From f7ffc93bf6f2693454c7ac5fdaff06b1caa63a6e Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 16 Nov 2017 12:10:10 +0000
Subject: ofz: limit depth of hwp parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Iba38cdea1fa9f3df4340988184adb1e8058ae931
Reviewed-on: https://gerrit.libreoffice.org/44816
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 hwpfilter/source/hpara.cxx   |  3 +++
 hwpfilter/source/hwpfile.cxx |  1 +
 hwpfilter/source/hwpfile.h   | 21 +++++++++++++++++++++
 3 files changed, 25 insertions(+)

(limited to 'hwpfilter')

diff --git a/hwpfilter/source/hpara.cxx b/hwpfilter/source/hpara.cxx
index 7739b9cd0a85..79fd93145ad8 100644
--- a/hwpfilter/source/hpara.cxx
+++ b/hwpfilter/source/hpara.cxx
@@ -87,6 +87,9 @@ HWPPara::~HWPPara()
 
 bool HWPPara::Read(HWPFile & hwpf, unsigned char flag)
 {
+    DepthGuard aGuard(hwpf);
+    if (aGuard.toodeep())
+        return false;
     int ii;
     scflag = flag;
 // Paragraph Information
diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx
index 69653f162f6d..128be0caa7af 100644
--- a/hwpfilter/source/hwpfile.cxx
+++ b/hwpfilter/source/hwpfile.cxx
@@ -50,6 +50,7 @@ HWPFile::HWPFile()
     , info_block_len(0)
     , error_code(HWP_NoError)
     , oledata(nullptr)
+    , readdepth(0)
     , m_nCurrentPage(1)
     , m_nMaxSettedPage(0)
     , hiodev(nullptr)
diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h
index 83bf28860f9b..470fa2bdfd41 100644
--- a/hwpfilter/source/hwpfile.h
+++ b/hwpfilter/source/hwpfile.h
@@ -275,6 +275,7 @@ class DLLEXPORT HWPFile
         int   error_code;
         OlePicture *oledata;
         unsigned char scratch[SAL_MAX_UINT16];
+        int readdepth;
 
     private:
 /* hwp 파일 이름 */
@@ -310,6 +311,26 @@ class DLLEXPORT HWPFile
         friend HWPFile *SetCurrentDoc(HWPFile *);
 };
 
+class DLLEXPORT DepthGuard
+{
+private:
+    HWPFile& m_rFile;
+public:
+    DepthGuard(HWPFile &rFile)
+        : m_rFile(rFile)
+    {
+        ++m_rFile.readdepth;
+    }
+    bool toodeep() const
+    {
+        return m_rFile.readdepth == 1024;
+    }
+    ~DepthGuard()
+    {
+        --m_rFile.readdepth;
+    }
+};
+
 HWPFile *GetCurrentDoc(void);
 HWPFile *SetCurrentDoc(HWPFile *hwpfp);
 #endif // INCLUDED_HWPFILTER_SOURCE_HWPFILE_H
-- 
cgit