sw/source/filter/html/htmltab.cxx |   21 +++++++++++++++++++++
 sw/source/filter/xml/xmltbli.cxx  |   28 ++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

New commits:
commit 0628693eaf056fedf4d82be8f58f0b87ab7dc20b
Author: Michael Stahl <mst...@redhat.com>
Date:   Thu Jan 25 13:20:55 2018 +0100

    sw: try to limit rowspan/colspan attributes a bit
    
    Not sure what would be a reasonable maximum, but this should at least
    limit fuzzing to 64k cells at a time.
    
    Change-Id: I03c8f828be7ca2d5caeb1f318b55e25ab3f528ef
    Reviewed-on: https://gerrit.libreoffice.org/48589
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Thorsten Behrens <thorsten.behr...@cib.de>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sw/source/filter/html/htmltab.cxx 
b/sw/source/filter/html/htmltab.cxx
index 178121062d1a..b80020e80e8a 100644
--- a/sw/source/filter/html/htmltab.cxx
+++ b/sw/source/filter/html/htmltab.cxx
@@ -30,6 +30,7 @@
 #include <editeng/lrspitem.hxx>
 #include <editeng/formatbreakitem.hxx>
 #include <editeng/spltitem.hxx>
+#include <unotools/configmgr.hxx>
 #include <svtools/htmltokn.h>
 #include <svtools/htmlkywd.hxx>
 #include <svl/urihelper.hxx>
@@ -2857,9 +2858,19 @@ CellSaveStruct::CellSaveStruct( SwHTMLParser& rParser, 
HTMLTable const *pCurTabl
                 break;
             case HtmlOptionId::COLSPAN:
                 m_nColSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                if (m_nColSpan > 256)
+                {
+                    SAL_INFO("sw.html", "ignoring huge COLSPAN " << 
m_nColSpan);
+                    m_nColSpan = 1;
+                }
                 break;
             case HtmlOptionId::ROWSPAN:
                 m_nRowSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                if (m_nRowSpan > 8192 || (m_nRowSpan > 256 && 
utl::ConfigManager::IsFuzzing()))
+                {
+                    SAL_INFO("sw.html", "ignoring huge ROWSPAN " << 
m_nRowSpan);
+                    m_nRowSpan = 1;
+                }
                 break;
             case HtmlOptionId::ALIGN:
                 m_eAdjust = rOption.GetEnum( aHTMLPAlignTable, m_eAdjust );
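Review bot: The new COLSPAN and ROWSPAN checks run after `static_cast<sal_uInt16>(rOption.GetNumber())`, so they compare the already-truncated value: an attribute of 65536 wraps to 0 and 65636 wraps to 100, and both pass `> 256`. The result stays bounded, but the log line reports the wrapped number, and a wrapped 0 reaches whatever the later code does with a zero span, which is not visible in this hunk. Comparing the untruncated number first makes the limit explicit, e.g. `const auto nSpan = rOption.GetNumber(); m_nColSpan = nSpan > 256 ? 1 : static_cast<sal_uInt16>(nSpan);`. The same cast-then-check order is used in the two SPAN hunks in BuildTableColGroup below. The switch these cases belong to starts and ends outside the hunk.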
@@ -4265,6 +4276,11 @@ void SwHTMLParser::BuildTableColGroup( HTMLTable 
*pCurTable,
                     break;
                 case HtmlOptionId::SPAN:
                     pSaveStruct->nColGrpSpan = 
static_cast<sal_uInt16>(rOption.GetNumber());
+                    if (pSaveStruct->nColGrpSpan > 256)
+                    {
+                        SAL_INFO("sw.html", "ignoring huge SPAN " << 
pSaveStruct->nColGrpSpan);
+                        pSaveStruct->nColGrpSpan = 1;
+                    }
                     break;
                 case HtmlOptionId::WIDTH:
                     pSaveStruct->nColGrpWidth = 
static_cast<sal_uInt16>(rOption.GetNumber());
@@ -4347,6 +4363,11 @@ void SwHTMLParser::BuildTableColGroup( HTMLTable 
*pCurTable,
                         break;
                     case HtmlOptionId::SPAN:
                         nColSpan = 
static_cast<sal_uInt16>(rOption.GetNumber());
+                        if (nColSpan > 256)
+                        {
+                            SAL_INFO("sw.html", "ignoring huge SPAN " << 
nColSpan);
+                            nColSpan = 1;
+                        }
                         break;
                     case HtmlOptionId::WIDTH:
                         nColWidth = 
static_cast<sal_uInt16>(rOption.GetNumber());
diff --git a/sw/source/filter/xml/xmltbli.cxx b/sw/source/filter/xml/xmltbli.cxx
index 1ec745d907ce..bb4e532b8e37 100644
--- a/sw/source/filter/xml/xmltbli.cxx
+++ b/sw/source/filter/xml/xmltbli.cxx
@@ -27,6 +27,7 @@
 #include <svl/itemset.hxx>
 #include <svl/zformat.hxx>
 #include <sax/tools/converter.hxx>
+#include <unotools/configmgr.hxx>
 #include <xmloff/xmlnmspe.hxx>
 #include <xmloff/xmltkmap.hxx>
 #include <xmloff/nmspmap.hxx>
@@ -471,12 +472,27 @@ SwXMLTableCellContext_Impl::SwXMLTableCellContext_Impl(
             break;
         case XML_TOK_TABLE_NUM_COLS_SPANNED:
             nColSpan = static_cast<sal_uInt32>(std::max<sal_Int32>(1, 
rValue.toInt32()));
+            if (nColSpan > 256)
+            {
+                SAL_INFO("sw.xml", "ignoring huge table:number-columns-spanned 
" << nColSpan);
+                nColSpan = 1;
+            }
             break;
         case XML_TOK_TABLE_NUM_ROWS_SPANNED:
             nRowSpan = static_cast<sal_uInt32>(std::max<sal_Int32>(1, 
rValue.toInt32()));
+            if (nRowSpan > 8192 || (nRowSpan > 256 && 
utl::ConfigManager::IsFuzzing()))
+            {
+                SAL_INFO("sw.xml", "ignoring huge table:number-rows-spanned " 
<< nRowSpan);
+                nRowSpan = 1;
+            }
             break;
         case XML_TOK_TABLE_NUM_COLS_REPEATED:
             nColRepeat = static_cast<sal_uInt32>(std::max<sal_Int32>(1, 
rValue.toInt32()));
+            if (nColRepeat > 256)
+            {
+                SAL_INFO("sw.xml", "ignoring huge 
table:number-columns-repeated " << nColRepeat);
+                nColRepeat = 1;
+            }
             break;
         case XML_TOK_TABLE_FORMULA:
             {
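Review bot: The limits 256 and 8192 and the `IsFuzzing()` condition are written as bare literals in each case here, and again in SwXMLTableColContext_Impl, SwXMLTableRowContext_Impl and the checks in htmltab.cxx, so a later change to the cap has to be repeated at every site in both files. Named constants shared by the two importers would keep them in step, for example `constexpr sal_uInt32 MAX_TABLE_COL_SPAN = 256;` and a matching row constant. Nothing in the code records why these values were chosen; a comment on the constants such as `// arbitrary import cap: bounds the cells a single attribute of an untrusted document can request` would carry over what the commit message says. The constructor body continues outside the hunk.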
@@ -751,7 +767,14 @@ SwXMLTableColContext_Impl::SwXMLTableColContext_Impl(
             if( IsXMLToken( aLocalName, XML_STYLE_NAME ) )
                 aStyleName = rValue;
             else if( IsXMLToken( aLocalName, XML_NUMBER_COLUMNS_REPEATED ) )
+            {
                 nColRep = static_cast<sal_uInt32>(std::max<sal_Int32>(1, 
rValue.toInt32()));
+                if (nColRep > 256)
+                {
+                    SAL_INFO("sw.xml", "ignoring huge 
table:number-columns-repeated " << nColRep);
+                    nColRep = 1;
+                }
+            }
             else if( IsXMLToken( aLocalName, XML_DEFAULT_CELL_STYLE_NAME ) )
                 aDfltCellStyleName = rValue;
         }
@@ -892,6 +915,11 @@ SwXMLTableRowContext_Impl::SwXMLTableRowContext_Impl( 
SwXMLImport& rImport,
             else if( IsXMLToken( aLocalName, XML_NUMBER_ROWS_REPEATED ) )
             {
                 nRowRepeat = static_cast<sal_uInt32>(std::max<sal_Int32>(1, 
rValue.toInt32()));
+                if (nRowRepeat > 8192 || (nRowRepeat > 256 && 
utl::ConfigManager::IsFuzzing()))
+                {
+                    SAL_INFO("sw.xml", "ignoring huge 
table:number-rows-repeated " << nRowRepeat);
+                    nRowRepeat = 1;
+                }
             }
             else if( IsXMLToken( aLocalName, XML_DEFAULT_CELL_STYLE_NAME ) )
             {
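Review bot: The `IsFuzzing()` branch in the new nRowRepeat check gives fuzzing builds a lower row bound (256) than production builds (8192), so repeat counts from 257 to 8192 are accepted from real documents but are never exercised by the fuzzer. The hunk does not say why the two bounds differ; presumably the lower one only keeps fuzz runs short. A comment such as `// lower cap under fuzzing to keep runs short; 257..8192 is reachable only in production` would record that this range needs coverage from other tests. The same condition appears in the number-rows-spanned check above and in the ROWSPAN check in htmltab.cxx. The constructor body continues outside the hunk.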