diff options
| -rw-r--r-- | filter/source/msfilter/msdffimp.cxx | 6 | ||||
| -rw-r--r-- | svx/inc/svx/msdffdef.hxx | 3 |
2 files changed, 6 insertions, 3 deletions
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index 8f25ac828f30..5871da971ef9 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -3422,6 +3422,8 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa rSt >> aHd; if (!rSt.good()) break; + if (aHd.nRecLen > nMaxLegalDffRecordLength) + break; if ( aHd.nRecType == nRecId ) { if ( nSkipCount ) @@ -6818,8 +6820,6 @@ bool SvxMSDffManager::ReadCommonRecordHeader(DffRecordHeader& rRec, rRec.nRecInstance, rRec.nRecType, rRec.nRecLen); } -sal_uInt32 nMaxLegalRecordLength = SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE; - /* also static */ bool SvxMSDffManager::ReadCommonRecordHeader(SvStream& rSt, sal_uInt8& rVer, sal_uInt16& rInst, sal_uInt16& rFbt, sal_uInt32& rLength) @@ -6830,7 +6830,7 @@ bool SvxMSDffManager::ReadCommonRecordHeader(SvStream& rSt, rInst = nTmp >> 4; if (!rSt.good()) return false; - if (rLength > nMaxLegalRecordLength) + if (rLength > nMaxLegalDffRecordLength) return false; return true; } diff --git a/svx/inc/svx/msdffdef.hxx b/svx/inc/svx/msdffdef.hxx index 42acdbb83233..016197f83dc4 100644 --- a/svx/inc/svx/msdffdef.hxx +++ b/svx/inc/svx/msdffdef.hxx @@ -37,6 +37,9 @@ #define DFF_COMMON_RECORD_HEADER_SIZE 8 +const sal_uInt32 nMaxLegalDffRecordLength = \ + SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE; + #define DFF_PSFLAG_CONTAINER 0x0F // If the version field of a record // header takes on this value, the // record header marks the start of |