authorRadek Doulik <rodo@novell.com>2011-04-29 16:51:52 +0200
committerPetr Mladek <pmladek@suse.cz>2011-04-29 16:51:52 +0200
commit4c57026b92a862bfae3cb7d6c35889d2844fd5cd (patch)
tree89317a0524e00a3fe2eea3770047dbcd0aa056b6
parent15a4865021a8826d846e31e73c44dd4e4f33776d (diff)
sd-ppt-fix-document-summary-reading.diff: crasher fix (bnc#546758)
fix problem in ppt reading causing crash or memory saturation
-rw-r--r--sd/source/filter/ppt/propread.cxx7
1 files changed, 6 insertions, 1 deletions
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index e9d0fbf85..726b75615 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -504,7 +504,9 @@ void Section::Read( SvStorageStream *pStrm )
case VT_LPWSTR :
*pStrm >> nTemp;
- nPropSize += ( nTemp << 1 ) + 4;
+ // looks like these are aligned to 4 bytes
+ sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
+ nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
break;
case VT_BLOB_OBJECT :
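Review bot: `nTemp` comes straight from the stream and goes into `( nTemp << 1 ) + 4` in the VT_LPWSTR case with no upper bound, so a large character count can wrap the 32-bit arithmetic for both `nLength` and `nPropSize` and produce a size unrelated to the data actually present. The count should be validated before the shift, for example by rejecting the property when `nTemp` exceeds half of the bytes remaining in the section. The padding term also looks off: `nLength % 4` equals the distance to the next 4-byte boundary only when the remainder is 0 or 2, so if odd offsets can occur here it should read `( 4 - ( nLength % 4 ) ) % 4`. A comment such as `// nTemp is a UTF-16 code unit count from the file; untrusted` above the read would make the trust boundary explicit. Section::Read starts and ends outside this hunk, so the types of these variables are assumed to be sal_uInt32.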
@@ -540,6 +542,9 @@ void Section::Read( SvStorageStream *pStrm )
break;
}
pStrm->Seek( nPropOfs + nSecOfs );
+ // make sure we don't overflow the section size
+ if( nPropSize > nSecSize - nSecOfs )
+ nPropSize = nSecSize - nSecOfs;
sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
pStrm->Read( pBuf, nPropSize );
AddProperty( nPropId, pBuf, nPropSize );
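Review bot: The new clamp computes `nSecSize - nSecOfs` as an unsigned subtraction with no ordering check, so when nSecOfs is larger than nSecSize the result wraps to a huge value and `new sal_uInt8[ nPropSize ]` is still sized by attacker-controlled file data. The Seek just above treats nSecOfs as the stream base and nPropOfs as the offset inside the section, which suggests the space left is `nSecSize - nPropOfs`; the declarations are outside the hunk, so this needs confirming. If that reading is right, the guard should skip the property when `nPropOfs >= nSecSize` and otherwise use `if( nPropSize > nSecSize - nPropOfs ) nPropSize = nSecSize - nPropOfs;`. The return value of `pStrm->Read( pBuf, nPropSize )` is also ignored, so a short read passes a partly uninitialised buffer to AddProperty; compare the byte count returned and pass only that many bytes on.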