filter/inc/filter/msfilter/dffpropset.hxx |    1 +
 filter/source/msfilter/dffpropset.cxx     |   16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

New commits:
commit 59b105338323266f87e2bca4944ae59de00db0d3
Author:     Don Lewis <[email protected]>
AuthorDate: Fri Aug 17 22:24:27 2018 +0000
Commit:     Don Lewis <[email protected]>
CommitDate: Fri Aug 17 22:24:27 2018 +0000

    When importing a Microsoft Office Drawing Binary File Format data stream,
    
    ignore properties with the bComplex flag set indicating they have data
    external to the property record if the indicated size of the data is
    larger than will fit in the containing property table record.
    
    DffPropSet::GetPropertyString() should return an empty string if
    the bComplex flag is not set since there is no data to return.
    
    Bail out of the loop that processes the array of properties early if
    we hit the end of the property table record.
    
    Limit the length of the property table record to the remaining size of
    the stream.

diff --git a/filter/inc/filter/msfilter/dffpropset.hxx 
b/filter/inc/filter/msfilter/dffpropset.hxx
index c1535a82da25..196946c4410a 100644
--- a/filter/inc/filter/msfilter/dffpropset.hxx
+++ b/filter/inc/filter/msfilter/dffpropset.hxx
@@ -61,6 +61,7 @@ class MSFILTER_DLLPUBLIC DffPropSet
         ~DffPropSet();
 
         inline sal_Bool IsProperty( sal_uInt32 nRecType ) const { return ( 
mpPropSetEntries[ nRecType & 0x3ff ].aFlags.bSet ); };
+        inline sal_Bool IsComplex( sal_uInt32 nRecType ) const { return ( 
mpPropSetEntries[ nRecType & 0x3ff ].aFlags.bComplex ); };
         sal_Bool        IsHardAttribute( sal_uInt32 nId ) const;
         sal_uInt32      GetPropertyValue( sal_uInt32 nId, sal_uInt32 nDefault 
= 0 ) const;
         /** Returns a boolean property by its real identifier. */
diff --git a/filter/source/msfilter/dffpropset.cxx 
b/filter/source/msfilter/dffpropset.cxx
index e6b786dd093f..1b29f2b21e1c 100644
--- a/filter/source/msfilter/dffpropset.cxx
+++ b/filter/source/msfilter/dffpropset.cxx
@@ -1099,7 +1099,11 @@ DffPropSet::~DffPropSet()
 void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
 {
     DffRecordHeader aHd;
+    sal_Size nEndOfStream, nEndOfRecord;
     rIn >> aHd;
+    nEndOfStream = rIn.Seek(STREAM_SEEK_TO_END);
+    aHd.SeekToContent( rIn );
+    nEndOfRecord = Min(aHd.GetRecEndFilePos(), nEndOfStream);
 
     if ( !bSetUninitializedOnly )
     {
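Review bot: The result of `rIn >> aHd` is not checked before `aHd.GetRecEndFilePos()` is used to build the new `nEndOfRecord` bound. On a truncated stream the clamp may therefore be computed from a header that was never fully read; testing the stream state after the read (for example `if ( rIn.GetError() ) return;`) would make the bound trustworthy. `Min()` also only helps if `GetRecEndFilePos()` cannot wrap when the file-supplied record length is added to the file position. Its definition is not visible here, so that is worth confirming for 32-bit builds. As a style point, the two bounds could be declared where they are assigned, e.g. `const sal_Size nEndOfStream = rIn.Seek( STREAM_SEEK_TO_END );`. The body of ReadPropSet continues past this hunk.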
@@ -1116,6 +1120,8 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool 
bSetUninitializedOnly )
     {
         sal_uInt16 nTmp;
         sal_uInt32 nRecType, nContent;
+        if (nEndOfRecord - rIn.Tell() < 6)
+            break;
         rIn >> nTmp
             >> nContent;
 
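Review bot: The new guard `nEndOfRecord - rIn.Tell() < 6` is an unsigned subtraction, so it only works while the stream position is at or before `nEndOfRecord`. If the position ever ends up past that bound (the seeks later in the loop body are outside this hunk), the difference wraps to a large value and the loop keeps reading. Writing it as `if ( rIn.Tell() > nEndOfRecord || nEndOfRecord - rIn.Tell() < 6 ) break;` removes that dependency. The literal 6 is the size of the `sal_uInt16 nTmp` plus the `sal_uInt32 nContent` read just below, and a short comment such as `// each property entry is 2 + 4 bytes` would make that explicit. The loop header lies outside the hunk.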
@@ -1157,7 +1163,7 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool 
bSetUninitializedOnly )
                 aPropFlag.bBlip = sal_True;
             if ( nTmp & 0x8000 )
                 aPropFlag.bComplex = sal_True;
-            if ( aPropFlag.bComplex && nContent && ( nComplexDataFilePos < 
aHd.GetRecEndFilePos() ) )
+            if ( aPropFlag.bComplex && nContent && ( nComplexDataFilePos < 
nEndOfRecord ) )
             {
                 // normally nContent is the complete size of the complex 
property,
                 // but this is not always true for IMsoArrays ( what the hell 
is a IMsoArray ? )
@@ -1190,12 +1196,16 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool 
bSetUninitializedOnly )
                             nContent += 6;
 
                         // check if array fits into the PropertyContainer
-                        if ( ( nComplexDataFilePos + nContent ) > 
aHd.GetRecEndFilePos() )
+                        if ( nContent > nEndOfRecord - nComplexDataFilePos)
                             nContent = 0;
                     }
                     else
                         nContent = 0;
                     rIn.Seek( nOldPos );
+                } else {
+                    // check if complex property fits into the 
PropertyContainer
+                    if ( nContent > nEndOfRecord - nComplexDataFilePos)
+                        nContent = 0;
                 }
                 if ( nContent )
                 {
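Review bot: Both new checks of the form `nContent > nEndOfRecord - nComplexDataFilePos` are only safe because the enclosing condition already requires `nComplexDataFilePos < nEndOfRecord`; without that guard the unsigned subtraction would wrap. The same test now appears in the array branch and in the added `else` branch, so a later edit to one could miss the other. It would be worth stating the invariant next to the check, e.g. `// nComplexDataFilePos < nEndOfRecord is guaranteed by the enclosing if, so the subtraction cannot wrap`. The two copies could also be folded into a single check placed just before `if ( nContent )`, provided the part of the branch outside this hunk allows it. The `} else {` on the added line also departs from the brace-on-its-own-line style used by the surrounding code.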
@@ -1301,7 +1311,7 @@ bool DffPropSet::GetPropertyBool( sal_uInt32 nId, bool 
bDefault ) const
     sal_Size nOldPos = rStrm.Tell();
     ::rtl::OUStringBuffer aBuffer;
     sal_uInt32 nBufferSize = GetPropertyValue( nId );
-    if( (nBufferSize > 0) && SeekToContent( nId, rStrm ) )
+    if( (nBufferSize > 0) && IsComplex( nId ) && SeekToContent( nId, rStrm ) )
     {
         sal_Int32 nStrLen = static_cast< sal_Int32 >( nBufferSize / 2 );
         aBuffer.ensureCapacity( nStrLen );
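Review bot: The added `IsComplex( nId )` test carries the reasoning of this fix but has no comment in the code. Per the commit description, a property without the bComplex flag has no external data, so the value returned by `GetPropertyValue( nId )` must not be used as a byte length. I would add a comment above the condition, e.g. `// only complex properties have external data; for simple ones GetPropertyValue() is the value itself, not a size`. Because `ensureCapacity( nStrLen )` reserves memory from that file-derived length before any character is read, the comment should also say that the length is expected to have been bounded by ReadPropSet. The function starts and ends outside this hunk (the hunk header names the preceding function), so the read loop could not be reviewed here.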