Please find attached a patch that fixes bug 275204. The bug occurred because 
we ended up with random values, which sometimes worked and sometimes didn't. 
The values were random because we read memory past the allocated number of 
U8 bytes.
diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
index be5a85d..903be3e 100644
--- a/filters/words/msword-odf/wv2/src/styles.cpp
+++ b/filters/words/msword-odf/wv2/src/styles.cpp
@@ -650,32 +650,40 @@ void Style::unwrapStyle( const StyleSheet& stylesheet, WordVersion version )
         }
 
         U8 *data = m_std->grupx;
-
-        // paragraph
-        U16 cbUPX = readU16( data );
-        data += 2;
-        m_properties->pap().istd = readU16( data );
-        data += 2;
-        cbUPX -= 2;
+        if (m_std->grupxLen > 0) {
+            // paragraph
+            U16 cbUPX = readU16( data );
+            if (m_std->grupxLen > 2) {
+                data += 2;
+                m_properties->pap().istd = readU16( data );
+                if (m_std->grupxLen > 4) {
+                    data += 2;
+                    cbUPX -= 2;
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# Applying paragraph exceptions: " << cbUPX << endl;
+                    wvlog << "############# Applying paragraph exceptions: " << cbUPX << endl;
 #endif
-        m_properties->pap().apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
-        data += cbUPX;
+                    m_properties->pap().apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
+                    if (m_std->grupxLen > cbUPX+4) {
+                        data += cbUPX;
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
+                        wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
 #endif
-
-        // character
-        cbUPX = readU16( data );
-        data += 2;
+                        if (m_std->grupxLen > cbUPX+6) {
+                            // character
+                            U16 cbUPX2 = readU16( data );
+                            data += 2;
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# Applying character exceptions: " << cbUPX << endl;
+                            wvlog << "############# Applying character exceptions: " << cbUPX2 << endl;
 #endif
-        m_chp->apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
+                            m_chp->apply( data, cbUPX2, parentStyle, &stylesheet, 0, version );  // try without data stream for now
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
+                            wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
 #endif
+                        }
+                    }
+                }
+            }
+        }
     }
     else if ( m_std->sgc == sgcChp ) {
         const Style* parentStyle = 0;
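Review bot: The added length checks do not cover the bytes actually read, and `pap().apply( data, cbUPX, … )` still runs before `cbUPX` is compared with `grupxLen`. `grupxLen > 0` guards a two-byte `readU16`, `grupxLen > 2` guards a second one at offset 2, and `cbUPX -= 2` wraps the U16 when the stored count is below 2; `cbUPX2` is likewise never compared with the bytes left before `m_chp->apply`. These counts presumably come straight from the imported document, so a malformed file could still drive reads past `grupx`; I would validate each length before it is used, as in the excerpt below. The enclosing `if` branch and `unwrapStyle` itself start and end outside the hunk.

```cpp
U8 *data = m_std->grupx;
if (m_std->grupxLen >= 4) {  // cbUPX and istd take two bytes each
    U16 cbUPX = readU16( data );
    data += 2;
    m_properties->pap().istd = readU16( data );
    data += 2;
    // cbUPX appears to include the istd bytes: reject a count that is
    // too small to subtract from or that runs past the end of grupx
    if (cbUPX >= 2 && m_std->grupxLen - 2 >= cbUPX) {
        cbUPX -= 2;
        // … unchanged: debug log, m_properties->pap().apply( data, cbUPX, … ), debug log …
        data += cbUPX;
        if (m_std->grupxLen - 4 - cbUPX >= 2) {  // room for the character cbUPX
            // character
            U16 cbUPX2 = readU16( data );
            data += 2;
            if (cbUPX2 <= m_std->grupxLen - 6 - cbUPX) {
                // … unchanged: debug log, m_chp->apply( data, cbUPX2, … ), debug log …
            }
        }
    }
}
```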