From 21dc07d365e85d64621468e79a29aa8a481c115a Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Sat, 27 Oct 2018 19:45:34 +0100
Subject: ofz#11125 pass param len around
Change-Id: I4b382271df21c58de0e102af6e0b07a88a1d9610
Reviewed-on: https://gerrit.libreoffice.org/62448
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 6253b1a29c8c1bcd7fd9efb07ca1a12fb0fc1746)
---
 sw/source/filter/ww8/ww8par.hxx | 2 +-
 sw/source/filter/ww8/ww8par2.cxx | 47 +++++++++++++++++++++++++++++++---------
 2 files changed, 38 insertions(+), 11 deletions(-)
(limited to 'sw/source')
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index c0a4b44c4c93..b2db0fe83b44 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1033,7 +1033,7 @@ struct WW8TabBandDesc
 static void setcelldefaults(WW8_TCell *pCells, short nCells);
 void ReadDef(bool bVer67, const sal_uInt8* pS, short nLen);
 void ProcessDirection(const sal_uInt8* pParams);
- void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC);
+ void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC, sal_uInt16 nParamsLen);
 void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen);
 void ProcessSprmTDxaCol(const sal_uInt8* pParamsTDxaCol);
 void ProcessSprmTDelete(const sal_uInt8* pParamsTDelete);
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 1ab43e948b90..2bb1a638bc2c 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1360,11 +1360,17 @@ void WW8TabBandDesc::ReadDef(bool bVer67, const sal_uInt8* pS, short nLen) } } -void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC) +void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC, sal_uInt16 nParamsLen) { if( !pParamsTSetBRC || !pTCs ) // set one or more cell border(s) return; + if (nParamsLen < 3) + { + SAL_WARN("sw.ww8", "table border property is too short"); + return; + } + sal_uInt8 nitcFirst= pParamsTSetBRC[0];// first col to be changed sal_uInt8 nitcLim = pParamsTSetBRC[1];// (last col to be changed)+1 sal_uInt8 nFlag = *(pParamsTSetBRC+2); @@ -1383,11 +1389,33 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe WW8_TCell* pAktTC = pTCs + nitcFirst; WW8_BRCVer9 brcVer9; if( nBrcVer == 6 ) + { + if (nParamsLen < sizeof(WW8_BRCVer6) + 3) + { + SAL_WARN("sw.ww8", "table border property is too short"); + return; + } brcVer9 = WW8_BRCVer9(WW8_BRC(*reinterpret_cast(pParamsTSetBRC+3))); + } else if( nBrcVer == 8 ) + { + static_assert(sizeof (WW8_BRC) == 4, "this has to match the msword size"); + if (nParamsLen < sizeof(WW8_BRC) + 3) + { + SAL_WARN("sw.ww8", "table border property is too short"); + return; + } brcVer9 = WW8_BRCVer9(*reinterpret_cast(pParamsTSetBRC+3)); + } else + { + if (nParamsLen < sizeof(WW8_BRCVer9) + 3) + { + SAL_WARN("sw.ww8", "table border property is too short"); + return; + } brcVer9 = *reinterpret_cast(pParamsTSetBRC+3); + } for( int i = nitcFirst; i < nitcLim; ++i, ++pAktTC ) { @@ -1400,7 +1428,6 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe if( bChangeRight ) pAktTC->rgbrc[ WW8_RIGHT ] = brcVer9; } - } void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen) 
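Review bot: In the second hunk only the `nBrcVer == 8` branch pins its record size with a `static_assert`; the `WW8_BRCVer6` and `WW8_BRCVer9` branches base their bounds check on `sizeof` of a struct whose layout is not asserted, and the same check-and-warn block is written three times next to the magic offset `3`. Selecting the record size once and testing `nParamsLen` in one place keeps every cast behind the check, so a later format variant cannot be added without it. Matching `static_assert`s for the other two structs, with the sizes taken from their definitions, would close the remaining gap. The function starts in the previous hunk and its loop continues past this one, so the sketch shows only the lines I would change.

```cpp
// … unchanged: nitcFirst / nitcLim / nFlag parsing and the WW8_BRCVer9 brcVer9 declaration …
static_assert(sizeof (WW8_BRC) == 4, "this has to match the msword size");
const size_t nBrcSize = (nBrcVer == 6) ? sizeof(WW8_BRCVer6)
                      : (nBrcVer == 8) ? sizeof(WW8_BRC)
                      : sizeof(WW8_BRCVer9);
if (nParamsLen < nBrcSize + 3) // 3 = itcFirst, itcLim and flag bytes read above
{
    SAL_WARN("sw.ww8", "table border property is too short");
    return;
}
// … unchanged: the three per-version conversions into brcVer9, now without their own checks …
```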
@@ -1920,7 +1947,8 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) : sal_uInt16 nTableBordersLen = 0; const sal_uInt8* pTableBorders90 = nullptr; sal_uInt16 nTableBorders90Len = 0; - std::vector aTSetBrcs, aTSetBrc90s; + // params, len + std::vector> aTSetBrcs, aTSetBrc90s; WW8_TablePos *pTabPos = nullptr; // search end of a tab row @@ -2023,10 +2051,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) : } break; case sprmTSetBrc: - aTSetBrcs.push_back(pParams); // process at end + aTSetBrcs.emplace_back(pParams, nLen); // process at end break; case sprmTSetBrc90: - aTSetBrc90s.push_back(pParams); // process at end + aTSetBrc90s.emplace_back(pParams, nLen); // process at end break; case sprmTDxaCol: pNewBand->ProcessSprmTDxaCol(pParams); @@ -2074,11 +2102,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) : else if (pTableBorders) pNewBand->ProcessSprmTTableBorders(bOldVer ? 6 : 8, pTableBorders, nTableBordersLen); - std::vector::const_iterator iter; - for (iter = aTSetBrcs.begin(); iter != aTSetBrcs.end(); ++iter) - pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, *iter); - for (iter = aTSetBrc90s.begin(); iter != aTSetBrc90s.end(); ++iter) - pNewBand->ProcessSprmTSetBRC(9, *iter); + for (const auto& a : aTSetBrcs) + pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, a.first, a.second); + for (const auto& a : aTSetBrc90s) + pNewBand->ProcessSprmTSetBRC(9, a.first, a.second); } if( nTabeDxaNew < SHRT_MAX ) -- cgit v1.2.3
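Review bot: The `sprmTDxaCol` case visible in the second hunk's context still calls `pNewBand->ProcessSprmTDxaCol(pParams)` with no length, although `nLen` is in scope right there and is now passed along for `sprmTSetBrc` and `sprmTSetBrc90`. Whether that handler (and `ProcessSprmTDelete` / `ProcessDirection`, which also take only a pointer in ww8par.hxx) reads a fixed number of bytes is not visible in this diff, but if it does, the same short-parameter read remains possible there; I would thread the length through in the same way, e.g. `pNewBand->ProcessSprmTDxaCol(pParams, nLen);`, with a matching guard in the callee. Separately, `a.first` / `a.second` in the final loops depend on the `// params, len` comment to be readable, and a small struct with named members would make the pointer/length pairing explicit. The constructor body starts and ends outside these hunks.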