From 220a2bd6b3b12b76e4c790a73f731686377ddefc Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Mon, 3 Apr 2017 20:36:06 +0100
Subject: ofz: check anlv text bounds
Change-Id: I6288aae2d439cde6a2b95c005a2090f73e21bb7a
(cherry picked from commit 3feabd87ad8066b45b55d61cd72684e47fd79082)
Reviewed-on: https://gerrit.libreoffice.org/36052
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 18690fd4b7fdb3244cbc3dd4e711a9230bcef00e)
(cherry picked from commit ab81b03391db0489c21c2bd063cbe42e534b87c4)
---
 sw/source/filter/ww8/ww8par.hxx | 2 +-
 sw/source/filter/ww8/ww8par2.cxx | 29 ++++++++++++++++++++++++-----
 sw/source/filter/ww8/ww8struc.hxx | 2 +-
 3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index e2c7e38424ca..a31bab2234c8 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1562,7 +1562,7 @@ private:
 // die Strukturen hierfuer sind: LSTF, LVLF, LFO LFOLVL
 void SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV, const sal_uInt8* pText,
- bool bOutline);
+ size_t nStart, size_t nElements, bool bOutline);
 void SetAnld(SwNumRule* pNumR, WW8_ANLD const * pAD, sal_uInt8 nSwLevel, bool bOutLine);
 void SetNumOlst( SwNumRule* pNumR, WW8_OLST* pO, sal_uInt8 nSwLevel );
 SwNumRule* GetStyRule();
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 66baa458910c..c1e3ab02e2fd 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
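Review bot: The new `nStart` and `nElements` parameters on the SetAnlvStrings declaration carry no comment, and their unit is only discoverable from the definition in ww8par2.cxx, where `pText += nStart` advances a sal_uInt8 pointer and the non-ver67 branch divides `nElements` by 2 before comparing it with a character count. Both call sites pass SAL_N_ELEMENTS of a buffer (rgchAnld is declared sal_uInt8[32] in ww8struc.hxx; WW8_OLST::rgch is presumably the same element type), so a one-line comment on the declaration would save the next reader the trip: `// nStart/nElements: byte offset into and byte size of pText (non-ver67 text uses 2 bytes per char)`.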
@@ -633,8 +633,14 @@ static void SetBaseAnlv(SwNumFormat &rNum, WW8_ANLV const &rAV, sal_uInt8 nSwLev
 }
 void SwWW8ImplReader::SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV,
- const sal_uInt8* pText, bool bOutline)
+ const sal_uInt8* pText, size_t nStart, size_t nElements, bool bOutline)
 {
+ if (nStart > nElements)
+ return;
+
+ pText += nStart;
+ nElements -= nStart;
+
 bool bInsert = false; // Default
 rtl_TextEncoding eCharSet = m_eStructCharSet;
@@ -642,13 +648,26 @@ void SwWW8ImplReader::SetAnlvStrings(SwNumFormat &rNum, WW8_ANLV const &rAV,
 bool bListSymbol = pF && ( pF->chs == 2 ); // Symbol/WingDings/...
 OUString sText;
+ sal_uInt32 nLen = rAV.cbTextBefore + rAV.cbTextAfter;
 if (m_bVer67)
 {
- sText = OUString(reinterpret_cast(pText), rAV.cbTextBefore + rAV.cbTextAfter, eCharSet);
+ if (nLen > nElements)
+ {
+ SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
+ << nLen << " vs " << nElements << " max");
+ return;
+ }
+ sText = OUString(reinterpret_cast(pText), nLen, eCharSet);
 }
 else
 {
- for(sal_Int32 i = 0; i < rAV.cbTextBefore + rAV.cbTextAfter; ++i, pText += 2)
+ if (nLen > nElements / 2)
+ {
+ SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
+ << nLen << " vs " << nElements / 2 << " max");
+ return;
+ }
+ for(sal_uInt32 i = 0; i < nLen; ++i, pText += 2)
 {
 sText += OUString(SVBT16ToShort(*reinterpret_cast(pText)));
 }
@@ -733,7 +752,7 @@ void SwWW8ImplReader::SetAnld(SwNumRule* pNumR, WW8_ANLD const * pAD, sal_uInt8
 m_bAktAND_fNumberAcross = 0 != pAD->fNumberAcross;
 WW8_ANLV const &rAV = pAD->eAnlv;
 SetBaseAnlv(aNF, rAV, nSwLevel); // set the base format
- SetAnlvStrings(aNF, rAV, pAD->rgchAnld, bOutLine ); // set the rest
+ SetAnlvStrings(aNF, rAV, pAD->rgchAnld, 0, SAL_N_ELEMENTS(pAD->rgchAnld), bOutLine); // set the rest
 }
 pNumR->Set(nSwLevel, aNF);
 }
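Review bot: The new `if (nStart > nElements) return;` guard at the top of SetAnlvStrings drops the numbering text silently, whereas the two length checks added further down in the same function each emit a SAL_WARN before returning. A start offset past the end of the buffer is the same class of malformed input as an oversized length and is equally worth a trace when triaging a fuzzer finding or a broken document, so the guard should warn the same way: `SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range start " << nStart << " vs " << nElements << " max");` on the line before the `return`. The body of SetAnlvStrings continues past the end of this hunk.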
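Review bot: The bounds check in the second hunk of SetAnlvStrings is written twice, once per encoding branch, with the SAL_WARN text and the `return` duplicated and only the divisor differing; the two copies already differ in that one reports `nElements` and the other `nElements / 2` as the maximum without saying which unit is meant. Computing the number of characters the buffer can hold once, before the `if (m_bVer67)` split, leaves a single check and a single warning site, and the message can then state the unit. The rewrite below preserves the existing behaviour (same comparison, same values in the warning, same early return); the rest of the function lies outside this hunk.
```cpp
    sal_uInt32 nLen = rAV.cbTextBefore + rAV.cbTextAfter;
    // ver67 text is one byte per character, otherwise two bytes (16-bit units) per character
    size_t nMaxChars = m_bVer67 ? nElements : nElements / 2;
    if (nLen > nMaxChars)
    {
        SAL_WARN("sw.ww8", "SetAnlvStrings: ignoring out of range "
            << nLen << " chars vs " << nMaxChars << " max");
        return;
    }
    if (m_bVer67)
    {
        // … unchanged: single-byte OUString construction from pText …
    }
    else
    {
        for(sal_uInt32 i = 0; i < nLen; ++i, pText += 2)
        // … unchanged: 16-bit decode loop body …
```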
@@ -863,7 +882,7 @@ void SwWW8ImplReader::SetNumOlst(SwNumRule* pNumR, WW8_OLST* pO, sal_uInt8 nSwLe
 if (!m_bVer67)
 nTextOfs *= 2;
- SetAnlvStrings(aNF, rAV, pO->rgch + nTextOfs, true); // and apply
+ SetAnlvStrings(aNF, rAV, pO->rgch, nTextOfs, SAL_N_ELEMENTS(pO->rgch), true); // and apply
 pNumR->Set(nSwLevel, aNF);
 }
diff --git a/sw/source/filter/ww8/ww8struc.hxx b/sw/source/filter/ww8/ww8struc.hxx
index 08d80c77558b..e0d483728fc0 100644
--- a/sw/source/filter/ww8/ww8struc.hxx
+++ b/sw/source/filter/ww8/ww8struc.hxx
@@ -671,7 +671,7 @@ struct WW8_ANLD
 sal_uInt8 fNumberAcross; // 0x11 number across cells in table rows(instead of down)
 sal_uInt8 fRestartHdn; // 0x12 restart heading number on section boundary
 sal_uInt8 fSpareX; // 0x13 unused( should be 0)
- sal_uInt8 rgchAnld[32]; // 0x14 characters displayed before/after autonumber
+ sal_uInt8 rgchAnld[32]; // 0x14 characters displayed before/after autonumber
 };
 struct WW8_OLST
-- 
cgit v1.2.3