diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-08-28 14:33:05 +0100 |
|---|---|---|
| committer | Andras Timar <andras.timar@collabora.com> | 2015-08-31 15:12:05 +0200 |
| commit | 53e6788f1ca9bf61715b40f1313d949a3d3151a1 (patch) | |
| tree | ee7eb472fb059d2c9d65369ea74dae910ad2cf72 | |
| parent | check seeks and reads (diff) | |
| download | core-53e6788f1ca9bf61715b40f1313d949a3d3151a1.tar.gz core-53e6788f1ca9bf61715b40f1313d949a3d3151a1.zip | |
guard against 0 item size
Change-Id: I9c4c2f0fe2d892615b3c70e08da0cab6da13338a
(cherry picked from commit 2aadad1e89e96cb80c15fe1069cb6365f0cade1d)
Reviewed-on: https://gerrit.libreoffice.org/18113
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: David Tardon <dtardon@redhat.com>
| -rw-r--r-- | sd/qa/unit/data/ppt/pass/crash-2.ppt | bin | 0 -> 7680 bytes | |||
| -rw-r--r-- | sd/source/filter/ppt/propread.cxx | 11 |
2 files changed, 9 insertions, 2 deletions
diff --git a/sd/qa/unit/data/ppt/pass/crash-2.ppt b/sd/qa/unit/data/ppt/pass/crash-2.ppt Binary files differnew file mode 100644 index 000000000000..78a4da4660d8 --- /dev/null +++ b/sd/qa/unit/data/ppt/pass/crash-2.ppt diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx index 4f2e37ba07e3..be288c84d58f 100644 --- a/sd/source/filter/ppt/propread.cxx +++ b/sd/source/filter/ppt/propread.cxx @@ -93,7 +93,7 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign ) { case VT_LPSTR : { - if ( nItemSize ) + if (nItemSize) { auto nMaxSizePossible = remainingSize(); if (nItemSize > nMaxSizePossible) @@ -101,6 +101,10 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign ) SAL_WARN("sd.filter", "String of Len " << nItemSize << " claimed, only " << nMaxSizePossible << " possible"); nItemSize = nMaxSizePossible; } + } + + if (nItemSize) + { try { sal_Char* pString = new sal_Char[ nItemSize ]; @@ -144,7 +148,7 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign ) case VT_LPWSTR : { - if ( nItemSize ) + if (nItemSize) { auto nMaxSizePossible = remainingSize() / sizeof(sal_Unicode); if (nItemSize > nMaxSizePossible) @@ -152,7 +156,10 @@ bool PropItem::Read( OUString& rString, sal_uInt32 nStringType, bool bAlign ) SAL_WARN("sd.filter", "String of Len " << nItemSize << " claimed, only " << nMaxSizePossible << " possible"); nItemSize = nMaxSizePossible; } + } + if (nItemSize) + { try { sal_Unicode* pString = new sal_Unicode[ nItemSize ]; |