Kaydet (Commit) 889c72a7 authored tarafından Eike Rathke's avatar Eike Rathke

ofz: guard against binary crap argument counts and ID/OpCode generation

Change-Id: I60e181729713f3b202e880707a79e9da80d9d85d
üst 09d96767
......@@ -108,6 +108,21 @@ bool TokenPool::GrowId()
return true;
}
bool TokenPool::CheckElementOrGrow()
{
// Last possible ID to be assigned somewhere is nElementAkt+1
if (nElementAkt + 1 == nScTokenOff - 1)
{
SAL_WARN("sc.filter","TokenPool::CheckElementOrGrow - last possible ID " << nElementAkt+1);
return false;
}
if (nElementAkt >= nElement)
return GrowElement();
return true;
}
bool TokenPool::GrowElement()
{
sal_uInt16 nElementNew = lcl_canGrow( nElement);
......@@ -161,9 +176,11 @@ bool TokenPool::GrowMatrix()
bool TokenPool::GetElement( const sal_uInt16 nId )
{
OSL_ENSURE( nId < nElementAkt, "*TokenPool::GetElement(): Id too large!?" );
if (nId >= nElementAkt)
{
SAL_WARN("sc.filter","TokenPool::GetElement - Id too large, " << nId << " >= " << nElementAkt);
return false;
}
bool bRet = true;
if( pType[ nId ] == T_Id )
......@@ -394,8 +411,7 @@ void TokenPool::operator >>( TokenId& rId )
{
rId = static_cast<TokenId>( nElementAkt + 1 );
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return;
pElement[ nElementAkt ] = nP_IdLast; // Start of Token-sequence
......@@ -409,8 +425,7 @@ void TokenPool::operator >>( TokenId& rId )
const TokenId TokenPool::Store( const double& rDouble )
{
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( pP_Dbl.m_writemark >= pP_Dbl.m_capacity )
......@@ -438,8 +453,7 @@ const TokenId TokenPool::Store( const sal_uInt16 nIndex )
const TokenId TokenPool::Store( const OUString& rString )
{
// mostly copied to Store( const sal_Char* ), to avoid a temporary string
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( ppP_Str.m_writemark >= ppP_Str.m_capacity )
......@@ -468,8 +482,7 @@ const TokenId TokenPool::Store( const OUString& rString )
const TokenId TokenPool::Store( const ScSingleRefData& rTr )
{
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( ppP_RefTr.m_writemark >= ppP_RefTr.m_capacity )
......@@ -492,8 +505,7 @@ const TokenId TokenPool::Store( const ScSingleRefData& rTr )
const TokenId TokenPool::Store( const ScComplexRefData& rTr )
{
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( ppP_RefTr.m_writemark + 1 >= ppP_RefTr.m_capacity )
......@@ -522,8 +534,7 @@ const TokenId TokenPool::Store( const ScComplexRefData& rTr )
const TokenId TokenPool::Store( const DefTokenId e, const OUString& r )
{
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( ppP_Ext.m_writemark >= ppP_Ext.m_capacity )
......@@ -549,8 +560,7 @@ const TokenId TokenPool::Store( const DefTokenId e, const OUString& r )
const TokenId TokenPool::StoreNlf( const ScSingleRefData& rTr )
{
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( ppP_Nlf.m_writemark >= ppP_Nlf.m_capacity )
......@@ -575,8 +585,7 @@ const TokenId TokenPool::StoreNlf( const ScSingleRefData& rTr )
const TokenId TokenPool::StoreMatrix()
{
if( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
if( nP_MatrixAkt >= nP_Matrix )
......@@ -598,8 +607,7 @@ const TokenId TokenPool::StoreMatrix()
const TokenId TokenPool::StoreName( sal_uInt16 nIndex, sal_Int16 nSheet )
{
if ( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
pElement[nElementAkt] = static_cast<sal_uInt16>(maRangeNames.size());
......@@ -617,8 +625,7 @@ const TokenId TokenPool::StoreName( sal_uInt16 nIndex, sal_Int16 nSheet )
const TokenId TokenPool::StoreExtName( sal_uInt16 nFileId, const OUString& rName )
{
if ( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
pElement[nElementAkt] = static_cast<sal_uInt16>(maExtNames.size());
......@@ -636,8 +643,7 @@ const TokenId TokenPool::StoreExtName( sal_uInt16 nFileId, const OUString& rName
const TokenId TokenPool::StoreExtRef( sal_uInt16 nFileId, const OUString& rTabName, const ScSingleRefData& rRef )
{
if ( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
pElement[nElementAkt] = static_cast<sal_uInt16>(maExtCellRefs.size());
......@@ -656,8 +662,7 @@ const TokenId TokenPool::StoreExtRef( sal_uInt16 nFileId, const OUString& rTabNa
const TokenId TokenPool::StoreExtRef( sal_uInt16 nFileId, const OUString& rTabName, const ScComplexRefData& rRef )
{
if ( nElementAkt >= nElement )
if (!GrowElement())
if (!CheckElementOrGrow())
return static_cast<const TokenId>(nElementAkt+1);
pElement[nElementAkt] = static_cast<sal_uInt16>(maExtAreaRefs.size());
......
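Review bot: CheckElementOrGrow refuses the last assignable ID only on exact equality, `if (nElementAkt + 1 == nScTokenOff - 1)`; should nElementAkt ever get past that boundary by another path, the guard is skipped silently and the caller continues into the DefToken range, so for a check whose purpose is to stop malformed input the safer form is `if (nElementAkt + 1 >= nScTokenOff - 1)`. If both members are sal_uInt16 the sum is evaluated in int after integral promotion, so the comparison itself cannot wrap. Every Store() variant and operator >> in this file now returns nElementAkt+1 when the check fails, and that ID appears to be rejected later by the new range check in GetElement once it is decoded to nElementAkt; a sentence in the CheckElementOrGrow comment stating that the failure ID is deliberately one that GetElement rejects would make that dependency survive the next refactor.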
......@@ -217,6 +217,13 @@ private:
bool GrowId();
bool GrowElement();
bool GrowMatrix();
/** @return false means nElementAkt range
below nScTokenOff would overflow or
further allocation is not possible, no
new ID available other than
nElementAkt+1.
*/
bool CheckElementOrGrow();
bool GetElement( const sal_uInt16 nId );
bool GetElementRek( const sal_uInt16 nId );
void ClearMatrix();
......@@ -317,6 +324,7 @@ inline void TokenStack::operator >>( TokenId& rId )
else
{
SAL_WARN("sc.filter", "*TokenStack::>>(): is empty, is empty, ...");
rId = 0;
}
}
......@@ -331,7 +339,13 @@ inline TokenPool& TokenPool::operator <<( const TokenId& rId )
// finalize with >> or Store()
// rId -> ( sal_uInt16 ) rId - 1;
sal_uInt16 nId = static_cast<sal_uInt16>(rId);
if (nId >= nScTokenOff)
if (nId == 0)
{
// This would result in nId-1==0xffff, create error.
SAL_WARN("sc.filter", "-TokenPool::operator <<: TokenId 0");
nId = static_cast<sal_uInt16>(ocErrNull) + nScTokenOff + 1;
}
else if (nId >= nScTokenOff)
{
SAL_WARN("sc.filter", "-TokenPool::operator <<: TokenId in DefToken-Range! " << static_cast<sal_uInt16>(rId));
......@@ -374,7 +388,13 @@ inline TokenPool& TokenPool::operator <<( TokenStack& rStack )
if (!GrowId())
return *this;
pP_Id[ nP_IdAkt ] = ( ( sal_uInt16 ) rStack.Get() ) - 1;
sal_uInt16 nId = static_cast<sal_uInt16>(rStack.Get());
if (nId == 0)
{
// Indicates error, so generate one. Empty stack, overflow, ...
nId = static_cast<sal_uInt16>(ocErrNull) + nScTokenOff + 1;
}
pP_Id[ nP_IdAkt ] = nId - 1;
nP_IdAkt++;
return *this;
......
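Review bot: The error-token sentinel `static_cast<sal_uInt16>(ocErrNull) + nScTokenOff + 1` is now written out twice, in TokenPool::operator <<( const TokenId& ) and in operator <<( TokenStack& ), so a later change to one site leaves the two decode paths disagreeing on what an invalid ID becomes. Hoist it into one named member, e.g. `static const sal_uInt16 nErrTokenId = static_cast<sal_uInt16>(ocErrNull) + nScTokenOff + 1;` (assuming nScTokenOff is a compile-time constant, which its use here suggests), and use it at both sites. The TokenStack::operator >> hunk makes 0 the "no token" value; a comment on `rId = 0;` such as `// 0 is never a valid TokenId (IDs are nElementAkt+1); TokenPool::operator << turns it into ocErrNull` would tie the three hunks together for the reader. Both operator << bodies continue outside their hunks.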
......@@ -77,9 +77,13 @@ void LotusToSc::DoFunc( DefTokenId eOc, sal_uInt8 nCnt, const sal_Char* pExtStri
}
}
for( nLauf = 0 ; nLauf < nCnt ; nLauf++ )
for( nLauf = 0 ; nLauf < nCnt && aStack.HasMoreTokens() ; nLauf++ )
aStack >> eParam[ nLauf ];
if (nLauf < nCnt)
// Adapt count to reality. All sort of binary crap is possible.
nCnt = static_cast<sal_uInt8>(nLauf);
// special cases...
switch( eOc )
{
......
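Review bot: The loop bound now stops at the end of the stack, but nCnt still comes straight from the file as a sal_uInt8 and `eParam[ nLauf ]` is only in bounds if eParam holds at least 256 entries; its declaration is outside the hunk, so if it is smaller the loop condition should also be clamped to the array size, e.g. `nLauf < nCnt && nLauf < SAL_N_ELEMENTS(eParam) && aStack.HasMoreTokens()` when eParam is a plain array. The adjustment of nCnt is silent, whereas the matching guards in the TokenPool hunks of this commit log via SAL_WARN; for consistency and for triage of the fuzzer inputs this targets, a `SAL_WARN("sc.filter", "LotusToSc::DoFunc - argument count " << int(nCnt) << " exceeds available tokens " << nLauf);` before the assignment would be worth having. DoFunc starts before the hunk and continues after it.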