
-        sal_uInt16 nByteOrder;
-        sal_uInt16 nVersion;
-        sal_uInt16 nOsMinor;
-        sal_uInt16 nOsType;
-        SvGlobalName aGuid;
-        sal_Int32 nSectCount(0);
-        rStrm.ReadUInt16( nByteOrder ).ReadUInt16( nVersion ).ReadUInt16( nOsMinor ).ReadUInt16( nOsType );
-        rStrm >> aGuid;
-        rStrm.ReadInt32( nSectCount );
-
-        // read sections
-        sal_uInt64 nSectPosPos = rStrm.Tell();
-        for (sal_Int32 nSectIdx = 0; nSectIdx < nSectCount; ++nSectIdx)
-        {
-            // read section guid/position pair
-            rStrm.Seek(nSectPosPos);
-            SvGlobalName aSectGuid;
-            rStrm >> aSectGuid;
-            sal_uInt32 nSectPos(0);
-            rStrm.ReadUInt32(nSectPos);
-            if (!rStrm.good())
-                break;
-            nSectPosPos = rStrm.Tell();
-            // read section
-            if (!checkSeek(rStrm, nSectPos))
-                break;
-            LoadObject(rStrm, AddSection(aSectGuid));
-            if (!rStrm.good())
-                break;
-        }
-    }
-    catch (const SvStreamEOFException&)
+    // read property set header
+    sal_uInt16 nByteOrder;
+    sal_uInt16 nVersion;
+    sal_uInt16 nOsMinor;
+    sal_uInt16 nOsType;
+    SvGlobalName aGuid;
+    sal_Int32 nSectCount(0);
+    rStrm.ReadUInt16( nByteOrder ).ReadUInt16( nVersion ).ReadUInt16( nOsMinor ).ReadUInt16( nOsType );
+    rStrm >> aGuid;
+    rStrm.ReadInt32( nSectCount );
+
+    // read sections
+    sal_uInt64 nSectPosPos = rStrm.Tell();
+    for (sal_Int32 nSectIdx = 0; nSectIdx < nSectCount; ++nSectIdx)
     {
-        rStrm.SetError(SVSTREAM_READ_ERROR);
+        // read section guid/position pair
+        rStrm.Seek(nSectPosPos);
+        SvGlobalName aSectGuid;
+        rStrm >> aSectGuid;
+        sal_uInt32 nSectPos(0);
+        rStrm.ReadUInt32(nSectPos);
+        if (!rStrm.good())
+            break;
+        nSectPosPos = rStrm.Tell();
+        // read section
+        if (!checkSeek(rStrm, nSectPos))
+            break;
+        LoadObject(rStrm, AddSection(aSectGuid));
+        if (!rStrm.good())
+            break;
     }
 }
author	Caolán McNamara <caolanm@redhat.com>	2021-01-18 16:19:10 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2021-01-20 16:20:25 +0100
commit	4e639c37b4dcdc27d46111d0d0cbca966544c2cb (patch)
tree	e2ba04b8df148d863a2c2ab6a4410f297aed47b9 /sfx2/source/doc/oleprops.cxx
parent	ab85732e1c6a1b52cf95fd9fb50b9ccb7cac2137 (diff)