diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2020-10-18 20:36:16 +0100 |
|---|---|---|
| committer | Thorsten Behrens <thorsten.behrens@allotropia.de> | 2021-04-09 23:22:07 +0200 |
| commit | 4cea2f6217f2279b673d666d58e9e7010915d04a (patch) | |
| tree | 3cab47c339b9c22c4aadea909b9b2270f1adb5d9 | |
| parent | ofz#25881 use std::vector with bounds checking accessor (diff) | |
| download | core-4cea2f6217f2279b673d666d58e9e7010915d04a.tar.gz core-4cea2f6217f2279b673d666d58e9e7010915d04a.zip | |
ofz#26480 validate WW8PLCFpcd is sorted like WW8PLCF does
Change-Id: I11393c730986585aeea229ebeec6417e4a0578d9
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/104510
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 7f55db80c6fe42c162bbf51404e638a66b6ae9ab)
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 37 | ||||
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.hxx | 6 |
2 files changed, 30 insertions, 13 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 8d6e42303503..53f7cd84d4e2 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -2334,26 +2334,40 @@ void WW8PLCF::ReadPLCF(SvStream& rSt, WW8_FC nFilePos, sal_uInt32 nPLCF) void WW8PLCF::MakeFailedPLCF() { nIMax = 0; - pPLCF_PosArray.reset( new sal_Int32[2] ); + pPLCF_PosArray.reset( new WW8_CP[2] ); pPLCF_PosArray[0] = pPLCF_PosArray[1] = WW8_CP_MAX; pPLCF_Contents = reinterpret_cast<sal_uInt8*>(&pPLCF_PosArray[nIMax + 1]); } -void WW8PLCF::TruncToSortedRange() +namespace { - //Docs state that: ... all Plcs ... are sorted in ascending order. - //So ensure that here for broken documents. - for (auto nI = 0; nI < nIMax; ++nI) + sal_Int32 TruncToSortedRange(const sal_Int32* pPLCF_PosArray, sal_Int32 nIMax) { - if (pPLCF_PosArray[nI] > pPLCF_PosArray[nI+1]) + //Docs state that: ... all Plcs ... are sorted in ascending order. + //So ensure that here for broken documents. + for (auto nI = 0; nI < nIMax; ++nI) { - SAL_WARN("sw.ww8", "Document has unsorted PLCF, truncated to sorted portion"); - nIMax = nI; - break; + if (pPLCF_PosArray[nI] > pPLCF_PosArray[nI+1]) + { + SAL_WARN("sw.ww8", "Document has unsorted PLCF, truncated to sorted portion"); + nIMax = nI; + break; + } } + return nIMax; } } +void WW8PLCFpcd::TruncToSortedRange() +{ + nIMax = ::TruncToSortedRange(pPLCF_PosArray.get(), nIMax); +} + +void WW8PLCF::TruncToSortedRange() +{ + nIMax = ::TruncToSortedRange(pPLCF_PosArray.get(), nIMax); +} + void WW8PLCF::GeneratePLCF(SvStream& rSt, sal_Int32 nPN, sal_Int32 ncpN) { OSL_ENSURE( nIMax < ncpN, "Pcl.Fkp: Why is PLCF too big?" ); @@ -2375,7 +2389,7 @@ void WW8PLCF::GeneratePLCF(SvStream& rSt, sal_Int32 nPN, sal_Int32 ncpN) { size_t nSiz = (4 + nStru) * nIMax + 4; size_t nElems = ( nSiz + 3 ) / 4; - pPLCF_PosArray.reset( new sal_Int32[ nElems ] ); // Pointer to Pos-array + pPLCF_PosArray.reset( new WW8_CP[ nElems ] ); // Pointer to Pos-array for (sal_Int32 i = 0; i < ncpN && !failure; ++i) { @@ -2509,7 +2523,7 @@ WW8PLCFpcd::WW8PLCFpcd(SvStream* pSt, sal_uInt32 nFilePos, bValid = false; nPLCF = bValid ? std::min(nRemainingSize, static_cast<std::size_t>(nPLCF)) : nValidMin; - pPLCF_PosArray.reset( new sal_Int32[ ( nPLCF + 3 ) / 4 ] ); // Pointer to Pos-array + pPLCF_PosArray.reset( new WW8_CP[ ( nPLCF + 3 ) / 4 ] ); // Pointer to Pos-array pPLCF_PosArray[0] = 0; nPLCF = bValid ? pSt->ReadBytes(pPLCF_PosArray.get(), nPLCF) : nValidMin; @@ -2523,6 +2537,7 @@ WW8PLCFpcd::WW8PLCFpcd(SvStream* pSt, sal_uInt32 nFilePos, // Pointer to content array pPLCF_Contents = reinterpret_cast<sal_uInt8*>(&pPLCF_PosArray[nIMax + 1]); + TruncToSortedRange(); pSt->Seek( nOldPos ); } diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx index 1c1d9d148476..45454a6d3187 100644 --- a/sw/source/filter/ww8/ww8scan.hxx +++ b/sw/source/filter/ww8/ww8scan.hxx @@ -346,14 +346,16 @@ class WW8PLCFpcd { friend class WW8PLCFpcd_Iter; - std::unique_ptr<sal_Int32[]> pPLCF_PosArray; // pointer to Pos-array and the whole structure + std::unique_ptr<WW8_CP[]> pPLCF_PosArray; // pointer to Pos-array and the whole structure sal_uInt8* pPLCF_Contents; // pointer to content-array-part of Pos-array - long nIMax; + sal_Int32 nIMax; sal_uInt32 nStru; WW8PLCFpcd(const WW8PLCFpcd&) = delete; WW8PLCFpcd& operator=(const WW8PLCFpcd&) = delete; + void TruncToSortedRange(); + public: WW8PLCFpcd(SvStream* pSt, sal_uInt32 nFilePos, sal_uInt32 nPLCF, sal_uInt32 nStruct); |