sw/source/filter/ww8/ww8scan.cxx | 4 ++++ vcl/source/gdi/jobset.cxx | 29 +++++++++++++++++------------ 2 files changed, 21 insertions(+), 12 deletions(-)
New commits:
commit d4f07cdd244a6aa69de1fde0df4163b27a65556c
Author: Caolán McNamara <caol...@redhat.com>
Date:   Mon Jan 26 11:26:41 2015 +0000

    coverity#1266485 Untrusted value as argument

    Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
    (cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)

    min legal size here is > 4

    (cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)

    Change-Id: I9f68d000b32623db4d949d13284043630f5689f4
    (cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)

diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index ec1f44f..c67255e 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -218,19 +218,24 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
     DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
     {
-        sal_Size nFirstPos = rIStream.Tell();
-
         sal_uInt16 nLen = 0;
         rIStream.ReadUInt16( nLen );
-        if ( !nLen )
+        if (nLen <= 4)
             return rIStream;
         sal_uInt16 nSystem = 0;
         rIStream.ReadUInt16( nSystem );
-
-        boost::scoped_array<char> pTempBuf(new char[nLen]);
-        rIStream.Read( pTempBuf.get(), nLen - sizeof( nLen ) - sizeof( nSystem ) );
-        if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
+        const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+        if (nRead > rIStream.remainingSize())
+        {
+            SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() << " max possible entries, but " << nRead << " claimed, truncating");
+            return rIStream;
+        }
+        sal_Size nFirstPos = rIStream.Tell();
+        boost::scoped_array<char> pTempBuf(new char[nRead]);
+        rIStream.Read(pTempBuf.get(), nRead);
+        if (nRead >= sizeof(ImplOldJobSetupData))
         {
             ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
             if ( rJobSetup.mpData )
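Review bot: The new size guard `if (nRead >= sizeof(ImplOldJobSetupData))` covers only the first struct in pTempBuf, yet the same buffer is reinterpreted as an Impl364JobSetupData at offset sizeof(ImplOldJobSetupData) in this file's second hunk, which needs nRead to span both structs; unless the condition leading into that cast (outside this hunk) already checks it, a guard such as `if (nRead < sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData)) return rIStream;` belongs before that cast. The SAL_WARN text ends in "truncating" while the code returns without reading any of the block, so the message should say that it bails out, e.g. `" claimed, refusing to read"`. The return value of `rIStream.Read(pTempBuf.get(), nRead)` is ignored; the remainingSize() comparison above is what makes a short read unexpected, and a comment saying so, `// nRead <= remainingSize() was checked above, so a short read is not expected here`, would keep the next maintainer from removing that check. ReadJobSetup continues outside the hunk.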
@@ -255,7 +260,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
                 nSystem == JOBSET_FILE605_SYSTEM )
             {
                 Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
-                sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+                sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
                 pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
                 pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
                 pJobData->meOrientation = (Orientation)SVBT16ToShort( pOldJobData->nOrientation );
@@ -272,8 +277,8 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
                 }
                 if( nSystem == JOBSET_FILE605_SYSTEM )
                 {
-                    rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
-                    while( rIStream.Tell() < nFirstPos + nLen )
+                    rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+                    while( rIStream.Tell() < nFirstPos + nRead )
                     {
                         OUString aKey = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
                         OUString aValue = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
@@ -291,9 +296,9 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
                         else
                             pJobData->maValueMap[ aKey ] = aValue;
                     }
-                    DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
+                    DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
                     // ensure correct stream position
-                    rIStream.Seek( nFirstPos + nLen );
+                    rIStream.Seek(nFirstPos + nRead);
                 }
             }
         }

commit 1877e2a1d0092fea5cc0ea4676f6eca578521911
Author: Caolán McNamara <caol...@redhat.com>
Date:   Mon Jul 13 10:31:30 2015 +0100

    ww8: make sure we don't wrap around

    Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2
    (cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39)
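Review bot: In the hunk at -272 the new `rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen )` adds mnDriverDataLen, a value decoded from the stream-supplied buffer in the hunk just above, without comparing the sum with nRead; an oversized value seeks past the block, the key/value loop is skipped, and only the unconditional `rIStream.Seek(nFirstPos + nRead)` at the end puts the stream back, while the DBG_ASSERT that would flag the mismatch is compiled out of release builds. Unless the driver-data length is already validated where the driver data is copied (outside these hunks), a check like `if (sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData) + pJobData->mnDriverDataLen > nRead) return rIStream;` placed before the Seek would make the bound explicit rather than implicit. The whitespace-only hunk at -255 needs nothing. ReadJobSetup starts and ends outside these hunks.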
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 3491b5d..4562ffc 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1540,7 +1540,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
         if( 2 == clxt )                         // PLCFfpcd ?
             break;                              // PLCFfpcd gefunden
         if( 1 == clxt )                         // clxtGrpprl ?
+        {
+            if (nGrpprl == SHRT_MAX)
+                return NULL;
             nGrpprl++;
+        }
         sal_uInt16 nLen(0);
         pStr->ReadUInt16( nLen );
         nLeft -= 2 + nLen;
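Review bot: The guard `if (nGrpprl == SHRT_MAX) return NULL;` is only meaningful relative to the declared type of nGrpprl, which is outside the hunk; if it is a 16-bit signed counter the cap is exactly the wrap point the commit message names, but if it is wider or unsigned the choice of SHRT_MAX is not obvious from the code, so a comment stating the reason, e.g. `// refuse further grpprls once the count reaches SHRT_MAX so it cannot wrap`, belongs on the new line. Whether OpenPieceTable has anything allocated or opened at this point that the new early `return NULL` should release cannot be seen from the hunk and is worth confirming. The context line `nLeft -= 2 + nLen;` subtracts a stream-supplied length with no comparison against nLeft, so the loop condition (outside the hunk) has to tolerate the result going below zero or wrapping. OpenPieceTable starts and ends outside the hunk.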