On 2012-08-24 14:49, Lisandro Damián Nicanor Pérez Meyer wrote: > +--- a/filters/words/msword-odf/wv2/src/styles.cpp > ++++ b/filters/words/msword-odf/wv2/src/styles.cpp > +@@ -248,6 +248,11 @@ throw(InvalidFormatException) > + #ifdef WV2_DEBUG_STYLESHEET > + wvlog << "cbUPX: " << cbUPX << endl; > + #endif > ++ // do not overflow the allocated buffer grupx > ++ if (offset + cbUPX > grupxLen) { ^^^^^^^^^^^^^^^^^^^^^^^^^
In my experience it is either if (offset + i < limit) { /* safe */ } or if (offset + i >= limit) { /* abort */ } Is "offset + cbUPX == grupxLen" really a "safe" index? > ++ wvlog << "====> Error: grupx would overflow!" << endl; > ++ return false; > ++ } > + for ( U16 j = 0; j < cbUPX; ++j ) { ^^^^^^^^^ This suggests it might not be... > + grupx[ offset + j ] = stream->readU8(); // read the whole UPX > + #ifdef WV2_DEBUG_STYLESHEET > +-- > +1.7.10.4 > + ~Niels
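Review bot: `if (offset + cbUPX > grupxLen)` is the right bound for this hunk and should not become `>=`: the loop `for ( U16 j = 0; j < cbUPX; ++j )` writes `grupx[ offset + j ]` for j from 0 to cbUPX - 1, so the highest index touched is offset + cbUPX - 1, and offset + cbUPX == grupxLen leaves the last write at grupxLen - 1, inside a buffer of grupxLen bytes. What the check does not cover is wraparound of the sum itself: if `offset + cbUPX` is evaluated in a type too narrow for the values it can take (cbUPX is compared against a U16 counter, and the type of offset is not visible in the hunk), a large offset could wrap the sum below grupxLen and pass the test while the loop still writes out of bounds. A form that cannot wrap, and that makes the intent explicit, is `if (offset > grupxLen || cbUPX > grupxLen - offset) {`. It would also help to state in the comment that grupxLen is the allocated size of grupx in bytes, since the correctness of `>` depends on that.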