summaryrefslogtreecommitdiff
path: root/sw/source
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2018-10-27 19:45:34 +0100
committerMichael Stahl <Michael.Stahl@cib.de>2018-10-28 00:44:57 +0200
commit6253b1a29c8c1bcd7fd9efb07ca1a12fb0fc1746 (patch)
tree6142160592e23c791b7897e1ea5cdd8376cc465e /sw/source
parenta9558457643af2c978a86ce1c744886d983a162d (diff)
ofz#11125 pass param len around
Change-Id: I4b382271df21c58de0e102af6e0b07a88a1d9610 Reviewed-on: https://gerrit.libreoffice.org/62448 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
Diffstat (limited to 'sw/source')
-rw-r--r--sw/source/filter/ww8/ww8par.hxx2
-rw-r--r--sw/source/filter/ww8/ww8par2.cxx47
2 files changed, 38 insertions, 11 deletions
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 6ef295050919..b4fbecfef440 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1038,7 +1038,7 @@ struct WW8TabBandDesc
static void setcelldefaults(WW8_TCell *pCells, short nCells);
void ReadDef(bool bVer67, const sal_uInt8* pS, short nLen);
void ProcessDirection(const sal_uInt8* pParams);
- void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC);
+ void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC, sal_uInt16 nParamsLen);
void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen);
void ProcessSprmTDxaCol(const sal_uInt8* pParamsTDxaCol);
void ProcessSprmTDelete(const sal_uInt8* pParamsTDelete);
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 89e3950c6717..91b2f6c3d733 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1224,11 +1224,17 @@ void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS, short nLen)
}
}
-void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC)
+void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC, sal_uInt16 nParamsLen)
{
if( !pParamsTSetBRC || !pTCs ) // set one or more cell border(s)
return;
+ if (nParamsLen < 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
+
sal_uInt8 nitcFirst= pParamsTSetBRC[0];// first col to be changed
sal_uInt8 nitcLim = pParamsTSetBRC[1];// (last col to be changed)+1
sal_uInt8 nFlag = *(pParamsTSetBRC+2);
@@ -1247,11 +1253,33 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe
WW8_TCell* pCurrentTC = pTCs + nitcFirst;
WW8_BRCVer9 brcVer9;
if( nBrcVer == 6 )
+ {
+ if (nParamsLen < sizeof(WW8_BRCVer6) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = WW8_BRCVer9(WW8_BRC(*reinterpret_cast<WW8_BRCVer6 const *>(pParamsTSetBRC+3)));
+ }
else if( nBrcVer == 8 )
+ {
+ static_assert(sizeof (WW8_BRC) == 4, "this has to match the msword size");
+ if (nParamsLen < sizeof(WW8_BRC) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = WW8_BRCVer9(*reinterpret_cast<WW8_BRC const *>(pParamsTSetBRC+3));
+ }
else
+ {
+ if (nParamsLen < sizeof(WW8_BRCVer9) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = *reinterpret_cast<WW8_BRCVer9 const *>(pParamsTSetBRC+3);
+ }
for( int i = nitcFirst; i < nitcLim; ++i, ++pCurrentTC )
{
@@ -1264,7 +1292,6 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe
if( bChangeRight )
pCurrentTC->rgbrc[ WW8_RIGHT ] = brcVer9;
}
-
}
void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen)
@@ -1782,7 +1809,8 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
sal_uInt16 nTableBordersLen = 0;
const sal_uInt8* pTableBorders90 = nullptr;
sal_uInt16 nTableBorders90Len = 0;
- std::vector<const sal_uInt8*> aTSetBrcs, aTSetBrc90s;
+ // params, len
+ std::vector<std::pair<const sal_uInt8*, sal_uInt16>> aTSetBrcs, aTSetBrc90s;
WW8_TablePos *pTabPos = nullptr;
// search end of a tab row
@@ -1885,10 +1913,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
}
break;
case sprmTSetBrc:
- aTSetBrcs.push_back(pParams); // process at end
+ aTSetBrcs.emplace_back(pParams, nLen); // process at end
break;
case sprmTSetBrc90:
- aTSetBrc90s.push_back(pParams); // process at end
+ aTSetBrc90s.emplace_back(pParams, nLen); // process at end
break;
case sprmTDxaCol:
pNewBand->ProcessSprmTDxaCol(pParams);
@@ -1936,11 +1964,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
else if (pTableBorders)
pNewBand->ProcessSprmTTableBorders(bOldVer ? 6 : 8,
pTableBorders, nTableBordersLen);
- std::vector<const sal_uInt8*>::const_iterator iter;
- for (iter = aTSetBrcs.begin(); iter != aTSetBrcs.end(); ++iter)
- pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, *iter);
- for (iter = aTSetBrc90s.begin(); iter != aTSetBrc90s.end(); ++iter)
- pNewBand->ProcessSprmTSetBRC(9, *iter);
+ for (const auto& a : aTSetBrcs)
+ pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, a.first, a.second);
+ for (const auto& a : aTSetBrc90s)
+ pNewBand->ProcessSprmTSetBRC(9, a.first, a.second);
}
if( nTabeDxaNew < SHRT_MAX )