check for over long record len and check reads

Change-Id: Ib77ce1b95db2dc4396f4fd2fdcff4c0344b20c9e (cherry picked from commit 0c191e2b) Reviewed-on: https://gerrit.libreoffice.org/18179Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>

check for over long record len and check reads
Change-Id: Ib77ce1b95db2dc4396f4fd2fdcff4c0344b20c9e (cherry picked from commit 0c191e2b) Reviewed-on: https://gerrit.libreoffice.org/18179Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>
63c48b35 · Caolán McNamara · Andras Timar · 01471d54 · 63c48b35 · 63c48b35
Kaydet (Commit) 63c48b35 authored Agu 31, 2015 tarafından Caolán McNamara Kaydeden (comit) Andras Timar Eyl 18, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 18 deletions

hang-7.doc sw/qa/core/data/ww8/pass/hang-7.doc +0 -0

ww8toolbar.cxx sw/source/filter/ww8/ww8toolbar.cxx +26 -18

No files found.
--- a/sw/qa/core/data/ww8/pass/hang-7.doc
+++ b/sw/qa/core/data/ww8/pass/hang-7.doc
--- a/sw/source/filter/ww8/ww8toolbar.cxx
+++ b/sw/source/filter/ww8/ww8toolbar.cxx
@@ -166,7 +166,7 @@ bool SwCTBWrapper::Read( SvStream& rS )
    {
        rCustomizations[ *it ].bIsDroppedMenuTB = true;
    }
-    return true;
+    return rS.good();
 }
 SwTBC* SwCTBWrapper::GetTBCAtOffset( sal_uInt32 nStreamOffset )
@@ -284,7 +284,7 @@ bool Customization::Read( SvStream &rS)
        if ( !customizationDataCTB->Read( rS ) )
                return false;
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -454,7 +454,7 @@ bool TBDelta::Read(SvStream &rS)
    nOffSet = rS.Tell();
    rS.ReadUChar( doprfatendFlags ).ReadUChar( ibts ).ReadInt32( cidNext ).ReadInt32( cid ).ReadInt32( fc ) ;
    rS.ReadUInt16( CiTBDE ).ReadUInt16( cbTBC );
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -524,7 +524,7 @@ bool SwCTB::Read( SvStream &rS)
            rTBC.push_back( aTBC );
        }
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -637,7 +637,7 @@ bool SwTBC::Read( SvStream &rS )
        if ( !tbcd->Read( rS ) )
            return false;
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -777,7 +777,7 @@ Xst::Read( SvStream& rS )
    SAL_INFO("sw.ww8","Xst::Read() stream pos 0x" << std::hex << rS.Tell() );
    nOffSet = rS.Tell();
    sString = read_uInt16_PascalString(rS);
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -913,7 +913,7 @@ bool Tcg255::Read(SvStream &rS)
        nId = 0x40;
        rS.ReadUChar( nId );
    }
-    return true;
+    return rS.good();
    // Peek at
 }
@@ -945,7 +945,7 @@ bool Tcg255SubStruct::Read(SvStream &rS)
    nOffSet = rS.Tell();
    if ( mbReadId )
        rS.ReadUChar( ch );
-    return true;
+    return rS.good();
 }
 PlfMcd::PlfMcd(bool bReadId)
@@ -969,7 +969,7 @@ bool PlfMcd::Read(SvStream &rS)
                return false;
        }
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1004,7 +1004,15 @@ bool PlfAcd::Read( SvStream &rS)
    nOffSet = rS.Tell();
    Tcg255SubStruct::Read( rS );
    rS.ReadInt32( iMac );
-    if ( iMac )
+    if (iMac < 0)
+        return false;
+    auto nMaxPossibleRecords = rS.remainingSize() / (sizeof(sal_uInt16)*2);
+    if (static_cast<sal_uInt32>(iMac) > nMaxPossibleRecords)
+    {
+        SAL_WARN("sw.ww8", iMac << " records claimed, but max possible is " << nMaxPossibleRecords);
+        iMac = nMaxPossibleRecords;
+    }
+    if (iMac)
    {
        rgacd = new Acd[ iMac ];
        for ( sal_Int32 index = 0; index < iMac; ++index )
@@ -1013,7 +1021,7 @@ bool PlfAcd::Read( SvStream &rS)
                return false;
        }
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1057,7 +1065,7 @@ bool PlfKme::Read(SvStream &rS)
                return false;
        }
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1125,7 +1133,7 @@ bool TcgSttbfCore::Read( SvStream& rS )
            rS.ReadUInt16( dataItems[ index ].extraData );
        }
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1175,7 +1183,7 @@ bool MacroNames::Read( SvStream &rS)
                return false;
        }
    }
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1229,7 +1237,7 @@ Xstz::Read(SvStream &rS)
    rS.ReadUInt16( chTerm );
    if ( chTerm != 0 ) // should be an assert
        return false;
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1262,7 +1270,7 @@ Kme::Read(SvStream &rS)
    SAL_INFO("sw.ww8","Kme::Read() stream pos 0x" << std::hex << rS.Tell() );
    nOffSet = rS.Tell();
    rS.ReadInt16( reserved1 ).ReadInt16( reserved2 ).ReadUInt16( kcm1 ).ReadUInt16( kcm2 ).ReadUInt16( kt ).ReadUInt32( param );
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1290,7 +1298,7 @@ bool Acd::Read(SvStream &rS)
    SAL_INFO("sw.ww8","Acd::Read() stream pos 0x" << std::hex << rS.Tell() );
    nOffSet = rS.Tell();
    rS.ReadInt16( ibst ).ReadUInt16( fciBasedOnABC );
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1
@@ -1353,7 +1361,7 @@ bool MCD::Read(SvStream &rS)
    nOffSet = rS.Tell();
    rS.ReadSChar( reserved1 ).ReadUChar( reserved2 ).ReadUInt16( ibst ).ReadUInt16( ibstName ).ReadUInt16( reserved3 );
    rS.ReadUInt32( reserved4 ).ReadUInt32( reserved5 ).ReadUInt32( reserved6 ).ReadUInt32( reserved7 );
-    return true;
+    return rS.good();
 }
 #if OSL_DEBUG_LEVEL > 1