author | Caolán McNamara <caolanm@redhat.com> | 2011-07-21 09:16:24 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2011-07-21 09:16:24 +0100 |
commit | b77c9a6716a76fb0ccea9a389482ac9dfdf7dce4 (patch) | |
tree | 0c60c4181af1c31fe6724a1d72ea7953b0672a2c | |
parent | c943149136404beaddc6422752c66faa20dbd2c1 (diff) |
check reads and seeks
-rw-r--r-- | sw/source/filter/ww8/wrtww8.cxx | 11 | ||||
-rw-r--r-- | sw/source/filter/ww8/ww8graf.cxx | 66 | ||||
-rw-r--r-- | sw/source/filter/ww8/ww8par.cxx | 35 | ||||
-rw-r--r-- | sw/source/filter/ww8/ww8par2.cxx | 6 | ||||
-rw-r--r-- | sw/source/filter/ww8/ww8par6.cxx | 8 | ||||
-rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 26 |
6 files changed, 95 insertions, 57 deletions
diff --git a/sw/source/filter/ww8/wrtww8.cxx b/sw/source/filter/ww8/wrtww8.cxx index 732b8f2bbf..f657ad00fe 100644 --- a/sw/source/filter/ww8/wrtww8.cxx +++ b/sw/source/filter/ww8/wrtww8.cxx @@ -2875,10 +2875,10 @@ namespace rIn.Seek(0); sal_uInt8 in[WW_BLOCKSIZE]; - for (sal_uLong nI = 0, nBlock = 0; nI < nLen; nI += WW_BLOCKSIZE, ++nBlock) + for (sal_Size nI = 0, nBlock = 0; nI < nLen; nI += WW_BLOCKSIZE, ++nBlock) { - sal_uLong nBS = (nLen - nI > WW_BLOCKSIZE) ? WW_BLOCKSIZE : nLen - nI; - rIn.Read(in, nBS); + sal_Size nBS = (nLen - nI > WW_BLOCKSIZE) ? WW_BLOCKSIZE : nLen - nI; + nBS = rIn.Read(in, nBS); rCtx.InitCipher(nBlock); rCtx.Encode(in, nBS, in, nBS); rOut.Write(in, nBS); @@ -3510,8 +3510,9 @@ void WW8Export::RestoreMacroCmds() pStream->Seek(0); sal_uInt8 *pBuffer = new sal_uInt8[pFib->lcbCmds]; - pStream->Read(pBuffer, pFib->lcbCmds); - pTableStrm->Write(pBuffer, pFib->lcbCmds); + bool bReadOk = checkRead(*pStream, pBuffer, pFib->lcbCmds); + if (bReadOk) + pTableStrm->Write(pBuffer, pFib->lcbCmds); delete[] pBuffer; } diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx index 7d01d31bc4..492a5d3be4 100644 --- a/sw/source/filter/ww8/ww8graf.cxx +++ b/sw/source/filter/ww8/ww8graf.cxx @@ -98,7 +98,7 @@ #include <basegfx/point/b2dpoint.hxx> #include <basegfx/polygon/b2dpolygon.hxx> #include <editeng/editobj.hxx> - +#include <boost/scoped_ptr.hpp> #include <math.h> using ::editeng::SvxBorderLine; @@ -182,7 +182,11 @@ bool SwWW8ImplReader::ReadGrafStart(void* pData, short nDataSiz, pStrm->SeekRel(SVBT16ToShort(pHd->cb) - sizeof(WW8_DPHEAD)); return false; } - pStrm->Read(pData, nDataSiz); + + bool bCouldRead = checkRead(*pStrm, pData, nDataSiz); + OSL_ENSURE(bCouldRead, "Short Graphic header"); + if (!bCouldRead) + return false; RndStdIds eAnchor = (SVBT8ToByte(pDo->by) < 2) ? FLY_AT_PAGE : FLY_AT_PARA; rSet.Put(SwFmtAnchor(eAnchor)); 
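Review bot: In the RC4 block loop (@@ -2875), `nBS = rIn.Read(in, nBS);` accepts a short read, but the loop keeps advancing `nI` and `nBlock` and the helper reports nothing, so a truncated input yields a silently truncated encrypted stream. Stopping at the first empty read, e.g. `if (nBS == 0) break;` right after the read, would at least avoid re-keying and writing for blocks that were never read, and the caller should be able to see the failure. The DecryptRC4 and DecryptXOR hunks in ww8par.cxx use the same pattern. The enclosing function starts outside the hunk.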
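Review bot: `pBuffer` in RestoreMacroCmds (@@ -3510) is still a raw `new sal_uInt8[pFib->lcbCmds]` with a manual `delete[]`, while the ww8graf.cxx part of this commit moves the same kind of buffer to `boost::scoped_array`. Declaring it as `boost::scoped_array<sal_uInt8> xBuffer(new sal_uInt8[pFib->lcbCmds]);` (with the matching include in this file) would keep the two files consistent and remove the manual cleanup. When `checkRead` fails the macro commands are dropped without any trace; an `OSL_ENSURE(bReadOk, "Short macro command read");` in the style used in ww8graf.cxx would make that visible in debug builds. The function body starts outside the hunk.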
@@ -443,20 +447,24 @@ SdrObject* SwWW8ImplReader::ReadPolyLine( WW8_DPHEAD* pHd, const WW8_DO* pDo, return 0; sal_uInt16 nCount = SVBT16ToShort( aPoly.aBits1 ) >> 1 & 0x7fff; - SVBT16 *pP = new SVBT16[nCount * 2]; - pStrm->Read( pP, nCount * 4 ); // Punkte einlesen + boost::scoped_array<SVBT16> xP(new SVBT16[nCount * 2]); + + bool bCouldRead = checkRead(*pStrm, xP.get(), nCount * 4); // Punkte einlesen + OSL_ENSURE(bCouldRead, "Short PolyLine header"); + if (!bCouldRead) + return 0; + Polygon aP( nCount ); Point aPt; - sal_uInt16 i; - - for( i=0; i<nCount; i++ ){ - aPt.X() = SVBT16ToShort( pP[i << 1] ) + nDrawXOfs2 + for (sal_uInt16 i=0; i<nCount; ++i) + { + aPt.X() = SVBT16ToShort( xP[i << 1] ) + nDrawXOfs2 + (sal_Int16)SVBT16ToShort( pHd->xa ); - aPt.Y() = SVBT16ToShort( pP[( i << 1 ) + 1] ) + nDrawYOfs2 + aPt.Y() = SVBT16ToShort( xP[( i << 1 ) + 1] ) + nDrawYOfs2 + (sal_Int16)SVBT16ToShort( pHd->ya ); aP[i] = aPt; } - delete[] pP; + xP.reset(); SdrObject* pObj = new SdrPathObj(( SVBT16ToShort( aPoly.aBits1 ) & 0x1 ) ? OBJ_POLY : OBJ_PLIN, ::basegfx::B2DPolyPolygon(aP.getB2DPolygon())); SetStdAttr( rSet, aPoly.aLnt, aPoly.aShd ); @@ -1248,10 +1256,15 @@ SdrObject* SwWW8ImplReader::ReadCaptionBox( WW8_DPHEAD* pHd, const WW8_DO* pDo, return 0; sal_uInt16 nCount = SVBT16ToShort( aCallB.dpPolyLine.aBits1 ) >> 1 & 0x7fff; - SVBT16 *pP = new SVBT16[nCount * 2]; - pStrm->Read( pP, nCount * 4 ); // Punkte einlesen + boost::scoped_array<SVBT16> xP(new SVBT16[nCount * 2]); + + bool bCouldRead = checkRead(*pStrm, xP.get(), nCount * 4); // Punkte einlesen + OSL_ENSURE(bCouldRead, "Short CaptionBox header"); + if (!bCouldRead) + return 0; + sal_uInt8 nTyp = (sal_uInt8)nCount - 1; - if( nTyp == 1 && SVBT16ToShort( pP[0] ) == SVBT16ToShort( pP[2] ) ) + if( nTyp == 1 && SVBT16ToShort( xP[0] ) == SVBT16ToShort( xP[2] ) ) nTyp = 0; Point aP0( (sal_Int16)SVBT16ToShort( pHd->xa ) + 
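Review bot: In ReadCaptionBox (@@ -1248), `nCount` is taken directly from `aCallB.dpPolyLine.aBits1` and can be 0, which makes `xP` a zero-length array, yet `xP[0]` and `xP[1]` are read unconditionally when `aP2` is built in the next hunk (@@ -1263). Whether `checkRead` rejects a zero-byte read is not visible here, so the new check may not cover this case; an explicit guard such as `if (nCount < 1) return 0;` before the allocation would. With `nCount == 0`, `nTyp = (sal_uInt8)nCount - 1` also wraps to 255. The function starts and ends outside the hunk.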
@@ -1263,11 +1276,11 @@ SdrObject* SwWW8ImplReader::ReadCaptionBox( WW8_DPHEAD* pHd, const WW8_DO* pDo, aP1.Y() += (sal_Int16)SVBT16ToShort( aCallB.dpheadTxbx.dya ); Point aP2( (sal_Int16)SVBT16ToShort( pHd->xa ) + (sal_Int16)SVBT16ToShort( aCallB.dpheadPolyLine.xa ) - + nDrawXOfs2 + (sal_Int16)SVBT16ToShort( pP[0] ), + + nDrawXOfs2 + (sal_Int16)SVBT16ToShort( xP[0] ), (sal_Int16)SVBT16ToShort( pHd->ya ) + (sal_Int16)SVBT16ToShort( aCallB.dpheadPolyLine.ya ) - + nDrawYOfs2 + (sal_Int16)SVBT16ToShort( pP[1] ) ); - delete[] pP; + + nDrawYOfs2 + (sal_Int16)SVBT16ToShort( xP[1] ) ); + xP.reset(); SdrCaptionObj* pObj = new SdrCaptionObj( Rectangle( aP0, aP1 ), aP2 ); pObj->SetModel( pDrawModel ); @@ -1334,7 +1347,13 @@ SdrObject* SwWW8ImplReader::ReadGrafPrimitive( short& rLeft, const WW8_DO* pDo, //into an object hierarachy with a little effort. SdrObject *pRet=0; WW8_DPHEAD aHd; // Lese Draw-Primitive-Header - pStrm->Read(&aHd, sizeof(WW8_DPHEAD)); + bool bCouldRead = checkRead(*pStrm, &aHd, sizeof(WW8_DPHEAD)); + OSL_ENSURE(bCouldRead, "Graphic Primitive header short read" ); + if (!bCouldRead) + { + rLeft=0; + return pRet; + } if( rLeft >= SVBT16ToShort(aHd.cb) ) // Vorsichtsmassmahme { @@ -1394,9 +1413,18 @@ void SwWW8ImplReader::ReadGrafLayer1( WW8PLCFspecial* pPF, long nGrafAnchorCp ) OSL_ENSURE( !this, "+Wo ist die Grafik (3) ?" ); return; } + + bool bCouldSeek = checkSeek(*pStrm, SVBT32ToUInt32(pF->fc)); + OSL_ENSURE(bCouldSeek, "Invalid Graphic offset"); + if (!bCouldSeek) + return; + + // Lese Draw-Header WW8_DO aDo; - pStrm->Seek( SVBT32ToUInt32( pF->fc ) ); // Lese Draw-Header - pStrm->Read( &aDo, sizeof( WW8_DO ) ); + bool bCouldRead = checkRead(*pStrm, &aDo, sizeof(WW8_DO)); + OSL_ENSURE(bCouldRead, "Short Graphic header"); + if (!bCouldRead) + return; short nLeft = SVBT16ToShort( aDo.cb ) - sizeof( WW8_DO ); while (nLeft > static_cast<short>(sizeof(WW8_DPHEAD))) 
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx index 99e2fbf217..9932661f90 100644 --- a/sw/source/filter/ww8/ww8par.cxx +++ b/sw/source/filter/ww8/ww8par.cxx @@ -4136,7 +4136,7 @@ void SwWW8ImplReader::StoreMacroCmds() SvStream* pStream = ::utl::UcbStreamHelper::CreateStream( xStream ); sal_uInt8 *pBuffer = new sal_uInt8[pWwFib->lcbCmds]; - pTableStream->Read(pBuffer, pWwFib->lcbCmds); + pWwFib->lcbCmds = pTableStream->Read(pBuffer, pWwFib->lcbCmds); pStream->Write(pBuffer, pWwFib->lcbCmds); delete[] pBuffer; delete pStream; @@ -4829,7 +4829,7 @@ namespace for (sal_Size nI = 0, nBlock = 0; nI < nLen; nI += WW_BLOCKSIZE, ++nBlock) { sal_Size nBS = (nLen - nI > WW_BLOCKSIZE) ? WW_BLOCKSIZE : nLen - nI; - rIn.Read(in, nBS); + nBS = rIn.Read(in, nBS); rCtx.InitCipher(nBlock); rCtx.Decode(in, nBS, in, nBS); rOut.Write(in, nBS); @@ -4838,19 +4838,19 @@ namespace void DecryptXOR(msfilter::MSCodec_XorWord95 &rCtx, SvStream &rIn, SvStream &rOut) { - sal_uLong nSt = rIn.Tell(); + sal_Size nSt = rIn.Tell(); rIn.Seek(STREAM_SEEK_TO_END); - sal_uLong nLen = rIn.Tell(); + sal_Size nLen = rIn.Tell(); rIn.Seek(nSt); rCtx.InitCipher(); rCtx.Skip(nSt); sal_uInt8 in[0x4096]; - for (sal_uLong nI = nSt; nI < nLen; nI += 0x4096) + for (sal_Size nI = nSt; nI < nLen; nI += 0x4096) { - sal_uLong nBS = (nLen - nI > 0x4096 ) ? 0x4096 : nLen - nI; - rIn.Read(in, nBS); + sal_Size nBS = (nLen - nI > 0x4096 ) ? 0x4096 : nLen - nI; + nBS = rIn.Read(in, nBS); rCtx.Decode(in, nBS); rOut.Write(in, nBS); } @@ -5056,7 +5056,7 @@ sal_uLong SwWW8ImplReader::LoadThroughDecryption(SwPaM& rPaM ,WW8Glossary *pGlos size_t nUnencryptedHdr = (8 == pWwFib->nVersion) ? 0x44 : 0x34; sal_uInt8 *pIn = new sal_uInt8[nUnencryptedHdr]; - pStrm->Read(pIn, nUnencryptedHdr); + nUnencryptedHdr = pStrm->Read(pIn, nUnencryptedHdr); aDecryptMain.Write(pIn, nUnencryptedHdr); delete [] pIn; 
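Review bot: The buffer in StoreMacroCmds (@@ -4136) is sized as `new sal_uInt8[pWwFib->lcbCmds]` from a length that comes from the document's FIB, and nothing in the hunk compares it with the data actually available in the table stream, so a corrupt length drives the allocation size. The new line also stores the byte count back into `pWwFib->lcbCmds`, changing parsed header state as a side effect of a read. A local keeps the FIB untouched: `const sal_Size nRead = pTableStream->Read(pBuffer, pWwFib->lcbCmds);` followed by `pStream->Write(pBuffer, nRead);`. The function body starts outside the hunk.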
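Review bot: In LoadThroughDecryption (@@ -5056), `nUnencryptedHdr = pStrm->Read(pIn, nUnencryptedHdr);` lets a short header read pass: the truncated header is written to `aDecryptMain` and decryption carries on as if the file were well formed. A count smaller than the requested header size indicates a damaged file and would be better treated as a load failure than copied through, for instance by comparing the returned count with the requested size before the `Write`. The RC4 branch (@@ -5105) assigns the read count the same way. The function continues outside both hunks, so how the error code is set on this path is not visible here.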
@@ -5087,17 +5087,20 @@ sal_uLong SwWW8ImplReader::LoadThroughDecryption(SwPaM& rPaM ,WW8Glossary *pGlos break; case RC4: { - msfilter::MSCodec_Std97 aCtx; - sal_uInt8 aDocId[ 16 ]; - pTableStream->Read(aDocId, 16); sal_uInt8 aSaltData[ 16 ]; - pTableStream->Read(aSaltData, 16); sal_uInt8 aSaltHash[ 16 ]; - pTableStream->Read(aSaltHash, 16); + bool bCouldReadHeaders = + checkRead(*pTableStream, aDocId, 16) && + checkRead(*pTableStream, aSaltData, 16) && + checkRead(*pTableStream, aSaltHash, 16); + + msfilter::MSCodec_Std97 aCtx; // if initialization has failed the EncryptionData should be empty - uno::Sequence< beans::NamedValue > aEncryptionData = InitStd97Codec( aCtx, aDocId, *pMedium ); + uno::Sequence< beans::NamedValue > aEncryptionData; + if (bCouldReadHeaders) + aEncryptionData = InitStd97Codec( aCtx, aDocId, *pMedium ); if ( aEncryptionData.getLength() && aCtx.VerifyKey( aSaltData, aSaltHash ) ) { nErrRet = 0; @@ -5105,9 +5108,9 @@ sal_uLong SwWW8ImplReader::LoadThroughDecryption(SwPaM& rPaM ,WW8Glossary *pGlos pTempMain = MakeTemp(aDecryptMain); pStrm->Seek(0); - const sal_Size nUnencryptedHdr = 0x44; + sal_Size nUnencryptedHdr = 0x44; sal_uInt8 *pIn = new sal_uInt8[nUnencryptedHdr]; - pStrm->Read(pIn, nUnencryptedHdr); + nUnencryptedHdr = pStrm->Read(pIn, nUnencryptedHdr); DecryptRC4(aCtx, *pStrm, aDecryptMain); diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx index ad0ec3c151..79e930d697 100644 --- a/sw/source/filter/ww8/ww8par2.cxx +++ b/sw/source/filter/ww8/ww8par2.cxx @@ -3694,8 +3694,7 @@ static inline short WW8SkipOdd(SvStream* pSt ) if ( pSt->Tell() & 0x1 ) { sal_uInt8 c; - pSt->Read( &c, 1 ); - return 1; + return pSt->Read( &c, 1 ); } return 0; } @@ -3705,8 +3704,7 @@ static inline short WW8SkipEven(SvStream* pSt ) if (!(pSt->Tell() & 0x1)) { sal_uInt8 c; - pSt->Read( &c, 1 ); - return 1; + return pSt->Read( &c, 1 ); } return 0; } 
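Review bot: `return pSt->Read( &c, 1 );` in WW8SkipOdd (@@ -3694) implicitly narrows the stream's byte-count return type to `short`. The value is only ever 0 or 1, so it is harmless, but an explicit `return static_cast<short>(pSt->Read(&c, 1));` documents the intent and avoids conversion warnings. A one-line comment such as `// returns the number of padding bytes actually skipped (0 at end of stream)` would also tell callers that the result is no longer always 1. WW8SkipEven (@@ -3704) has the same line.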
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx index 9870083489..578a3a609d 100644 --- a/sw/source/filter/ww8/ww8par6.cxx +++ b/sw/source/filter/ww8/ww8par6.cxx @@ -1689,10 +1689,11 @@ void WW8FlyPara::ReadFull(sal_uInt8 nOrigSp29, SwWW8ImplReader* pIo) bGrafApo = false; do{ // Block zum rausspringen - sal_uInt8 nTxt[2]; - pIoStrm->Read( nTxt, 2 ); // lies Text + if (!checkRead(*pIoStrm, nTxt, 2)) // lies Text + break; + if( nTxt[0] != 0x01 || nTxt[1] != 0x0d )// nur Grafik + CR ? break; // Nein @@ -1703,7 +1704,8 @@ void WW8FlyPara::ReadFull(sal_uInt8 nOrigSp29, SwWW8ImplReader* pIo) const sal_uInt8* pS = pPap->HasSprm( bVer67 ? 29 : 0x261B ); // Nein -> Grafik-Apo - if( !pS ){ + if (!pS) + { bGrafApo = true; break; // Ende des APO } diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 5bfd5de008..3782dfdd71 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -1541,7 +1541,7 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF ) *pStr >> nLen; nLeft -= 2 + nLen; if( nLeft < 0 ) - return 0; // schiefgegangen + return NULL; // schiefgegangen pStr->SeekRel( nLen ); // ueberlies grpprl } @@ -1564,12 +1564,16 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF ) *pStr >> nLen; nLeft -= 2 + nLen; if( nLeft < 0 ) - return 0; // schiefgegangen + return NULL; // schiefgegangen if( 1 == clxt ) // clxtGrpprl ? { sal_uInt8* p = new sal_uInt8[nLen+2]; // alloziere ShortToSVBT16(nLen, p); // trage Laenge ein - pStr->Read( p+2, nLen ); // lies grpprl + if (!checkRead(*pStr, p+2, nLen)) // lies grpprl + { + delete[] p; + return NULL; + } pPieceGrpprls[nAktGrpprl++] = p; // trage in Array ein } else 
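Review bot: In OpenPieceTable (@@ -1564), `nLen` is filled by `*pStr >> nLen` with no check that the extraction succeeded, and only then used in `new sal_uInt8[nLen+2]`. Its declaration is outside the hunk; if it is a signed 16-bit type, a negative value passes the `nLeft < 0` test (it increases `nLeft`) and reaches the allocation and the new `checkRead` as a very large size. Rejecting it up front, e.g. `if (nLen < 0) return NULL;` before `nLeft -= 2 + nLen;`, would close that path. The early `return NULL` added here also leaves the earlier entries of `pPieceGrpprls` to whatever cleanup exists outside the hunk, which is worth confirming.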
@@ -2510,20 +2514,22 @@ WW8PLCFx_Fc_FKP::WW8Fkp::WW8Fkp(ww::WordVersion eVersion, SvStream* pSt, : nItemSize(nItemSiz), nFilePos(_nFilePos), mnIdx(0), ePLCF(ePl), maSprmParser(eVersion) { - long nOldPos = pSt->Tell(); - - pSt->Seek(nFilePos); memset(maRawData, 0, 512); - pSt->Read(maRawData, 512); - mnIMax = maRawData[511]; + + sal_Size nOldPos = pSt->Tell(); + + bool bCouldSeek = checkSeek(*pSt, nFilePos); + bool bCouldRead = bCouldSeek ? checkRead(*pSt, maRawData, 512) : false; + + mnIMax = bCouldRead ? maRawData[511] : 0; sal_uInt8 *pStart = maRawData; // Offset-Location in maRawData - size_t nRawDataStart = (mnIMax + 1) * 4; + const size_t nRawDataStart = (mnIMax + 1) * 4; for (mnIdx = 0; mnIdx < mnIMax; ++mnIdx) { - size_t nRawDataOffset = nRawDataStart + mnIdx * nItemSize; + const size_t nRawDataOffset = nRawDataStart + mnIdx * nItemSize; //clip to available data, corrupt fkp if (nRawDataOffset >= 511) |
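Review bot: A failed `checkSeek` or `checkRead` in the WW8Fkp constructor is handled silently by setting `mnIMax` to 0, whereas the ww8graf.cxx hunks of this commit pair every such check with an `OSL_ENSURE`. Adding `OSL_ENSURE(bCouldRead, "Short FKP read");` after the read would keep the diagnostics consistent and make a corrupt FKP offset visible in debug builds. The literals `512` and `511` are repeated for the buffer size and last index; a named constant or `sizeof(maRawData)` would tie them to the array declaration, which is outside the hunk. The constructor body continues past the end of the hunk.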