sw/source/filter/ww8/ww8par.hxx | 2 -
sw/source/filter/ww8/ww8par2.cxx | 47 ++++++++++++++++++++++++++++++---------
2 files changed, 38 insertions(+), 11 deletions(-)
New commits:
commit a174f52a7f6758d694d4cde5f446024e21b33d13
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Sat Oct 27 19:45:34 2018 +0100
Commit: Caolán McNamara <caol...@redhat.com>
CommitDate: Sun Oct 28 21:11:13 2018 +0100
ofz#11125 pass param len around
Change-Id: I4b382271df21c58de0e102af6e0b07a88a1d9610
Reviewed-on: https://gerrit.libreoffice.org/62443
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 5bee19873cb1..5cffd97a179e 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1041,7 +1041,7 @@ struct WW8TabBandDesc
static void setcelldefaults(WW8_TCell *pCells, short nCells);
void ReadDef(bool bVer67, const sal_uInt8* pS, short nLen);
void ProcessDirection(const sal_uInt8* pParams);
- void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC);
+ void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC,
sal_uInt16 nParamsLen);
void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams,
sal_uInt16 nParamsLen);
void ProcessSprmTDxaCol(const sal_uInt8* pParamsTDxaCol);
void ProcessSprmTDelete(const sal_uInt8* pParamsTDelete);
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index f272fded5b5c..20be4b7357ec 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1231,11 +1231,17 @@ void WW8TabBandDesc::ReadDef(bool bVer67, const
sal_uInt8* pS, short nLen)
}
}
-void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8*
pParamsTSetBRC)
+void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8*
pParamsTSetBRC, sal_uInt16 nParamsLen)
{
if( !pParamsTSetBRC || !pTCs ) // set one or more cell border(s)
return;
+ if (nParamsLen < 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
+
sal_uInt8 nitcFirst= pParamsTSetBRC[0];// first col to be changed
sal_uInt8 nitcLim = pParamsTSetBRC[1];// (last col to be changed)+1
sal_uInt8 nFlag = *(pParamsTSetBRC+2);
@@ -1254,11 +1260,33 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer,
const sal_uInt8* pParamsTSe
WW8_TCell* pCurrentTC = pTCs + nitcFirst;
WW8_BRCVer9 brcVer9;
if( nBrcVer == 6 )
+ {
+ if (nParamsLen < sizeof(WW8_BRCVer6) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = WW8_BRCVer9(WW8_BRC(*reinterpret_cast<WW8_BRCVer6 const
*>(pParamsTSetBRC+3)));
+ }
else if( nBrcVer == 8 )
+ {
+ static_assert(sizeof (WW8_BRC) == 4, "this has to match the msword
size");
+ if (nParamsLen < sizeof(WW8_BRC) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = WW8_BRCVer9(*reinterpret_cast<WW8_BRC const
*>(pParamsTSetBRC+3));
+ }
else
+ {
+ if (nParamsLen < sizeof(WW8_BRCVer9) + 3)
+ {
+ SAL_WARN("sw.ww8", "table border property is too short");
+ return;
+ }
brcVer9 = *reinterpret_cast<WW8_BRCVer9 const *>(pParamsTSetBRC+3);
+ }
for( int i = nitcFirst; i < nitcLim; ++i, ++pCurrentTC )
{
@@ -1271,7 +1299,6 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer,
const sal_uInt8* pParamsTSe
if( bChangeRight )
pCurrentTC->rgbrc[ WW8_RIGHT ] = brcVer9;
}
-
}
void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8*
pParams, sal_uInt16 nParamsLen)
@@ -1789,7 +1816,8 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP
nStartCp) :
sal_uInt16 nTableBordersLen = 0;
const sal_uInt8* pTableBorders90 = nullptr;
sal_uInt16 nTableBorders90Len = 0;
- std::vector<const sal_uInt8*> aTSetBrcs, aTSetBrc90s;
+ // params, len
+ std::vector<std::pair<const sal_uInt8*, sal_uInt16>> aTSetBrcs,
aTSetBrc90s;
WW8_TablePos *pTabPos = nullptr;
// search end of a tab row
@@ -1892,10 +1920,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass,
WW8_CP nStartCp) :
}
break;
case sprmTSetBrc:
- aTSetBrcs.push_back(pParams); // process at end
+ aTSetBrcs.emplace_back(pParams, nLen); // process at
end
break;
case sprmTSetBrc90:
- aTSetBrc90s.push_back(pParams); // process at end
+ aTSetBrc90s.emplace_back(pParams, nLen); // process at
end
break;
case sprmTDxaCol:
pNewBand->ProcessSprmTDxaCol(pParams);
@@ -1943,11 +1971,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass,
WW8_CP nStartCp) :
else if (pTableBorders)
pNewBand->ProcessSprmTTableBorders(bOldVer ? 6 : 8,
pTableBorders, nTableBordersLen);
- std::vector<const sal_uInt8*>::const_iterator iter;
- for (iter = aTSetBrcs.begin(); iter != aTSetBrcs.end(); ++iter)
- pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, *iter);
- for (iter = aTSetBrc90s.begin(); iter != aTSetBrc90s.end(); ++iter)
- pNewBand->ProcessSprmTSetBRC(9, *iter);
+ for (const auto& a : aTSetBrcs)
+ pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, a.first,
a.second);
+ for (const auto& a : aTSetBrc90s)
+ pNewBand->ProcessSprmTSetBRC(9, a.first, a.second);
}
if( nTabeDxaNew < SHRT_MAX )
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
