From a39ff2fb213c6428ba5e11a9c55f353cdbdda70b Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 11 Sep 2013 09:32:11 +0100
Subject: CID#736212 clip word 2 pap bounds

and add a unit test for the word 2..5 formats

Change-Id: I6c7c26be6092acbb81282080de6c393d92ad5dd4
(cherry picked from commit 5d8a9d56de7c1217cfdbe2288c1a3a9128c3dbb5)
Reviewed-on: https://gerrit.libreoffice.org/5908
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Tested-by: Michael Stahl <mstahl@redhat.com>
---
 sw/source/filter/ww8/ww8scan.cxx | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'sw/source/filter')

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 2c150cf7fd6d..36f7ceb0c415 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -2496,7 +2496,15 @@ WW8PLCFx_Fc_FKP::WW8Fkp::WW8Fkp(ww::WordVersion eVersion, SvStream* pSt,
                                 {
                                     aEntry.mnLen-=6; //PHE
                                     //skipi stc, len byte + 6 byte PHE
-                                    aEntry.mpData = maRawData + nOfs + 8;
+                                    unsigned int nOffset = nOfs + 8;
+                                    if (nOffset >= 511) //Bad offset
+                                        aEntry.mnLen=0;
+                                    if (aEntry.mnLen)   //start is ok
+                                    {
+                                        if (nOffset + aEntry.mnLen > 512)   //Bad end, clip
+                                            aEntry.mnLen = 512 - nOffset;
+                                        aEntry.mpData = maRawData + nOffset;
+                                    }
                                 }
                                 else
                                     aEntry.mnLen=0; //Too short
-- 
cgit v1.2.3