sw/source/filter/ww8/ww8par.hxx | 2 +- sw/source/filter/ww8/ww8par5.cxx | 6 +++--- sw/source/filter/ww8/ww8scan.cxx | 24 ++++++++++++++++++++++-- sw/source/filter/ww8/ww8scan.hxx | 6 +++--- 4 files changed, 29 insertions(+), 9 deletions(-)
New commits: commit dfe797e8a54f49270f25043dda5fdd95d8fbc4ff Author: Caolán McNamara <caol...@redhat.com> Date: Sat Mar 17 17:44:35 2018 +0000 ofz#6990 Integer-overflow Change-Id: Ie6a29b44c3b8fb984801d6bc36eb60f45d2f00d4 Reviewed-on: https://gerrit.libreoffice.org/51467 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 1460083b85eb..a7153844ec71 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1617,7 +1617,7 @@ private:
 void MakeTagString( OUString& rStr, const OUString& rOrg );
 void UpdateFields();
 OUString ConvertFFileName(const OUString& rRaw);
- long Read_F_Tag( WW8FieldDesc* pF );
+ WW8_CP Read_F_Tag(WW8FieldDesc* pF);
 void InsertTagField( const sal_uInt16 nId, const OUString& rTagText );
 long ImportExtSprm(WW8PLCFManResult* pRes);
 void EndExtSprm(sal_uInt16 nSprmId);
diff --git a/sw/source/filter/ww8/ww8par5.cxx b/sw/source/filter/ww8/ww8par5.cxx
index 82b4c2b8c2ec..f47be7dcfcda 100644
--- a/sw/source/filter/ww8/ww8par5.cxx
+++ b/sw/source/filter/ww8/ww8par5.cxx
@@ -1131,12 +1131,12 @@ void SwWW8ImplReader::InsertTagField( const sal_uInt16 nId, const OUString& rTag
 }
 }
-long SwWW8ImplReader::Read_F_Tag( WW8FieldDesc* pF )
+WW8_CP SwWW8ImplReader::Read_F_Tag( WW8FieldDesc* pF )
 {
 long nOldPos = m_pStrm->Tell();
 WW8_CP nStart = pF->nSCode - 1; // starting with 0x19
- long nL = pF->nLen; // Total length with result and nest
+ WW8_CP nL = pF->nLen; // Total length with result and nest
 if( nL > MAX_FIELDLEN ) nL = MAX_FIELDLEN; // MaxLength, by quoting // max. 4 times as big
@@ -1196,7 +1196,7 @@ OUString SwWW8ImplReader::GetFieldResult( WW8FieldDesc const * pF )
 long nOldPos = m_pStrm->Tell();
 WW8_CP nStart = pF->nSRes; // result start
- long nL = pF->nLRes; // result length
+ WW8_CP nL = pF->nLRes; // result length
 if( !nL ) return OUString(); // no result
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index f6b4a84a3a8f..3f7565a1885b 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1994,13 +1994,33 @@ static bool WW8GetFieldPara(WW8PLCFspecial& rPLCF, WW8FieldDesc& rF)
 if (!rPLCF.Get(rF.nLRes, pData) || rF.nLRes < 0) goto Err;
 }
- rF.nLen = rF.nLRes - rF.nSCode + 2; // nLRes is still the final position
+ WW8_CP nTmp;
+ if (o3tl::checked_sub<WW8_CP>(rF.nLRes, rF.nSCode, nTmp))
+ {
+ rF.nLen = 0;
+ goto Err;
+ }
+ if (o3tl::checked_add<WW8_CP>(nTmp, 2, rF.nLen)) // nLRes is still the final position
+ {
+ rF.nLen = 0;
+ goto Err;
+ }
 rF.nLRes -= rF.nSRes; // now: nLRes = length
 rF.nSRes++; // Endpos including Markers
 rF.nLRes--;
 }else{
 rF.nLRes = 0; // no result found
- rF.nLen = rF.nSRes - rF.nSCode + 2; // total length
+ WW8_CP nTmp;
+ if (o3tl::checked_sub<WW8_CP>(rF.nSRes, rF.nSCode, nTmp))
+ {
+ rF.nLen = 0;
+ goto Err;
+ }
+ if (o3tl::checked_add<WW8_CP>(nTmp, 2, rF.nLen)) // total length
+ {
+ rF.nLen = 0;
+ goto Err;
+ }
 }
 if (rF.nLen < 0)
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index fbaae0131eae..c9216ed1cbe6 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
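Review bot: In `SwWW8ImplReader::GetFieldResult` the guard `if( !nL )` rejects only a zero result length, so a negative `pF->nLRes` is carried forward in the now 32-bit signed `nL`. The rest of the function lies outside this hunk, so what happens to it afterwards is not visible here. The value comes from the `WW8GetFieldPara` hunk in ww8scan.cxx, where `rF.nLRes -= rF.nSRes;` followed by `rF.nLRes--;` is left unchecked by this commit. It goes negative whenever the final position read from the document is not greater than the start-of-result position. Since the length is file-controlled, treat every non-positive value as "no result": `if (nL <= 0) return OUString();`.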
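Review bot: The checked subtraction and addition in `WW8GetFieldPara` are written out twice, once per branch, and the two eleven-line copies differ only in the minuend (`rF.nLRes` versus `rF.nSRes`), so a later fix to one copy can easily miss the other. A small file-local helper that reports overflow would keep the `rF.nLen = 0` reset in one place and leave each branch with a single `goto Err`. The function starts and ends outside the hunk, so the helper below would sit before it, and only the two call sites are shown.

```cpp
// Sets rLen to nEnd - nStart + 2; returns false (with rLen reset to 0) if either step overflows.
static bool CalcFieldLen(WW8_CP nEnd, WW8_CP nStart, WW8_CP& rLen)
{
    WW8_CP nTmp;
    if (o3tl::checked_sub<WW8_CP>(nEnd, nStart, nTmp) || o3tl::checked_add<WW8_CP>(nTmp, 2, rLen))
    {
        rLen = 0;
        return false;
    }
    return true;
}

// … unchanged: WW8GetFieldPara up to the end of the rPLCF.Get(rF.nLRes, …) check …
            if (!CalcFieldLen(rF.nLRes, rF.nSCode, rF.nLen)) // nLRes is still the final position
                goto Err;
// … unchanged: nLRes/nSRes adjustment, }else{, rF.nLRes = 0 …
            if (!CalcFieldLen(rF.nSRes, rF.nSCode, rF.nLen)) // total length
                goto Err;
```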
@@ -194,13 +194,13 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen
 struct WW8FieldDesc
 {
- long nLen; ///< total length (to skip over text)
+ WW8_CP nLen; ///< total length (to skip over text)
 WW8_CP nSCode; ///< start of instructions code
 WW8_CP nLCode; ///< length
 WW8_CP nSRes; ///< start of result
 WW8_CP nLRes; ///< length ( == 0, if no result )
- sal_uInt16 nId; ///< WW-id for fields
- sal_uInt8 nOpt; ///< WW-Flags ( e.g.: changed by user )
+ sal_uInt16 nId; ///< WW-id for fields
+ sal_uInt8 nOpt; ///< WW-Flags ( e.g.: changed by user )
 bool bCodeNest:1; ///< instruction used recursively
 bool bResNest:1; ///< instruction inserted into result
 };
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits