author | Eike Rathke <erack@redhat.com> | 2017-11-10 10:52:19 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2017-11-27 12:55:07 +0100 |
commit | 662f502d13f5108dc471ba8e26cd92ecbe036897 (patch) | |
tree | 5f8064f81243a0c224a44c14dba354efd3b6b17b /sc/source/filter/inc | |
parent | ofz+valgrind: Conditional jump or move depends on uninitialised value (diff) | |
ofz#4123 do not read past end of file
Change-Id: I1fa3543d541ea084a43a1a11f62680fa798f5647
(cherry picked from commit 78bcc5ddca186f0009124a697184f332405d3e1e)
Reviewed-on: https://gerrit.libreoffice.org/44586
Tested-by: Eike Rathke <erack@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 6ba9b72cff5a761f36b2b9b892b572bc7cb5ae18)
Diffstat (limited to 'sc/source/filter/inc')
-rw-r--r-- | sc/source/filter/inc/formel.hxx | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/sc/source/filter/inc/formel.hxx b/sc/source/filter/inc/formel.hxx
index 494cd0a164ca..6c93c5a79430 100644
--- a/sc/source/filter/inc/formel.hxx
+++ b/sc/source/filter/inc/formel.hxx
@@ -144,31 +144,51 @@ inline void LotusConverterBase::Ignore( const long nSeekRel )
 inline void LotusConverterBase::Read( sal_uInt8& nByte )
 {
 aIn.ReadUChar( nByte );
- nBytesLeft--;
+ if (aIn.good())
+ nBytesLeft--;
+ else
+ {
+ // SvStream::ReadUChar() does not init a single char on failure. This
+ // behaviour is even tested in a unit test.
+ nByte = 0;
+ nBytesLeft = -1; // bail out early
+ }
 }
 inline void LotusConverterBase::Read( sal_uInt16& nUINT16 )
 {
 aIn.ReadUInt16( nUINT16 );
- nBytesLeft -= 2;
+ if (aIn.good())
+ nBytesLeft -= 2;
+ else
+ nBytesLeft = -1; // bail out early
 }
 inline void LotusConverterBase::Read( sal_Int16& nINT16 )
 {
 aIn.ReadInt16( nINT16 );
- nBytesLeft -= 2;
+ if (aIn.good())
+ nBytesLeft -= 2;
+ else
+ nBytesLeft = -1; // bail out early
 }
 inline void LotusConverterBase::Read( double& fDouble )
 {
 aIn.ReadDouble( fDouble );
- nBytesLeft -= 8;
+ if (aIn.good())
+ nBytesLeft -= 8;
+ else
+ nBytesLeft = -1; // bail out early
 }
 inline void LotusConverterBase::Read( sal_uInt32& nUINT32 )
 {
 aIn.ReadUInt32( nUINT32 );
- nBytesLeft -= 4;
+ if (aIn.good())
+ nBytesLeft -= 4;
+ else
+ nBytesLeft = -1; // bail out early
 }
 #endif |
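Review bot: In the failure branch of the four wider Read() overloads (sal_uInt16, sal_Int16, double, sal_uInt32) the out-parameter is left exactly as the caller passed it, while only the sal_uInt8 overload zeroes it. The added comment establishes the no-init behaviour for ReadUChar() only; if the other SvStream readers likewise leave their argument unwritten on a short read, a caller that declared the variable without an initializer and uses it before testing nBytesLeft would consume an indeterminate value from a truncated file. Either give each else branch the same treatment, e.g. `else { nUINT16 = 0; nBytesLeft = -1; }`, or, if the stream guarantees a defined value, say so with a comment such as `// ReadUInt16() leaves nUINT16 defined on failure`. It would also help to document at the nBytesLeft declaration that -1 is the read-failure sentinel, because a successful one-byte Read() with nBytesLeft already at 0 produces the same value and callers cannot tell the two apart.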