sw/source/filter/ww8/ww8scan.cxx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
New commits: commit 8db706e3239cda41f8a5e956a48eed47d6bd200e Author: Caolán McNamara <[email protected]> Date: Mon Aug 28 12:13:41 2017 +0100 ofz#3154 check bounds of special sprm Change-Id: I82566e2f2ad479c392f06ae7149e3781c0338e50 Reviewed-on: https://gerrit.libreoffice.org/41630 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 984d05ef990b..41d027e8f6e9 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -7961,8 +7961,17 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm, } break; case 0xD608: - nL = SVBT16ToShort( &pSprm[1 + mnDelta] ); + { + sal_uInt8 nIndex = 1 + mnDelta; + if (nIndex + 1 >= nRemLen) + { + SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong"); + nL = 0; + } + else + nL = SVBT16ToShort(&pSprm[nIndex]); break; + } default: switch (aSprm.nVari) {
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
