filter/inc/filter/msfilter/msdffimp.hxx | 17 +++++++++++-- filter/source/msfilter/msdffimp.cxx | 40 +++++++++++++++++++++++++++----- 2 files changed, 48 insertions(+), 9 deletions(-)
New commits: commit e7421d2e4d6426ba9b120c52abb2a37f95207943 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Dec 21 17:35:39 2011 +0100 avoid looping on busted escher records Signed-off-by: Petr Mladek <pmla...@suse.cz> diff --git a/filter/inc/filter/msfilter/msdffimp.hxx b/filter/inc/filter/msfilter/msdffimp.hxx index c1a0294..9344084 100644 --- a/filter/inc/filter/msfilter/msdffimp.hxx +++ b/filter/inc/filter/msfilter/msdffimp.hxx @@ -77,9 +77,20 @@ public: bool IsContainer() const { return nRecVer == DFF_PSFLAG_CONTAINER; } sal_uLong GetRecBegFilePos() const { return nFilePos; } sal_uLong GetRecEndFilePos() const { return nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen; } - void SeekToEndOfRecord(SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen ); } - void SeekToContent( SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE ); } - void SeekToBegOfRecord(SvStream& rIn) const { rIn.Seek( nFilePos ); } + bool SeekToEndOfRecord(SvStream& rIn) const + { + sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen; + return nPos == rIn.Seek(nPos); + } + bool SeekToContent(SvStream& rIn) const + { + sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE; + return nPos == rIn.Seek(nPos); + } + bool SeekToBegOfRecord(SvStream& rIn) const + { + return nFilePos == rIn.Seek(nFilePos); + } MSFILTER_DLLPUBLIC friend SvStream& operator>>(SvStream& rIn, DffRecordHeader& rRec); diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index aabba56..5764c66 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -156,6 +156,11 @@ using namespace container ; static sal_uInt32 nMSOleObjCntr = 0; #define MSO_OLE_Obj "MSO_OLE_Obj" +/*************************************************************************/ +bool lclGood(const SvStream &rStream) +{ + return rStream.GetError() == 0 && !rStream.IsEof(); +} /*************************************************************************/ sal_Bool Impl_OlePres::Read( SvStream & rStm ) @@ -3545,7 +3550,7 @@ sal_Bool SvxMSDffManager::SeekToShape( SvStream& rSt, void* /* pClientData */, s rSt >> aEscherF002Hd; sal_uLong nEscherF002End = aEscherF002Hd.GetRecEndFilePos(); DffRecordHeader aEscherObjListHd; - while ( rSt.Tell() < nEscherF002End ) + while (lclGood(rSt) && rSt.Tell() < nEscherF002End) { rSt >> aEscherObjListHd; if ( aEscherObjListHd.nRecVer != 0xf ) @@ -3579,9 +3584,14 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa bool bRet = sal_False; sal_uLong nFPosMerk = rSt.Tell(); // FilePos merken fuer ggf. spaetere Restauration DffRecordHeader aHd; + // make sure that we move somewhere with every iteration + sal_Size nStPos; do { + nStPos = rSt.Tell(); rSt >> aHd; + if (!lclGood(rSt)) + break; if ( aHd.nRecType == nRecId ) { if ( nSkipCount ) @@ -3596,9 +3606,13 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa } } if ( !bRet ) - aHd.SeekToEndOfRecord( rSt ); + { + bool bSeekSuccess = aHd.SeekToEndOfRecord( rSt ); + if (!bSeekSuccess) + break; + } } - while ( rSt.GetError() == 0 && rSt.Tell() < nMaxFilePos && !bRet ); + while ( lclGood(rSt) && rSt.Tell() < nMaxFilePos && rSt.Tell() != nStPos && !bRet ); if ( !bRet ) rSt.Seek( nFPosMerk ); // FilePos restaurieren return bRet; @@ -6187,10 +6201,18 @@ void SvxMSDffManager::GetFidclData( long nOffsDggL ) if ( mnIdClusters-- > 2 ) { - if ( aDggAtomHd.nRecLen == ( mnIdClusters * sizeof( FIDCL ) + 16 ) ) + const sal_Size nFIDCLsize = sizeof(sal_uInt32) * 2; + if ( aDggAtomHd.nRecLen == ( mnIdClusters * nFIDCLsize + 16 ) ) { + sal_Size nStCtrlCurr = rStCtrl.Tell(); + sal_Size nStCtrlEnd = rStCtrl.Seek(STREAM_SEEK_TO_END); + sal_Size nMaxEntriesPossible = ( nStCtrlEnd - nStCtrlCurr ) / nFIDCLsize; + rStCtrl.Seek(nStCtrlCurr); + mnIdClusters = std::min(nMaxEntriesPossible, static_cast<sal_Size>(mnIdClusters)); + mpFidcls = new FIDCL[ mnIdClusters ]; - for ( sal_uInt32 i = 0; i < mnIdClusters; i++ ) + memset(mpFidcls, 0, mnIdClusters * sizeof(FIDCL)); + for (sal_uInt32 i = 0; i < mnIdClusters; ++i) { rStCtrl >> mpFidcls[ i ].dgid >> mpFidcls[ i ].cspidCur; @@ -6989,6 +7011,8 @@ sal_Bool SvxMSDffManager::ReadCommonRecordHeader(DffRecordHeader& rRec, SvStream } +sal_uInt32 nMaxLegalRecordLength = SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE; + /* auch static */ sal_Bool SvxMSDffManager::ReadCommonRecordHeader( SvStream& rSt, sal_uInt8& rVer, @@ -7000,7 +7024,11 @@ sal_Bool SvxMSDffManager::ReadCommonRecordHeader( SvStream& rSt, rSt >> nTmp >> rFbt >> rLength; rVer = sal::static_int_cast< sal_uInt8 >(nTmp & 15); rInst = nTmp >> 4; - return rSt.GetError() == 0; + if (!lclGood(rSt)) + return false; + if (rLength > nMaxLegalRecordLength) + return false; + return true; }
_______________________________________________ Libreoffice-commits mailing list Libreoffice-commits@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits