[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#685331: unblock: (pre-approval) src:calligra/1:2.4.3-2



On 2012-08-24 14:49, Lisandro Damián Nicanor Pérez Meyer wrote:
> +--- a/filters/words/msword-odf/wv2/src/styles.cpp
> ++++ b/filters/words/msword-odf/wv2/src/styles.cpp
> +@@ -248,6 +248,11 @@ throw(InvalidFormatException)
> + #ifdef WV2_DEBUG_STYLESHEET
> +         wvlog << "cbUPX: " << cbUPX << endl;
> + #endif
> ++        // do not overflow the allocated buffer grupx
> ++        if (offset + cbUPX > grupxLen) {
                ^^^^^^^^^^^^^^^^^^^^^^^^^

In my experience it is either

  if (offset + i < limit) { /* safe */ }

or

  if (offset + i >= limit) { /* abort */ }

Is "offset + cbUPX == grupxLen" really a "safe" index?

> ++            wvlog << "====> Error: grupx would overflow!" << endl;
> ++            return false;
> ++        }
> +         for ( U16 j = 0; j < cbUPX; ++j ) {
                             ^^^^^^^^^

This suggests it might not be...

> +             grupx[ offset + j ] = stream->readU8();  // read the whole UPX
> + #ifdef WV2_DEBUG_STYLESHEET
> +-- 
> +1.7.10.4
> +

~Niels


Reply to: