writerfilter/source/rtftok/rtfdocumentimpl.cxx | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
New commits:
commit cc79b16a75efcb62cd2fe2f1ee26f6650ab082ee
Author: Caolán McNamara <caol...@redhat.com>
Date: Thu Nov 7 08:48:22 2013 +0000
ensure string accesses are in bounds
as demonstrated by ooo39541-3.rtf
Change-Id: I995f0250e98a68b1b56da877314c9fd24cf46221
diff --git a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
index f6f3b36b..f00ee13 100644
--- a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+++ b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
@@ -4041,16 +4041,20 @@ int RTFDocumentImpl::popState()
}
}
aStr = aBuf.makeStringAndClear();
+
// ignore the first bytes
if (aStr.getLength() > 8)
aStr = aStr.copy(8);
// extract name
- int nLength = aStr.toChar();
+ sal_Int32 nLength = aStr.toChar();
if (!aStr.isEmpty())
aStr = aStr.copy(1);
+ nLength = std::min(nLength, aStr.getLength());
OString aName = aStr.copy(0, nLength);
- if (!aStr.isEmpty())
+ if (aStr.getLength() > nLength)
aStr = aStr.copy(nLength+1); // zero-terminated string
+ else
+ aStr = OString();
// extract default text
nLength = aStr.toChar();
if (!aStr.isEmpty())
@@ -4059,7 +4063,7 @@ int RTFDocumentImpl::popState()
m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFData_name, pNValue);
if (nLength > 0)
{
- OString aDefaultText = aStr.copy(0, nLength);
+ OString aDefaultText = aStr.copy(0, std::min(nLength,
aStr.getLength()));
RTFValue::Pointer_t pDValue(new
RTFValue(OStringToOUString(aDefaultText, aState.nCurrentEncoding)));
m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFTextInput_default,
pDValue);
}
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
