sw/source/filter/ww8/ww8scan.cxx |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit e90c874f521a9fe9f2a0f21eaf8b01aec775c16c
Author: Stephan Bergmann <sberg...@redhat.com>
Date:   Mon Aug 24 17:21:48 2015 +0200

    Handle zero nPLCF
    
    ...as found by ASan in CppunitTest_sw_filters_test:
    
    > Testing file:///.../sw/qa/core/data/ww6/pass/crash-1.doc:
    > ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020009382b0 
at pc 0x2b1dcb5eabac bp 0x7fffe8ccbdb0 sp 0x7fffe8ccbda8
    > READ of size 4 at 0x6020009382b0 thread T0
    >  WW8PLCF::SeekPos(int) sw/source/filter/ww8/ww8scan.cxx:2219:14
    >  WW8PLCF::WW8PLCF(SvStream&, int, int, int, int, int, int) 
sw/source/filter/ww8/ww8scan.cxx:2080:9
    >  WW8PLCFx_Fc_FKP::WW8PLCFx_Fc_FKP(SvStream*, SvStream*, SvStream*, WW8Fib 
const&, ePLCFT, int) sw/source/filter/ww8/ww8scan.cxx:2883:21
    >  WW8PLCFx_Cp_FKP::WW8PLCFx_Cp_FKP(SvStream*, SvStream*, SvStream*, 
WW8ScannerBase const&, ePLCFT) sw/source/filter/ww8/ww8scan.cxx:3088:7
    >  WW8ScannerBase::WW8ScannerBase(SvStream*, SvStream*, SvStream*, WW8Fib*) 
sw/source/filter/ww8/ww8scan.cxx:1588:20
    >  SwWW8ImplReader::CoreLoad(WW8Glossary*, SwPosition const&) 
sw/source/filter/ww8/ww8par.cxx:5022:20
    >  SwWW8ImplReader::LoadThroughDecryption(SwPaM&, WW8Glossary*) 
sw/source/filter/ww8/ww8par.cxx:5767:19
    >  SwWW8ImplReader::LoadDoc(SwPaM&, WW8Glossary*) 
sw/source/filter/ww8/ww8par.cxx:6039:19
    >  WW8Reader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString 
const&) sw/source/filter/ww8/ww8par.cxx:6157:20
    >  SwReader::Read(Reader const&) sw/source/filter/basflt/shellio.cxx:175:18
    >  SwDocShell::ConvertFrom(SfxMedium&) sw/source/uibase/app/docsh.cxx:258:22
    >  SfxObjectShell::DoLoad(SfxMedium*) sfx2/source/doc/objstor.cxx:790:23
    >  SwFiltersTest::filter(rtl::OUString const&, rtl::OUString const&, 
rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) 
sw/qa/core/filters-test.cxx:112:20
    >  SwFiltersTest::load(rtl::OUString const&, rtl::OUString const&, 
rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) 
sw/qa/core/filters-test.cxx:71:12
    >  test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString 
const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, 
SotClipboardFormatId, unsigned int, bool) 
unotest/source/cpp/filters-test.cxx:129:20
    >  test::FiltersTest::testDir(rtl::OUString const&, rtl::OUString const&, 
rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) 
unotest/source/cpp/filters-test.cxx:154:5
    >  SwFiltersTest::testCVEs() sw/qa/core/filters-test.cxx:154:5
    > 0x6020009382b1 is located 0 bytes to the right of 1-byte region 
[0x6020009382b0,0x6020009382b1)
    > allocated by thread T0 here:
    >  operator new[](unsigned long) 
/home/sbergman/clang/trunk/src/projects/compiler-rt/lib/asan/asan_new_delete.cc:64
    >  WW8PLCF::ReadPLCF(SvStream&, int, unsigned int) 
sw/source/filter/ww8/ww8scan.cxx:2091:26
    >  WW8PLCF::WW8PLCF(SvStream&, int, int, int, int, int, int) 
sw/source/filter/ww8/ww8scan.cxx:2075:9
    >  WW8PLCFx_Fc_FKP::WW8PLCFx_Fc_FKP(SvStream*, SvStream*, SvStream*, WW8Fib 
const&, ePLCFT, int) sw/source/filter/ww8/ww8scan.cxx:2883:21
    >  WW8PLCFx_Cp_FKP::WW8PLCFx_Cp_FKP(SvStream*, SvStream*, SvStream*, 
WW8ScannerBase const&, ePLCFT) sw/source/filter/ww8/ww8scan.cxx:3088:7
    >  WW8ScannerBase::WW8ScannerBase(SvStream*, SvStream*, SvStream*, WW8Fib*) 
sw/source/filter/ww8/ww8scan.cxx:1588:20
    >  SwWW8ImplReader::CoreLoad(WW8Glossary*, SwPosition const&) 
sw/source/filter/ww8/ww8par.cxx:5022:20
    >  SwWW8ImplReader::LoadThroughDecryption(SwPaM&, WW8Glossary*) 
sw/source/filter/ww8/ww8par.cxx:5767:19
    >  SwWW8ImplReader::LoadDoc(SwPaM&, WW8Glossary*) 
sw/source/filter/ww8/ww8par.cxx:6039:19
    >  WW8Reader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString 
const&) sw/source/filter/ww8/ww8par.cxx:6157:20
    >  SwReader::Read(Reader const&) sw/source/filter/basflt/shellio.cxx:175:18
    >  SwDocShell::ConvertFrom(SfxMedium&) sw/source/uibase/app/docsh.cxx:258:22
    >  SfxObjectShell::DoLoad(SfxMedium*) sfx2/source/doc/objstor.cxx:790:23
    >  SwFiltersTest::filter(rtl::OUString const&, rtl::OUString const&, 
rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) 
sw/qa/core/filters-test.cxx:112:20
    >  SwFiltersTest::load(rtl::OUString const&, rtl::OUString const&, 
rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) 
sw/qa/core/filters-test.cxx:71:12
    >  test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString 
const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, 
SotClipboardFormatId, unsigned int, bool) 
unotest/source/cpp/filters-test.cxx:129:20
    >  test::FiltersTest::testDir(rtl::OUString const&, rtl::OUString const&, 
rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) 
unotest/source/cpp/filters-test.cxx:154:5
    >  SwFiltersTest::testCVEs() sw/qa/core/filters-test.cxx:154:5
    
    Change-Id: I97d995aad621b829b6fb6ee4622d386fec0bedea
    Reviewed-on: https://gerrit.libreoffice.org/17963
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit 1a871f9de6b23730e26fc6e4196723f67704ac8d)
    Reviewed-on: https://gerrit.libreoffice.org/17967
    Reviewed-by: David Tardon <dtar...@redhat.com>
    Tested-by: David Tardon <dtar...@redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 21a74b1..312abf4 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -2107,7 +2107,8 @@ WW8PLCF::WW8PLCF(SvStream& rSt, WW8_FC nFilePos, 
sal_Int32 nPLCF, int nStruct,
 void WW8PLCF::ReadPLCF(SvStream& rSt, WW8_FC nFilePos, sal_uInt32 nPLCF)
 {
     sal_Size nOldPos = rSt.Tell();
-    bool bValid = checkSeek(rSt, nFilePos) && (rSt.remainingSize() >= nPLCF);
+    bool bValid = nPLCF != 0 && checkSeek(rSt, nFilePos)
+        && (rSt.remainingSize() >= nPLCF);
 
     if (bValid)
     {
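Review bot: The new `nPLCF != 0` guard at the top of `ReadPLCF` excludes the zero-length case, but on its own it does not exclude lengths of 1 to 3 bytes, which are equally too small to hold the single `sal_Int32` FC that `SeekPos` reads (the ASan trace above reports a 4-byte read from a 1-byte region); unless the entry-count computation further down in the function already rejects such sizes, which is not visible here, a stricter form such as `bool bValid = nPLCF >= sizeof(sal_Int32) && checkSeek(rSt, nFilePos) && (rSt.remainingSize() >= nPLCF);` would be more robust. The guard also deserves a why-comment so the next reader does not drop it as redundant, e.g. `// an empty PLCF has no FC array; SeekPos would read past the allocated buffer (ASan heap-buffer-overflow)`. Worth stating in the same comment that `nPLCF` is declared `sal_Int32` in the constructor shown in the hunk header but taken as `sal_uInt32` here, so a negative length wraps to a huge value and is rejected only by the `remainingSize()` comparison. The body of `ReadPLCF` continues past the end of this hunk.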