You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@openoffice.apache.org by ji...@apache.org on 2017/08/03 02:24:09 UTC

svn commit: r1803942 - /openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx

Author: jim
Date: Thu Aug  3 02:24:09 2017
New Revision: 1803942

URL: http://svn.apache.org/viewvc?rev=1803942&view=rev
Log:
buffer checks

Modified:
    openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx

Modified: openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx
URL: http://svn.apache.org/viewvc/openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx?rev=1803942&r1=1803941&r2=1803942&view=diff
==============================================================================
--- openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx (original)
+++ openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx Thu Aug  3 02:24:09 2017
@@ -6495,6 +6495,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
 
                 p->sFontname = String ( (((const sal_Char*)pVer2) + 1 + 2), eEnc);
                 pVer2 = (WW8_FFN_BASE*)( ((sal_uInt8*)pVer2) + pVer2->cbFfnM1 + 1 );
+
+				// Check that there is room for at least one more WW8_FFN_BASE before
+				// the end of the buffer.
+				if ((sal_uInt8*)pVer2 > pA + nFFn - sizeof(WW8_FFN_BASE)) {
+					throw std::out_of_range("WW8 beyond end of buffer");
+				}
             }
 	}
         else if( eVersion < ww::eWW8 )
@@ -6540,6 +6546,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
                     }
                 }
                 pVer6 = (WW8_FFN_Ver6*)( ((sal_uInt8*)pVer6) + pVer6->cbFfnM1 + 1 );
+
+				// Check that there is room for at least one more WW8_FFN_Ver6 before
+				// the end of the buffer.
+				if ((sal_uInt8*)pVer6 > pA + nFFn - sizeof(WW8_FFN_Ver6)) {
+					throw std::out_of_range("WW8 beyond end of buffer");
+				}
             }
         }
         else
@@ -6585,6 +6597,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
 
                 // Zeiger auf Ursprungsarray einen Font nach hinten setzen
                 pVer8 = (WW8_FFN_Ver8*)( ((sal_uInt8*)pVer8) + pVer8->cbFfnM1 + 1 );
+
+				// Check that there is room for at least one more WW8_FFN_Ver8 before
+				// the end of the buffer.
+				if ((sal_uInt8*)pVer8 > pA + nFFn - sizeof(WW8_FFN_Ver8)) {
+					throw std::out_of_range("WW8 beyond end of buffer");
+				}
             }
         }
     }