On Wednesday 08 June 2011 22:37:13 Sebastian Sauer wrote:
> Please find attached a patch that fixes bug 275204. The reason for the bug
> was that we were ending up with random values, which could work but
> sometimes didn't. The values were random because we dealt with memory past
> the allocated number of U8 bytes.

Seems the previous patch wasn't correct / wasn't enough to fix the problem. 
Please find attached an updated patch that tries to make sure that we never 
end outside of the UPX boundaries, by not trusting cbUPX to have the correct 
value and additionally limiting it to the size of the U8* data the UPX is in.

In the last 30 minutes of loading the doc attached to bug 275204 I was at 
least not able to reproduce the problem any longer with the attached patch. But 
then, since it's a rather random problem...

Even after studying the msdoc binary specs for a longer time I am still not 
sure why that is so. Either the producer of the doc attached to bug 275204 
just produced garbage or we are missing something. The following sentence from 
the specs seems to match:

[quote]
Each UPX stored in a file is not a complete UPX, rather it is a UPX
with all trailing zero bytes lopped off, and preceded by a ushort
length field.  So it is stored like:
    Field    Size       Comment
    cbUPX    2 bytes    size of the following UPX structure
    UPX      (cbUPX)    Nonzero prefix of a UPX structure
Each UPX begins on an even-byte offset within the STD, even if the
length of the previous UPX (cbUPX) was odd.
[/quote]

So,
1) can "with all trailing zero bytes lopped off" maybe mean that cbUPX does not 
really define the exact number of bytes in the stream but the size of the 
produced UPX structure, which can be different thanks to the trailing zero 
bytes being lopped off, or
2) are we probably not handling the even-byte case correctly and therefore get 
garbage sometimes?
diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
index be5a85d..d06b717 100644
--- a/filters/words/msword-odf/wv2/src/styles.cpp
+++ b/filters/words/msword-odf/wv2/src/styles.cpp
@@ -649,33 +649,41 @@ void Style::unwrapStyle( const StyleSheet& stylesheet, WordVersion version )
             }
         }
 
-        U8 *data = m_std->grupx;
-
-        // paragraph
-        U16 cbUPX = readU16( data );
-        data += 2;
-        m_properties->pap().istd = readU16( data );
-        data += 2;
-        cbUPX -= 2;
+        if (m_std->grupxLen >= 4) {
+            U8 *data = m_std->grupx;
+
+            // paragraph
+            U16 cbUPX = readU16( data );
+            data += 2;
+            m_properties->pap().istd = readU16( data );
+            data += 2;
+            cbUPX -= 2;
+            cbUPX = qMin(cbUPX, U16(m_std->grupxLen - 4));
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# Applying paragraph exceptions: " << cbUPX << endl;
+            wvlog << "############# Applying paragraph exceptions: " << cbUPX << endl;
 #endif
-        m_properties->pap().apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
-        data += cbUPX;
+            m_properties->pap().apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
+            wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
 #endif
 
-        // character
-        cbUPX = readU16( data );
-        data += 2;
+            U16 datapos = 4 + cbUPX + 2;
+            if (m_std->grupxLen >= datapos) {
+                data += cbUPX;
+
+                // character
+                cbUPX = readU16( data );
+                data += 2;
+                cbUPX = qMin(cbUPX, U16(m_std->grupxLen - datapos));
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# Applying character exceptions: " << cbUPX << endl;
+                wvlog << "############# Applying character exceptions: " << cbUPX << endl;
 #endif
-        m_chp->apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
+                m_chp->apply( data, cbUPX, parentStyle, &stylesheet, 0, version );  // try without data stream for now
 #ifdef WV2_DEBUG_SPRMS
-        wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
+                wvlog << "############# done" << "[" << name().ascii() << "]" << endl;
 #endif
+            }
+        }
     }
     else if ( m_std->sgc == sgcChp ) {
         const Style* parentStyle = 0;
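Review bot: the paragraph branch still does `cbUPX -= 2` on the first cbUPX without checking that cbUPX >= 2, so a cbUPX of 0 or 1 wraps the U16 and only the following `cbUPX = qMin(cbUPX, U16(m_std->grupxLen - 4));` keeps the read inside grupx, at the cost of silently applying the whole remaining buffer as paragraph sprms; an explicit bail-out before the subtraction (and a debug message whenever the qMin actually truncates cbUPX) would make it visible whether the bug 275204 document really claims more bytes than grupxLen holds. Separately, the spec quoted in the mail says each UPX begins on an even-byte offset within the STD, but `data += cbUPX;` and `U16 datapos = 4 + cbUPX + 2;` advance by the raw cbUPX, so for an odd paragraph cbUPX the character cbUPX is read one byte early; the alignment has to be computed from the offset of grupx within the STD rather than from grupx itself, which is exactly question 2) in the mail and is worth checking against that document before relying on the clamp.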
_______________________________________________
calligra-devel mailing list
https://mail.kde.org/mailman/listinfo/calligra-devel
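An added example, not code from the patch or from wv2: a bounds-checked reader for the grupx layout quoted in the mail (paragraph UPX, even-byte padding, character UPX) that refuses any cbUPX reaching past the buffer instead of clamping it. The `grupx_std_off` parameter, the `upx_spans` struct and the sample bytes are assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Where the paragraph and character UPX payloads sit inside grupx (assumed layout). */
typedef struct {
    uint16_t istd;
    size_t pap_off, pap_len;   /* paragraph sprms, after cbUPX and istd */
    size_t chp_off, chp_len;   /* character sprms, after its own cbUPX */
} upx_spans;

static uint16_t read_u16_le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a paragraph-style grupx: paragraph UPX, even-byte padding, character UPX.
 * grupx_std_off (an assumed parameter) is the offset of grupx within its STD, so the
 * even-byte rule from the spec is applied relative to the STD start, not to grupx.
 * Every read is checked against len; a cbUPX that does not fit is rejected rather
 * than clamped, which is stricter than the patch but never applies bytes past grupx. */
static bool parse_para_grupx(const uint8_t *g, size_t len, size_t grupx_std_off, upx_spans *o)
{
    size_t pos = 2;
    if (len < 2) return false;
    uint16_t cb = read_u16_le(g);
    if (cb < 2 || cb > len - pos) return false;  /* istd must fit in cbUPX, cbUPX in grupx */
    o->istd = read_u16_le(g + pos);
    o->pap_off = pos + 2;
    o->pap_len = cb - 2;
    pos += cb;
    if ((grupx_std_off + pos) & 1) pos++;        /* next UPX starts on an even STD offset */
    if (pos > len || len - pos < 2) return false;
    cb = read_u16_le(g + pos); pos += 2;
    if (cb > len - pos) return false;
    o->chp_off = pos;
    o->chp_len = cb;
    return true;
}

/* Constructed sample, not from the bug's document: paragraph UPX with cbUPX=5
 * (istd 1 + 3 sprm bytes), one pad byte to reach an even offset, character UPX with cbUPX=2. */
static const uint8_t SAMPLE[] = { 0x05,0x00, 0x01,0x00, 0xAA,0xBB,0xCC, 0x00, 0x02,0x00, 0xDD,0xEE };

/* Scalar wrappers so a caller can check the result without the struct. */
static bool sample_ok(size_t len) { upx_spans s; return parse_para_grupx(SAMPLE, len, 0, &s); }
static size_t sample_pap_len(void) { upx_spans s = {0}; parse_para_grupx(SAMPLE, sizeof SAMPLE, 0, &s); return s.pap_len; }
static size_t sample_chp_off(void) { upx_spans s = {0}; parse_para_grupx(SAMPLE, sizeof SAMPLE, 0, &s); return s.chp_off; }
```

Passing `sizeof SAMPLE - 1` to `sample_ok` models a grupx whose last cbUPX claims more bytes than remain, the situation the patch clamps; here it is reported as a parse failure instead.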