sw/source/filter/ww8/ww8par2.cxx | 6 ++++-- sw/source/filter/ww8/ww8par5.cxx | 4 ++-- sw/source/filter/ww8/ww8scan.cxx | 27 +++++++++++++++++++++------ 3 files changed, 27 insertions(+), 10 deletions(-)
New commits: commit 2e36b1e03bee33ceded5e80d045efba5cd1c5063 Author: Caolán McNamara <[email protected]> Date: Tue Sep 26 12:40:27 2017 +0100 ofz various timeouts in ww8fuzzer Change-Id: Id633b031d2856dab49bbedc6faf45670a3762c51 Reviewed-on: https://gerrit.libreoffice.org/42801 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]>
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index f9891290d0aa..bad09a202b80 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -4005,7 +4005,8 @@ void WW8RStyle::Import1Style( sal_uInt16 nNr )
 if ( !xStd || sName.isEmpty() || ((1 != xStd->sgc) && (2 != xStd->sgc)) )
 {
- pStStrm->SeekRel( nSkip );
+ nSkip = std::min<sal_uInt64>(nSkip, pStStrm->remainingSize());
+ pStStrm->Seek(pStStrm->Tell() + nSkip);
 return;
 }
@@ -4100,7 +4101,8 @@ void WW8RStyle::ScanStyles() // investigate style dependencies
 rSI = SwWW8StyInf();
 xStd.reset();
- pStStrm->SeekRel( nSkip ); // skip Names and Sprms
+ nSkip = std::min<sal_uInt64>(nSkip, pStStrm->remainingSize());
+ pStStrm->Seek(pStStrm->Tell() + nSkip); // skip Names and Sprms
 }
 }
diff --git a/sw/source/filter/ww8/ww8par5.cxx b/sw/source/filter/ww8/ww8par5.cxx
index 0acc43804034..14ea2963bab9 100644
--- a/sw/source/filter/ww8/ww8par5.cxx
+++ b/sw/source/filter/ww8/ww8par5.cxx
@@ -961,7 +961,7 @@ long SwWW8ImplReader::Read_Field(WW8PLCFManResult* pRes)
 }
 else
 { // read field
- long nOldPos = m_pStrm->Tell();
+ auto nOldPos = m_pStrm->Tell();
 OUString aStr;
 if ( aF.nId == 6 && aF.bCodeNest )
 {
@@ -983,7 +983,7 @@ long SwWW8ImplReader::Read_Field(WW8PLCFManResult* pRes)
 }
 eF_ResT eRes = (this->*aWW8FieldTab[aF.nId])( &aF, aStr );
- m_pStrm->Seek( nOldPos );
+ m_pStrm->Seek(nOldPos);
 switch ( eRes )
 {
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index a9825a5c3fe2..e45e1bdffa6a 100644
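Review bot: The same clamp-then-seek pair is written out four times in this commit (here in Import1Style, again in ScanStyles, and in OpenPieceTable and Read1STDFixed in ww8scan.cxx), and at each site a skip that would run past the end of the stream silently becomes a shorter one. One helper that reports whether the full distance was available would keep the four sites from drifting apart and give callers a way to stop on a truncated style or piece table instead of carrying on at end of stream. Whether ScanStyles should stop at that point is for the author to judge, since its enclosing block starts outside the hunk. The helper below is a sketch; its name and the header it would live in are placeholders.

```cpp
// Skip nBytes forward without seeking past the end of rStrm.
// Returns false when the stream was too short and the skip was clamped.
static bool lcl_SkipClamped(SvStream& rStrm, sal_uInt64 nBytes)
{
    const sal_uInt64 nAvail = rStrm.remainingSize();
    rStrm.Seek(rStrm.Tell() + std::min(nBytes, nAvail));
    return nBytes <= nAvail;
}

// in Import1Style, replacing the two added lines:
lcl_SkipClamped(*pStStrm, nSkip);
```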
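Review bot: The saved stream position in Read_Field is now declared with `auto`, which hides the one property this change is about, its width. Spelling the type, presumably `const sal_uInt64 nOldPos = m_pStrm->Tell();`, documents that the position must not be narrowed to `long` again and makes a later change of Tell()'s return type visible at this line. The restoring `m_pStrm->Seek(nOldPos);` in the second hunk discards the position Seek returns, so a restore that did not land on nOldPos would go unnoticed. Read_Field starts and ends outside both hunks.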
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1541,7 +1541,10 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
 m_aPieceGrpprls.push_back(p); // add to array
 }
 else
- pStr->SeekRel( nLen ); // non-Grpprl left
+ {
+ nLen = std::min<sal_uInt64>(nLen, pStr->remainingSize());
+ pStr->Seek(pStr->Tell() + nLen); // non-Grpprl left
+ }
 }
 // read Piece Table PLCF
@@ -1845,6 +1848,12 @@ static bool WW8GetFieldPara(WW8PLCFspecial& rPLCF, WW8FieldDesc& rF)
 rF.nLen = rF.nSRes - rF.nSCode + 2; // total length
 }
+ if (rF.nLen < 0)
+ {
+ rF.nLen = 0;
+ goto Err;
+ }
+ rPLCF.advance();
 if((static_cast<sal_uInt8*>(pData)[0] & 0x1f ) == 0x15 )
 {
@@ -6583,7 +6592,7 @@ WW8_STD* WW8Style::Read1STDFixed(sal_uInt16& rSkip)
 WW8_STD* pStd = nullptr;
 sal_uInt16 cbStd(0);
- rSt.ReadUInt16( cbStd ); // read length
+ rSt.ReadUInt16(cbStd); // read length
 const sal_uInt16 nRead = cbSTDBaseInFile;
 if( cbStd >= cbSTDBaseInFile )
@@ -6628,14 +6637,20 @@ WW8_STD* WW8Style::Read1STDFixed(sal_uInt16& rSkip)
 pStd->fAutoRedef = a16Bit & 0x0001 ;
 pStd->fHidden = ( a16Bit & 0x0002 ) >> 1;
 // You never know: cautionary skipped
- if( 10 < nRead )
- rSt.SeekRel( nRead-10 );
+ if (nRead > 10)
+ {
+ auto nSkip = std::min<sal_uInt64>(nRead - 10, rSt.remainingSize());
+ rSt.Seek(rSt.Tell() + nSkip);
+ }
 } while( false ); // trick: the block above will passed through exactly one time // and can be left early with a "break"
- if( (ERRCODE_NONE != rSt.GetError()) || !nRead )
- DELETEZ( pStd ); // report error with NULL
+ if (!rSt.good() || !nRead)
+ {
+ delete pStd;
+ pStd = nullptr; // report error with NULL
+ }
 rSkip = cbStd - cbSTDBaseInFile;
 }
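Review bot: The new `if (rF.nLen < 0)` guard in WW8GetFieldPara runs only after the length has been computed, so the visible `rF.nLen = rF.nSRes - rF.nSCode + 2;` can overflow on document-supplied positions that lie far enough apart before the check sees the result. This assumes the fields are signed 32-bit values, which the hunk does not show. Doing the arithmetic in a wider type inside that branch and range-checking before the store avoids relying on a wrapped value, e.g. `const sal_Int64 nTotal = sal_Int64(rF.nSRes) - rF.nSCode + 2;` followed by `if (nTotal < 0 || nTotal > SAL_MAX_INT32) { rF.nLen = 0; goto Err; }`. The `Err` label and the other branches that set `rF.nLen` are outside the hunk, so the state `Err` leaves `rPLCF` in should be confirmed against the full function.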
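Review bot: `rSkip = cbStd - cbSTDBaseInFile;` still runs after the new error branch in Read1STDFixed has deleted `pStd`, so a failed read hands the caller a null style together with a non-zero skip derived from the length field read from the file. The callers patched in ww8par2.cxx appear to seek by that value exactly when the style pointer is null; the clamp added there bounds it, but any other caller would have to know to do the same. A comment on the assignment would state the contract: `// rSkip is set even when nullptr is returned; callers must clamp it to the stream`. Read1STDFixed starts outside the hunk, and any SeekRel call remaining elsewhere in it (not visible here) would need the same clamp as the `nRead > 10` branch.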
