CID#736212 clip word 2 pap bounds

and add a unit test for the word 2..5 formats

Change-Id: I6c7c26be6092acbb81282080de6c393d92ad5dd4
(cherry picked from commit 5d8a9d56de7c1217cfdbe2288c1a3a9128c3dbb5)
Reviewed-on: https://gerrit.libreoffice.org/5908
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Tested-by: Michael Stahl <mstahl@redhat.com>

1 files changed, 9 insertions, 1 deletions

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 2c150cf7fd6d..36f7ceb0c415 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -2496,7 +2496,15 @@ WW8PLCFx_Fc_FKP::WW8Fkp::WW8Fkp(ww::WordVersion eVersion, SvStream* pSt,
                                 {
                                     aEntry.mnLen-=6; //PHE
                                     //skipi stc, len byte + 6 byte PHE
-                                    aEntry.mpData = maRawData + nOfs + 8;
+                                    unsigned int nOffset = nOfs + 8;
+                                    if (nOffset >= 511) //Bad offset
+                                        aEntry.mnLen=0;
+                                    if (aEntry.mnLen)   //start is ok
+                                    {
+                                        if (nOffset + aEntry.mnLen > 512)   //Bad end, clip
+                                            aEntry.mnLen = 512 - nOffset;
+                                        aEntry.mpData = maRawData + nOffset;
+                                    }
                                 }
                                 else
                                     aEntry.mnLen=0; //Too short