Author: jim Date: Thu Aug 3 02:24:09 2017 New Revision: 1803942 URL: http://svn.apache.org/viewvc?rev=1803942&view=rev Log: buffer checks
Modified: openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx Modified: openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx URL: http://svn.apache.org/viewvc/openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx?rev=1803942&r1=1803941&r2=1803942&view=diff ============================================================================== --- openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx (original) +++ openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx Thu Aug 3 02:24:09 2017 @@ -6495,6 +6495,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi p->sFontname = String ( (((const sal_Char*)pVer2) + 1 + 2), eEnc); pVer2 = (WW8_FFN_BASE*)( ((sal_uInt8*)pVer2) + pVer2->cbFfnM1 + 1 ); + + // Check that there is room for at least one more WW8_FFN_BASE before + // the end of the buffer. + if ((sal_uInt8*)pVer2 > pA + nFFn - sizeof(WW8_FFN_BASE)) { + throw std::out_of_range("WW8 beyond end of buffer"); + } } } else if( eVersion < ww::eWW8 ) @@ -6540,6 +6546,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi } } pVer6 = (WW8_FFN_Ver6*)( ((sal_uInt8*)pVer6) + pVer6->cbFfnM1 + 1 ); + + // Check that there is room for at least one more WW8_FFN_Ver6 before + // the end of the buffer. + if ((sal_uInt8*)pVer6 > pA + nFFn - sizeof(WW8_FFN_Ver6)) { + throw std::out_of_range("WW8 beyond end of buffer"); + } } } else @@ -6585,6 +6597,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi // Zeiger auf Ursprungsarray einen Font nach hinten setzen pVer8 = (WW8_FFN_Ver8*)( ((sal_uInt8*)pVer8) + pVer8->cbFfnM1 + 1 ); + + // Check that there is room for at least one more WW8_FFN_Ver8 before + // the end of the buffer. + if ((sal_uInt8*)pVer8 > pA + nFFn - sizeof(WW8_FFN_Ver8)) { + throw std::out_of_range("WW8 beyond end of buffer"); + } } } }
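Review bot: The new guard in all three hunks (`pVer2`, `pVer6`, `pVer8`) runs after the pointer has been advanced, at the bottom of the loop body, so it is also evaluated after the last font entry, where a well-formed table leaves the pointer at or near `pA + nFFn`. The loop headers are outside the hunks, so this needs confirming, but valid documents may now hit the `throw`. The check would be safer at the top of each iteration, before the entry is dereferenced, and written on offsets rather than pointers: `const size_t nOff = (sal_uInt8*)pVer2 - pA;` followed by `if (nOff > nFFn || nFFn - nOff < sizeof(WW8_FFN_BASE))`. That form also avoids `pA + nFFn - sizeof(...)` pointing before the buffer when `nFFn` is smaller than the struct. The guard only proves that the fixed-size header fits: the entry's `cbFfnM1 + 1` is not compared against the remaining bytes, and the font-name read in the first hunk (`String(((const sal_Char*)pVer2) + 1 + 2, eEnc)`) presumably scans to a NUL, so it can still run past the buffer on a crafted file.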