check for ridiculous lengths and check stream status

Change-Id: Iefe943794e005f03b2a6ea5fc642b8c3d21b3334 (cherry picked from commit 858257d4) Reviewed-on: https://gerrit.libreoffice.org/18173Reviewed-by: Jan Holesovsky <kendy@collabora.com> Tested-by: Jan Holesovsky <kendy@collabora.com>

check for ridiculous lengths and check stream status
Change-Id: Iefe943794e005f03b2a6ea5fc642b8c3d21b3334 (cherry picked from commit 858257d4) Reviewed-on: https://gerrit.libreoffice.org/18173Reviewed-by: Jan Holesovsky <kendy@collabora.com> Tested-by: Jan Holesovsky <kendy@collabora.com>
315cd789 · Caolán McNamara · Jan Holesovsky · 03d15f27 · 315cd789 · 315cd789
Kaydet (Commit) 315cd789 authored Agu 31, 2015 tarafından Caolán McNamara Kaydeden (comit) Jan Holesovsky Eyl 01, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 9 deletions

hang-6.doc sw/qa/core/data/ww8/pass/hang-6.doc +0 -0

ww8par.cxx sw/source/filter/ww8/ww8par.cxx +13 -9

No files found.
--- a/sw/qa/core/data/ww8/pass/hang-6.doc
+++ b/sw/qa/core/data/ww8/pass/hang-6.doc
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -678,16 +678,22 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
                                             SEEK_FROM_CURRENT_AND_RESTART )
            && maShapeRecords.Current()->nRecLen )
        {
-            sal_uInt32  nBytesLeft = maShapeRecords.Current()->nRecLen;
-            sal_uInt32  nUDData;
-            sal_uInt16  nPID;
+            sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
+            auto nAvailableBytes = rSt.remainingSize();
+            if (nBytesLeft > nAvailableBytes)
+            {
+                SAL_WARN("sw.ww8", "Document claimed to have shape record of " << nBytesLeft << " bytes, but only " << nAvailableBytes << " available");
+                nBytesLeft = nAvailableBytes;
+            }
            while( 5 < nBytesLeft )
            {
-                rSt.ReadUInt16( nPID );
-                if ( rSt.GetError() != 0 )
+                sal_uInt16 nPID(0);
+                rSt.ReadUInt16(nPID);
+                sal_uInt32 nUDData(0);
+                rSt.ReadUInt32(nUDData);
+                if (!rSt.good())
                    break;
-                rSt.ReadUInt32( nUDData );
-                switch( nPID )
+                switch (nPID)
                {
                    case 0x038F: pImpRec->nXAlign = nUDData; break;
                    case 0x0390:
@@ -715,8 +721,6 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt,
                        pImpRec->isHorizontalRule = true;
                        break;
                }
-                if ( rSt.GetError() != 0 )
-                    break;
                nBytesLeft  -= 6;
            }
        }