Author: jim
Date: Thu Aug  3 02:24:09 2017
New Revision: 1803942

URL: http://svn.apache.org/viewvc?rev=1803942&view=rev
Log:
buffer checks

Modified:
    openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx

Modified: openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx
URL: 
http://svn.apache.org/viewvc/openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx?rev=1803942&r1=1803941&r2=1803942&view=diff
==============================================================================
--- openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx (original)
+++ openoffice/branches/AOO414/main/sw/source/filter/ww8/ww8scan.cxx Thu Aug  3 
02:24:09 2017
@@ -6495,6 +6495,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
 
                 p->sFontname = String ( (((const sal_Char*)pVer2) + 1 + 2), 
eEnc);
                 pVer2 = (WW8_FFN_BASE*)( ((sal_uInt8*)pVer2) + pVer2->cbFfnM1 
+ 1 );
+
+                               // Check that there is room for at least one 
more WW8_FFN_BASE before
+                               // the end of the buffer.
+                               if ((sal_uInt8*)pVer2 > pA + nFFn - 
sizeof(WW8_FFN_BASE)) {
+                                       throw std::out_of_range("WW8 beyond end 
of buffer");
+                               }
             }
        }
         else if( eVersion < ww::eWW8 )
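Review bot: The added check sits at the end of the loop body, after `pVer2` has been advanced, so it also runs after the final font record: if that record ends exactly at `pA + nFFn`, a well-formed table would throw, while the first record is still read unchecked (the loop header is outside the hunk, so this is inferred from the placement). The expression `pA + nFFn - sizeof(WW8_FFN_BASE)` also forms a pointer before the buffer whenever `nFFn` is smaller than the struct. Comparing offsets at the top of the loop body, before the record is dereferenced, avoids both problems, e.g. `if (nFFn < sizeof(WW8_FFN_BASE) || size_t((sal_uInt8*)pVer2 - pA) > nFFn - sizeof(WW8_FFN_BASE))`; the types of `pA` and `nFFn` are declared outside the hunk and should be confirmed. The check covers only the fixed-size header, so the record length `cbFfnM1 + 1` and the font name read from `pVer2 + 1 + 2` still appear unbounded against `nFFn`. The same applies to the `pVer6` and `pVer8` hunks.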
@@ -6540,6 +6546,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
                     }
                 }
                 pVer6 = (WW8_FFN_Ver6*)( ((sal_uInt8*)pVer6) + pVer6->cbFfnM1 
+ 1 );
+
+                               // Check that there is room for at least one 
more WW8_FFN_Ver6 before
+                               // the end of the buffer.
+                               if ((sal_uInt8*)pVer6 > pA + nFFn - 
sizeof(WW8_FFN_Ver6)) {
+                                       throw std::out_of_range("WW8 beyond end 
of buffer");
+                               }
             }
         }
         else
@@ -6585,6 +6597,12 @@ WW8Fonts::WW8Fonts( SvStream& rSt, WW8Fi
 
                 // Zeiger auf Ursprungsarray einen Font nach hinten setzen
                 pVer8 = (WW8_FFN_Ver8*)( ((sal_uInt8*)pVer8) + pVer8->cbFfnM1 
+ 1 );
+
+                               // Check that there is room for at least one 
more WW8_FFN_Ver8 before
+                               // the end of the buffer.
+                               if ((sal_uInt8*)pVer8 > pA + nFFn - 
sizeof(WW8_FFN_Ver8)) {
+                                       throw std::out_of_range("WW8 beyond end 
of buffer");
+                               }
             }
         }
     }

