diff options
author | Caolán McNamara <caolanm@redhat.com> | 2021-01-18 16:19:10 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2021-01-20 16:20:25 +0100 |
commit | 4e639c37b4dcdc27d46111d0d0cbca966544c2cb (patch) | |
tree | e2ba04b8df148d863a2c2ab6a4410f297aed47b9 /sw/source/filter/html/htmlreqifreader.cxx | |
parent | ab85732e1c6a1b52cf95fd9fb50b9ccb7cac2137 (diff) |
ofz#29691 revert throw SvStreamEOFException
reasonably sane code like
s.ReadUInt32(a).ReadUInt32(b).ReadUInt32(c).ReadUInt32(d);
if (s.good())
// use a, b, c d;
stopped working.
FWIW on a short read we retain whatever was in the variable before the
read, rather than overwrite it with new random data, so
sal_uInt32 a(0xdead); s.ReadUInt32(a); assert(s.good() || a == 0xdead);
the msoffice ppt/escher/xls/doc filters especially speculatively parse
and rely on a variables preinit value in the case of a short read.
commit b345a2bab0d6f981049951a86b172ce49ce7d4c2
cid#1470786 Uncaught exception
commit 71aec4726a94dcde1169fd293dbecfeb0e840e6d
ofz#29528 uncaught exception
commit bed03603f6cae264abb9e5b58aa2ab00448d92ff
ofz#29414 uncaught exception
commit 684885a99a1eb7ad943e9736166d4bb1468663be
ofz#29443 uncaught exception
commit 93574ac7768d247ed754ecda322e54e4bd447e43
ofz#29251 Abrt
commit 413db68d95bd39d34e6a6b81a7c5c9478ced0514
ofz#29152 short read
commit f400e883044143f999c460375a293647b4a57244
ofz#29151 short read
commit 96ea80a725dfe4ef38993f78917c243f13e3beb5
ofz#29129 Abrt on uncaught exception
commit 646a635efe6eecbc3d1dd3a7cbb02a278c6f3be5
ofz#28931 Indirect-leak
commit b0e573f18629d28fe3179c12d0d434653f92fc93
ofz#29030 Abrt in xlsfuzzer
commit 95407c39168d186ee44e67b1a6a4bcf592c58b84
ofz#28902 uncaught exception
commit 45175d655ad3773df1c006182108cf25e87b1091
oss-fuzz: tgafuzzer doesn't pass sanity check
commit b82fc702bae9d6190bda1b4818a47cfa197df6d8
oss-fuzz: psdfuzzer doesn't pass sanity check
commit e7c76d604a4694e6568bf10c2a06a786f1096319
oss-fuzz: epsfuzzer doesn't pass sanity check
commit 901e5e7c9170184e286ea3e46fce406136aa9572
oss-fuzz: xlsfuzzer doesn't pass sanity check
commit 127bfab61c297df06fd8e71e709bc4362cb89d21
oss-fuzz: pngfuzzer doesn't pass sanity check
commit 77387ae00ae27e3f8bcdf7bccf97fb2db8f196b7
oss-fuzz: mtpfuzzer doesn't pass sanity check
commit 974ffa79b0fef4ca76558bb8b16bce84af3aaf6c
oss-fuzz: xlsxfuzzer doesn't pass sanity check
commit 6d6d104cbb382d0045e1f04b12d268992fa5c624
oss-fuzz: bmpfuzzer doesn't pass sanity check
commit a7d1d107ec58d3b00b4019c89edddcff71ca6ff3
oss-fuzz: qpwfuzzer doesn't pass sanity check
commit 898993aa62276f59480df8af1da4bad530829b56
oss-fuzz: pcxfuzzer doesn't pass sanity check
throw/catch parts of
commit 8c9a4ff511a3b1d84a7a6d08a1b153c07f164abb
throw exception in SvStream when reading past end of file
Change-Id: Ic49c249768b17b64d8e868655dbc05b31906c2e6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109621
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw/source/filter/html/htmlreqifreader.cxx')
-rw-r--r-- | sw/source/filter/html/htmlreqifreader.cxx | 89 |
1 files changed, 41 insertions, 48 deletions
diff --git a/sw/source/filter/html/htmlreqifreader.cxx b/sw/source/filter/html/htmlreqifreader.cxx index 09ba240c13ff..d656f51bc0cb 100644 --- a/sw/source/filter/html/htmlreqifreader.cxx +++ b/sw/source/filter/html/htmlreqifreader.cxx @@ -99,56 +99,49 @@ bool ParseOLE2Presentation(SvStream& rOle2, sal_uInt32& nWidth, sal_uInt32& nHei { // See [MS-OLEDS] 2.3.4, OLEPresentationStream rOle2.Seek(0); - try - { - tools::SvRef<SotStorage> pStorage = new SotStorage(rOle2); - tools::SvRef<SotStorageStream> xOle2Presentation - = pStorage->OpenSotStream("\002OlePres000", StreamMode::STD_READ); - - // Read AnsiClipboardFormat. - sal_uInt32 nMarkerOrLength = 0; - xOle2Presentation->ReadUInt32(nMarkerOrLength); - if (nMarkerOrLength != 0xffffffff) - // FormatOrAnsiString is not present - return false; - sal_uInt32 nFormatOrAnsiLength = 0; - xOle2Presentation->ReadUInt32(nFormatOrAnsiLength); - if (nFormatOrAnsiLength != 0x00000003) // CF_METAFILEPICT - return false; - - // Read TargetDeviceSize. - sal_uInt32 nTargetDeviceSize = 0; - xOle2Presentation->ReadUInt32(nTargetDeviceSize); - if (nTargetDeviceSize != 0x00000004) - // TargetDevice is present - return false; - - sal_uInt32 nAspect = 0; - xOle2Presentation->ReadUInt32(nAspect); - sal_uInt32 nLindex = 0; - xOle2Presentation->ReadUInt32(nLindex); - sal_uInt32 nAdvf = 0; - xOle2Presentation->ReadUInt32(nAdvf); - sal_uInt32 nReserved1 = 0; - xOle2Presentation->ReadUInt32(nReserved1); - xOle2Presentation->ReadUInt32(nWidth); - xOle2Presentation->ReadUInt32(nHeight); - sal_uInt32 nSize = 0; - xOle2Presentation->ReadUInt32(nSize); - - // Read Data. - if (nSize > xOle2Presentation->remainingSize()) - return false; - std::vector<char> aBuffer(nSize); - xOle2Presentation->ReadBytes(aBuffer.data(), aBuffer.size()); - rPresentationData.WriteBytes(aBuffer.data(), aBuffer.size()); + tools::SvRef<SotStorage> pStorage = new SotStorage(rOle2); + tools::SvRef<SotStorageStream> xOle2Presentation + = pStorage->OpenSotStream("\002OlePres000", StreamMode::STD_READ); + + // Read AnsiClipboardFormat. + sal_uInt32 nMarkerOrLength = 0; + xOle2Presentation->ReadUInt32(nMarkerOrLength); + if (nMarkerOrLength != 0xffffffff) + // FormatOrAnsiString is not present + return false; + sal_uInt32 nFormatOrAnsiLength = 0; + xOle2Presentation->ReadUInt32(nFormatOrAnsiLength); + if (nFormatOrAnsiLength != 0x00000003) // CF_METAFILEPICT + return false; - return true; - } - catch (SvStreamEOFException&) - { + // Read TargetDeviceSize. + sal_uInt32 nTargetDeviceSize = 0; + xOle2Presentation->ReadUInt32(nTargetDeviceSize); + if (nTargetDeviceSize != 0x00000004) + // TargetDevice is present return false; - } + + sal_uInt32 nAspect = 0; + xOle2Presentation->ReadUInt32(nAspect); + sal_uInt32 nLindex = 0; + xOle2Presentation->ReadUInt32(nLindex); + sal_uInt32 nAdvf = 0; + xOle2Presentation->ReadUInt32(nAdvf); + sal_uInt32 nReserved1 = 0; + xOle2Presentation->ReadUInt32(nReserved1); + xOle2Presentation->ReadUInt32(nWidth); + xOle2Presentation->ReadUInt32(nHeight); + sal_uInt32 nSize = 0; + xOle2Presentation->ReadUInt32(nSize); + + // Read Data. + if (nSize > xOle2Presentation->remainingSize()) + return false; + std::vector<char> aBuffer(nSize); + xOle2Presentation->ReadBytes(aBuffer.data(), aBuffer.size()); + rPresentationData.WriteBytes(aBuffer.data(), aBuffer.size()); + + return true; } /** |