From e72f3ce68e18ac604469ce5e856341a469af27ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Thu, 13 Apr 2017 13:01:35 +0100
Subject: ofz: header has to be at least 1 pair long

Change-Id: I5725048519a2b68265e90d12b1e4bcb506c56fc2
---
 sw/source/filter/ww8/ww8graf.cxx | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx
index 7d843a225a0a..e3fbbaf62732 100644
--- a/sw/source/filter/ww8/ww8graf.cxx
+++ b/sw/source/filter/ww8/ww8graf.cxx
@@ -1248,12 +1248,20 @@ SdrObject* SwWW8ImplReader::ReadCaptionBox(WW8_DPHEAD* pHd, SfxAllItemSet &rSet)
 return nullptr;
 sal_uInt16 nCount = SVBT16ToShort( aCallB.dpPolyLine.aBits1 ) >> 1 & 0x7fff;
+ if (nCount < 1)
+ {
+ SAL_WARN("sw.ww8", "Short CaptionBox header");
+ return nullptr;
+ }
+
 std::unique_ptr xP(new SVBT16[nCount * 2]);
 bool bCouldRead = checkRead(*m_pStrm, xP.get(), nCount * 4); // Punkte einlesen
- OSL_ENSURE(bCouldRead, "Short CaptionBox header");
 if (!bCouldRead)
+ {
+ SAL_WARN("sw.ww8", "Short CaptionBox header");
 return nullptr;
+ }
 sal_uInt8 nTyp = (sal_uInt8)nCount - 1;
 if( nTyp == 1 && SVBT16ToShort( xP[0] ) == SVBT16ToShort( xP[2] ) )
-- 
cgit v1.2.1
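Review bot: The new `nCount < 1` guard rejects an empty point list, but the context line `sal_uInt8 nTyp = (sal_uInt8)nCount - 1;` still narrows nCount (masked to 0x7fff, so up to 32767) to its low byte before subtracting, so a count of 256 passes the guard and yields nTyp 255. How nTyp is used lies outside the hunk, so the impact cannot be judged from here; if only small counts are valid for this record the guard could bound both ends, e.g. `if (nCount < 1 || nCount > 0xff)`, and otherwise a comment should state that the truncation is intended. The two SAL_WARN calls also log the identical text "Short CaptionBox header", so a log reader cannot tell a zero count from a truncated stream; the first could read `SAL_WARN("sw.ww8", "CaptionBox header has no points");`. ReadCaptionBox starts and ends outside the hunk.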