sw/source/filter/ww8/ww8scan.cxx | 14 ++++++++++++++
1 file changed, 14 insertions(+)
New commits:
commit 981ffeb876e3b3d898b00054ed5072035cf27c1a
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Wed Jul 25 12:47:01 2018 +0100
Commit: Caolán McNamara <caol...@redhat.com>
CommitDate: Wed Jul 25 14:56:48 2018 +0200

ofz#7886 reject bogus text offsets inside fib

Change-Id: I7e81d13c199301cc4a049081476feac6e1507bd0
Reviewed-on: https://gerrit.libreoffice.org/57972
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 97be35a40288..f2b1305be557 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1545,6 +1545,10 @@ WW8_CP WW8ScannerBase::WW8Fc2Cp( WW8_FC nFcPos ) const
 return nFallBackCpEnd;
 }
 
+// the fib of WinWord2 has a last entry of cpnBtePap of 2 byte sized type PN at
+// offset 324
+const int nSmallestPossibleFib = 326;
+
 WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
 WW8_CP* pNextPieceCp, bool* pTestFlag) const
 {
@@ -1644,6 +1648,16 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
 SAL_WARN("sw.ww8", "broken offset, ignoring");
 return WW8_CP_MAX;
 }
 
+
+ // the text and the fib share the same stream, if the text is inside the fib
+ // then its definitely a bad offset. The smallest FIB supported is that of
+ // WW2 which is 326 bytes in size
+ if (nRet < nSmallestPossibleFib)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+
 return nRet;
 }
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
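Review bot: `nSmallestPossibleFib` is a compile-time constant and would read better as `constexpr int nSmallestPossibleFib = 326;` (a namespace-scope `const int` already has internal linkage, so no `static` is needed). The comment derives 326 from a 2-byte `cpnBtePap` at offset 324 but gives no hint where that layout is specified, so the next maintainer cannot check the number without re-deriving it; I would extend it to `// Word 2 FIB layout: cpnBtePap (PN, 2 bytes) at offset 324 is the last field, so the FIB is 326 bytes; this is the smallest FIB any supported format uses`. Whether 326 is in fact the correct Word 2 FIB size is not something this hunk lets me verify.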
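Review bot: The new guard logs exactly the same `"broken offset, ignoring"` text as the check immediately above it, so a warning in a fuzzer or user log no longer says which bound was violated; the new branch should name what it found, e.g. `SAL_WARN("sw.ww8", "text offset " << nRet << " lies inside the fib, ignoring");`. The bound is the Word 2 FIB size, the loosest one possible; the FIBs of later formats are larger, so if the scanner knows which version it is parsing a per-version minimum would reject more corrupt offsets, though I cannot see from this hunk whether that information is reachable from WW8Cp2Fc. The comment's `its` should be `it's`. WW8Cp2Fc begins before this hunk, so I cannot tell whether every path that computes nRet reaches this guard or whether some return earlier and bypass it.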