filter/source/msfilter/svdfppt.cxx | 6 +++--- include/filter/msfilter/svdfppt.hxx | 12 +++++++----- sd/qa/unit/data/ppt/pass/crash-1.ppt |binary 3 files changed, 10 insertions(+), 8 deletions(-)
New commits: commit 9f856628835f818790d183d54ceaf8333aac71da Author: Caolán McNamara <caol...@redhat.com> Date: Wed Aug 26 11:25:03 2015 +0100 fix crash on loading certain ppts Change-Id: I544a67e3706c7d12414cc075118ef2f0f5ddd0f6 (cherry picked from commit 334dba623dfb0c4fb2b5292c2d03741b7b33aef1) Reviewed-on: https://gerrit.libreoffice.org/18015 Reviewed-by: David Tardon <dtar...@redhat.com> Tested-by: David Tardon <dtar...@redhat.com>
diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx
index 4536cda..2d77718 100644
--- a/filter/source/msfilter/svdfppt.cxx
+++ b/filter/source/msfilter/svdfppt.cxx
@@ -4029,13 +4029,13 @@ PPTStyleSheet::PPTStyleSheet( const DffRecordHeader& rSlideHd, SvStream& rIn, Sd
 ReadDffRecordHeader( rIn, aTxMasterStyleHd );
 if ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom )
 {
- sal_uInt16 nLevelAnz;
- rIn.ReadUInt16( nLevelAnz );
+ sal_uInt16 nLevelAnz(0);
+ rIn.ReadUInt16(nLevelAnz);
 sal_uInt16 nLev = 0;
 bool bFirst = true;
 bFoundTxMasterStyleAtom04 = true;
- while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
+ while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
 {
 if ( nLev )
 {
diff --git a/include/filter/msfilter/svdfppt.hxx b/include/filter/msfilter/svdfppt.hxx
index 82f3a0a..2292064 100644
--- a/include/filter/msfilter/svdfppt.hxx
+++ b/include/filter/msfilter/svdfppt.hxx
@@ -168,6 +168,8 @@ const sal_uInt32 PPTInventor = sal_uInt32('P') * 0x00000001 + sal_uInt32('T') * 0x00010000 + sal_uInt32('0') * 0x01000000;
+const int nMaxPPTLevels = 5;
+
 // Object IDs for StarDraw UserData
 #define PPT_OBJECTINFO_ID (1)
@@ -712,7 +714,7 @@ struct PPTExtParaLevel
 struct PPTExtParaSheet
 {
- PPTExtParaLevel aExtParaLevel[ 5 ];
+ PPTExtParaLevel aExtParaLevel[nMaxPPTLevels];
 };
 struct PPTBuGraEntry
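Review bot: The added `nLev < nMaxPPTLevels` term in the `while` condition stops the loop silently when the file's `nLevelAnz` is larger than the level arrays, so a malformed TxMasterStyleAtom loads with no trace that it was truncated. Clamping once before the loop makes the bound explicit and leaves a diagnostic: `if (nLevelAnz > nMaxPPTLevels) { SAL_WARN("filter.ms", "TxMasterStyleAtom: level count " << nLevelAnz << " clamped"); nLevelAnz = nMaxPPTLevels; }`. The stream state after `rIn.ReadUInt16(nLevelAnz)` is still not tested at that point; the zero initialiser covers a failed read only because the loop then runs zero times. The constructor body starts and ends outside this hunk, so any other loop in it that indexes the level arrays by a count read from the stream is not visible here and should be checked for the same bound.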
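Review bot: `nMaxPPTLevels` is declared as `const int`, yet it is compared against the `sal_uInt16` level index in svdfppt.cxx and sizes five arrays in this header, and nothing at the declaration says what it bounds. Declaring it with the index type and stating the invariant would help the next reader: `const sal_uInt16 nMaxPPTLevels = 5; // number of text levels per style sheet; a level index taken from a file must be < this before it indexes a level array`. The same constant replaces the literal `5` in the PPTExtParaSheet, PPTCharSheet, PPTParaSheet and PPTRuler hunks; those members are plain C arrays, so code that indexes them elsewhere (not visible in this diff) gets no bounds check from the type.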
@@ -759,7 +761,7 @@ struct PPTCharLevel
 struct PPTCharSheet
 {
- PPTCharLevel maCharLevel[ 5 ];
+ PPTCharLevel maCharLevel[nMaxPPTLevels];
 explicit PPTCharSheet( sal_uInt32 nInstance );
 PPTCharSheet( const PPTCharSheet& rCharSheet );
@@ -792,7 +794,7 @@ struct PPTParaSheet
 {
 public:
- PPTParaLevel maParaLevel[ 5 ];
+ PPTParaLevel maParaLevel[nMaxPPTLevels];
 explicit PPTParaSheet( sal_uInt32 nInstance );
 PPTParaSheet( const PPTParaSheet& rParaSheet );
@@ -997,8 +999,8 @@ struct PPTRuler
 sal_Int32 nFlags;
 sal_uInt16 nDefaultTab;
- sal_uInt16 nTextOfs[ 5 ];
- sal_uInt16 nBulletOfs[ 5 ];
+ sal_uInt16 nTextOfs[nMaxPPTLevels];
+ sal_uInt16 nBulletOfs[nMaxPPTLevels];
 PPTTabEntry* pTab;
 sal_uInt16 nTabCount;
diff --git a/sd/qa/unit/data/ppt/pass/crash-1.ppt b/sd/qa/unit/data/ppt/pass/crash-1.ppt
new file mode 100644
index 0000000..5d1a04b
Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/crash-1.ppt differ