Author: jim
Date: Fri Aug 11 10:49:41 2017
New Revision: 1804772

URL: http://svn.apache.org/viewvc?rev=1804772&view=rev
Log:
Better bounds checking

Modified:
    openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx

Modified: openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx
URL: 
http://svn.apache.org/viewvc/openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx?rev=1804772&r1=1804771&r2=1804772&view=diff
==============================================================================
--- openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx (original)
+++ openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx Fri Aug 11 
10:49:41 2017
@@ -6467,6 +6467,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
 
     if( nMax )
     {
+        // Check size consistency
+        if(nMax > nFFn)
+        {
+                       throw std::out_of_range("WW8 beyond end of buffer");    
        
+        }
+
         // allocate Index Array
         pFontA = new WW8_FFN[ nMax ];
         p = pFontA;
@@ -6495,12 +6501,6 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
 
                 p->sFontname = String ( (((const sal_Char*)pVer2) + 1 + 2), 
eEnc);
                 pVer2 = (WW8_FFN_BASE*)( ((sal_uInt8*)pVer2) + pVer2->cbFfnM1 
+ 1 );
-
-                               // Check that there is room for at least one 
more WW8_FFN_BASE before
-                               // the end of the buffer.
-                               if ((sal_uInt8*)pVer2 > pA + nFFn - 
sizeof(WW8_FFN_BASE)) {
-                                       throw std::out_of_range("WW8 beyond end 
of buffer");
-                               }
             }
        }
         else if( eVersion < ww::eWW8 )
@@ -6546,12 +6546,6 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
                     }
                 }
                 pVer6 = (WW8_FFN_Ver6*)( ((sal_uInt8*)pVer6) + pVer6->cbFfnM1 
+ 1 );
-
-                               // Check that there is room for at least one 
more WW8_FFN_Ver6 before
-                               // the end of the buffer.
-                               if ((sal_uInt8*)pVer6 > pA + nFFn - 
sizeof(WW8_FFN_Ver6)) {
-                                       throw std::out_of_range("WW8 beyond end 
of buffer");
-                               }
             }
         }
         else
@@ -6598,11 +6592,6 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
                 // Zeiger auf Ursprungsarray einen Font nach hinten setzen
                 pVer8 = (WW8_FFN_Ver8*)( ((sal_uInt8*)pVer8) + pVer8->cbFfnM1 
+ 1 );
 
-                               // Check that there is room for at least one 
more WW8_FFN_Ver8 before
-                               // the end of the buffer.
-                               if ((sal_uInt8*)pVer8 > pA + nFFn - 
sizeof(WW8_FFN_Ver8)) {
-                                       throw std::out_of_range("WW8 beyond end 
of buffer");
-                               }
             }
         }
     }


Reply via email to