From 4c57026b92a862bfae3cb7d6c35889d2844fd5cd Mon Sep 17 00:00:00 2001
From: Radek Doulik <rodo@novell.com>
Date: Fri, 29 Apr 2011 16:51:52 +0200
Subject: sd-ppt-fix-document-summary-reading.diff: crasher fix (bnc#546758)

fix problem in ppt reading causing crash or memory saturation
---
 sd/source/filter/ppt/propread.cxx | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index e9d0fbf85..726b75615 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -504,7 +504,9 @@ void Section::Read( SvStorageStream *pStrm )
 
                     case VT_LPWSTR :
                         *pStrm >> nTemp;
-                        nPropSize += ( nTemp << 1 ) + 4;
+                        // looks like these are aligned to 4 bytes
+                        sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
+                        nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
                     break;
 
                     case VT_BLOB_OBJECT :
@@ -540,6 +542,9 @@ void Section::Read( SvStorageStream *pStrm )
                     break;
                 }
                 pStrm->Seek( nPropOfs + nSecOfs );
+                // make sure we don't overflow the section size
+                if( nPropSize > nSecSize - nSecOfs )
+                    nPropSize = nSecSize - nSecOfs;
                 sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
                 pStrm->Read( pBuf, nPropSize );
                 AddProperty( nPropId, pBuf, nPropSize );
-- 
cgit v1.2.3