authorCaolán McNamara <caolanm@redhat.com>2015-08-24 14:05:00 +0100
committerDavid Tardon <dtardon@redhat.com>2015-08-25 07:19:40 +0000
commitd8b8bb7bb6a4b50190efd9f1f6909f42e353546c (patch)
tree2dbaf1cae56488de5f281486d02b9aa19f256d50 /sw
parentcce05bd5e655ae1db7165e086183371bf071dae3 (diff)
limit seeks to valid area
(cherry picked from commit c0c9075163f06c0b5c2ad9cf428f1cfacf9fe1fb) Change-Id: I401d93491999a3fc3db4f597eea9c4fe5b9bc926 Reviewed-on: https://gerrit.libreoffice.org/17955 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
Diffstat (limited to 'sw')
-rw-r--r--sw/qa/core/data/ww5/pass/hang-2.docbin0 -> 4353 bytes
-rw-r--r--sw/source/filter/ww8/ww8scan.cxx9
2 files changed, 4 insertions, 5 deletions
diff --git a/sw/qa/core/data/ww5/pass/hang-2.doc b/sw/qa/core/data/ww5/pass/hang-2.doc
new file mode 100644
index 000000000000..5f76093f952e
--- /dev/null
+++ b/sw/qa/core/data/ww5/pass/hang-2.doc
Binary files differ
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 1dbf102e8834..c227c12d0803 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -6726,9 +6726,8 @@ WW8Dop::WW8Dop(SvStream& rSt, sal_Int16 nFib, sal_Int32 nPos, sal_uInt32 nSize)
sal_uInt8* pData = pDataPtr;
sal_uInt32 nRead = nMaxDopSize < nSize ? nMaxDopSize : nSize;
- rSt.Seek( nPos );
- if (2 > nSize || nRead != rSt.Read(pData, nRead))
- nDopError = ERR_SWG_READ_ERROR; // Error melden
+ if (nSize < 2 || !checkSeek(rSt, nPos) || nRead != rSt.Read(pData, nRead))
+ nDopError = ERR_SWG_READ_ERROR; // report error
else
{
if (nMaxDopSize > nRead)
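Review bot: `nPos` is a `sal_Int32` (per the constructor signature in the hunk header) but is passed to `checkSeek`, which takes a `sal_uInt32`, so a negative position taken from a malformed document is silently converted to a large unsigned offset. The new bound in `checkSeek` rejects that value for any stream under 2 GiB, but the rejection relies on the conversion rather than on a visible test. Stating it in the condition keeps the guard obvious: `if (nSize < 2 || nPos < 0 || !checkSeek(rSt, nPos) || nRead != rSt.Read(pData, nRead))`. The constructor body starts and continues outside this hunk.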
@@ -7575,8 +7574,8 @@ SEPr::SEPr() :
bool checkSeek(SvStream &rSt, sal_uInt32 nOffset)
{
- return (nOffset != SAL_MAX_UINT32 &&
- rSt.Seek(nOffset) == static_cast<sal_Size>(nOffset));
+ const sal_uInt64 nMaxSeek(rSt.Tell() + rSt.remainingSize());
+ return (nOffset <= nMaxSeek && rSt.Seek(nOffset) == nOffset);
}
bool checkRead(SvStream &rSt, void *pDest, sal_uInt32 nLength)
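Review bot: `checkSeek` has no comment stating its contract, and the new `nOffset <= nMaxSeek` test accepts an offset equal to the end of the stream, so a true return does not mean any byte is readable there. I would add above the function `// Returns true only if nOffset is within the stream (end inclusive) and the stream is now positioned there; callers must still check the following read.` On the out-of-range path the stream position appears to be left where it was, while a `Seek` that lands elsewhere leaves it moved, which the comment could also mention. The dropped `SAL_MAX_UINT32` test is subsumed by the bound only while the stream is smaller than 4 GiB, which presumably holds for this format.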