summaryrefslogtreecommitdiff
path: root/sw/source
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2018-10-27 19:45:34 +0100
committerAndras Timar <andras.timar@collabora.com>2019-08-22 13:44:34 +0200
commit21dc07d365e85d64621468e79a29aa8a481c115a (patch)
tree77737d4bf420bc8a6c51d645ae9041722274d517 /sw/source
parent527a9ac2a8d5322642d7e493505a922810a53add (diff)
ofz#11125 pass param len around
Change-Id: I4b382271df21c58de0e102af6e0b07a88a1d9610 Reviewed-on: https://gerrit.libreoffice.org/62448 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> (cherry picked from commit 6253b1a29c8c1bcd7fd9efb07ca1a12fb0fc1746)
Diffstat (limited to 'sw/source')
-rw-r--r--sw/source/filter/ww8/ww8par.hxx2
-rw-r--r--sw/source/filter/ww8/ww8par2.cxx47
2 files changed, 38 insertions, 11 deletions
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index c0a4b44c4c93..b2db0fe83b44 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1033,7 +1033,7 @@ struct WW8TabBandDesc
static void setcelldefaults(WW8_TCell *pCells, short nCells);
void ReadDef(bool bVer67, const sal_uInt8* pS, short nLen);
void ProcessDirection(const sal_uInt8* pParams);
- void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC);
+ void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC, sal_uInt16 nParamsLen);
void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen);
void ProcessSprmTDxaCol(const sal_uInt8* pParamsTDxaCol);
void ProcessSprmTDelete(const sal_uInt8* pParamsTDelete);
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 1ab43e948b90..2bb1a638bc2c 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1360,11 +1360,17 @@ void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS, short nLen)
}
}
-void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC)
+void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC, sal_uInt16 nParamsLen)
{
if( !pParamsTSetBRC || !pTCs ) // set one or more cell border(s)
return;
+ if (nParamsLen < 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
+
sal_uInt8 nitcFirst= pParamsTSetBRC[0];// first col to be changed
sal_uInt8 nitcLim = pParamsTSetBRC[1];// (last col to be changed)+1
sal_uInt8 nFlag = *(pParamsTSetBRC+2);
@@ -1383,11 +1389,33 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe
WW8_TCell* pAktTC = pTCs + nitcFirst;
WW8_BRCVer9 brcVer9;
if( nBrcVer == 6 )
+ {
+ if (nParamsLen < sizeof(WW8_BRCVer6) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = WW8_BRCVer9(WW8_BRC(*reinterpret_cast<WW8_BRCVer6 const *>(pParamsTSetBRC+3)));
+ }
else if( nBrcVer == 8 )
+ {
+ static_assert(sizeof (WW8_BRC) == 4, "this has to match the msword size");
+ if (nParamsLen < sizeof(WW8_BRC) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = WW8_BRCVer9(*reinterpret_cast<WW8_BRC const *>(pParamsTSetBRC+3));
+ }
else
+ {
+ if (nParamsLen < sizeof(WW8_BRCVer9) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = *reinterpret_cast<WW8_BRCVer9 const *>(pParamsTSetBRC+3);
+ }
for( int i = nitcFirst; i < nitcLim; ++i, ++pAktTC )
{
@@ -1400,7 +1428,6 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe
if( bChangeRight )
pAktTC->rgbrc[ WW8_RIGHT ] = brcVer9;
}
-
}
void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen)
@@ -1920,7 +1947,8 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
sal_uInt16 nTableBordersLen = 0;
const sal_uInt8* pTableBorders90 = nullptr;
sal_uInt16 nTableBorders90Len = 0;
- std::vector<const sal_uInt8*> aTSetBrcs, aTSetBrc90s;
+ // params, len
+ std::vector<std::pair<const sal_uInt8*, sal_uInt16>> aTSetBrcs, aTSetBrc90s;
WW8_TablePos *pTabPos = nullptr;
// search end of a tab row
@@ -2023,10 +2051,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
}
break;
case sprmTSetBrc:
- aTSetBrcs.push_back(pParams); // process at end
+ aTSetBrcs.emplace_back(pParams, nLen); // process at end
break;
case sprmTSetBrc90:
- aTSetBrc90s.push_back(pParams); // process at end
+ aTSetBrc90s.emplace_back(pParams, nLen); // process at end
break;
case sprmTDxaCol:
pNewBand->ProcessSprmTDxaCol(pParams);
@@ -2074,11 +2102,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
else if (pTableBorders)
pNewBand->ProcessSprmTTableBorders(bOldVer ? 6 : 8,
pTableBorders, nTableBordersLen);
- std::vector<const sal_uInt8*>::const_iterator iter;
- for (iter = aTSetBrcs.begin(); iter != aTSetBrcs.end(); ++iter)
- pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, *iter);
- for (iter = aTSetBrc90s.begin(); iter != aTSetBrc90s.end(); ++iter)
- pNewBand->ProcessSprmTSetBRC(9, *iter);
+ for (const auto& a : aTSetBrcs)
+ pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, a.first, a.second);
+ for (const auto& a : aTSetBrc90s)
+ pNewBand->ProcessSprmTSetBRC(9, a.first, a.second);
}
if( nTabeDxaNew < SHRT_MAX )