sd/qa/unit/data/ppt/pass/hang-18.ppt |binary sd/source/filter/ppt/propread.cxx | 27 ++++++++++++++++++++------- 2 files changed, 20 insertions(+), 7 deletions(-)
New commits: commit 0591e1bae3963277240848851158bf82d3be3911 Author: Caolán McNamara <[email protected]> Date: Fri Aug 28 09:15:04 2015 +0100 clip strings to max available size (cherry picked from commit 580d3837b26f09ed02fe3583de40fa045a3fde0f) Change-Id: Icc1378c9c27b9b6d229bcffc6a63017f82be70d4 Reviewed-on: https://gerrit.libreoffice.org/18101 Reviewed-by: Michael Meeks <[email protected]> Tested-by: Michael Meeks <[email protected]>
diff --git a/sd/qa/unit/data/ppt/pass/hang-18.ppt b/sd/qa/unit/data/ppt/pass/hang-18.ppt
new file mode 100644
index 0000000..3b3e9f7
Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/hang-18.ppt differ
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index 20e59df..1e71044 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -73,7 +73,7 @@ static sal_Int32 lcl_getMaxSafeStrLen(sal_uInt32 nSize)
 bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
 {
- sal_uInt32 i, nItemSize, nType, nItemPos;
+ sal_uInt32 nType, nItemPos;
 bool bRetValue = false;
 nItemPos = Tell();
@@ -86,8 +86,8 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
 else
 nType = nStringType & VT_TYPEMASK;
- nItemSize = 0; // Initialize in case stream fails.
- ReadUInt32( nItemSize );
+ sal_uInt32 nItemSize(0); // Initialize in case stream fails.
+ ReadUInt32(nItemSize);
 switch( nType )
 {
@@ -95,6 +95,12 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
 {
 if ( nItemSize )
 {
+ auto nMaxSizePossible = remainingSize();
+ if (nItemSize > nMaxSizePossible)
+ {
+ SAL_WARN("sd.filter", "String of Len " << nItemSize << " claimed, only " << nMaxSizePossible << " possible");
+ nItemSize = nMaxSizePossible;
+ }
 try
 {
 sal_Char* pString = new sal_Char[ nItemSize ];
@@ -103,8 +109,8 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
 nItemSize >>= 1;
 if ( nItemSize > 1 )
 {
- sal_Unicode* pWString = (sal_Unicode*)pString;
- for ( i = 0; i < nItemSize; i++ )
+ sal_Unicode* pWString = reinterpret_cast<sal_Unicode*>(pString);
+ for (sal_uInt32 i = 0; i < nItemSize; ++i)
 ReadUInt16( pWString[ i ] );
 rString = OUString(pWString, lcl_getMaxSafeStrLen(nItemSize));
 }
@@ -140,12 +146,19 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign )
 {
 if ( nItemSize )
 {
+ auto nMaxSizePossible = remainingSize() / sizeof(sal_Unicode);
+ if (nItemSize > nMaxSizePossible)
+ {
+ SAL_WARN("sd.filter", "String of Len " << nItemSize << " claimed, only " << nMaxSizePossible << " possible");
+ nItemSize = nMaxSizePossible;
+ }
+
 try
 {
 sal_Unicode* pString = new sal_Unicode[ nItemSize ];
- for ( i = 0; i < nItemSize; i++ )
+ for (sal_uInt32 i = 0; i < nItemSize; ++i)
 ReadUInt16( pString[ i ] );
- if ( pString[ i - 1 ] == 0 )
+ if ( pString[ nItemSize - 1 ] == 0 )
 {
 if ( (sal_uInt16)nItemSize > 1 )
 rString = OUString(pString, lcl_getMaxSafeStrLen(nItemSize));
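Review bot: In the hunk at -140 the clamp sits inside the `if ( nItemSize )` guard, so when fewer than two bytes remain in the stream `nMaxSizePossible` is 0 and `nItemSize` is reset to 0 after the guard has already passed; the new `pString[ nItemSize - 1 ]` then indexes a zero-length allocation with a wrapped `sal_uInt32`. Re-check the length after clamping, for example `if ( nItemSize && pString[ nItemSize - 1 ] == 0 )`, or leave the branch early when the clamped size is 0. The hunk at -95 has the same clamp-after-guard ordering; the code that consumes `pString` there lies outside the hunk, so it should be checked for an `nItemSize - 1` index as well. The enclosing `PropItem::Read` starts and ends outside these hunks.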
