diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-11-05 14:20:03 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-11-05 20:00:51 +0100 |
| commit | 4fb14703e555b14507e4246e02859607f7aec07d (patch) | |
| tree | 230b630c77bf398bd675cbefe5aa291bfdc42e95 | |
| parent | b97d210bce5f05c23330b7a6fb0602f8f74da5a0 (diff) | |
ofz#4068 Integer-overflow
Change-Id: Id61f4f82b66e7efa4d3ef062d2756acddcee43b8
Reviewed-on: https://gerrit.libreoffice.org/44327
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 623100c4f61a..25e99ba55afd 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -1481,6 +1481,8 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode, else *pIsUnicode = m_pWw8Fib->m_fExtChar; + WW8_FC nRet; + if( m_pPieceIter ) { // Complex File @@ -1510,7 +1512,7 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode, if( pNextPieceCp ) *pNextPieceCp = nCpEnd; - WW8_FC nRet = SVBT32ToUInt32( static_cast<WW8_PCD*>(pData)->fc ); + nRet = SVBT32ToUInt32( static_cast<WW8_PCD*>(pData)->fc ); if (m_pWw8Fib->m_nVersion >= 8) nRet = WW8PLCFx_PCD::TransformPieceAddress( nRet, *pIsUnicode ); else @@ -1555,7 +1557,13 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode, } // No complex file - return m_pWw8Fib->m_fcMin + nCpPos; + const bool bFail = o3tl::checked_add(m_pWw8Fib->m_fcMin, nCpPos, nRet); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + return WW8_CP_MAX; + } + return nRet; } // class WW8ScannerBase |