From koffice-devel Sat Aug 24 10:03:28 2002
From: Ariya Hidayat
Date: Sat, 24 Aug 2002 10:03:28 +0000
To: koffice-devel
Subject: patch to fix bug #46352
X-MARC-Message: https://marc.info/?l=koffice-devel&m=103018674509531
MIME-Version: 1
Content-Type: multipart/mixed; boundary="--------------Boundary-00=_SLEC9ZWB902LLWXKO155"

--------------Boundary-00=_SLEC9ZWB902LLWXKO155
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

The following is a patch to fix bug #46352 (kword crashes on opening a *.doc file).

The problem: the drawingId for the PICF is 32314372, while the size of the data stream is only 348705. AbiWord also crashed with the document, and I got an error in wvWare, i.e. "wvError: (picf.c:154) X is f4b0". I'm not familiar with wvWare but will nevertheless take a look.

The workaround: a sentinel check to see whether drawingId is in the proper range.

To Werner or Shaheed: is it OK if I add such sentinel checks everywhere? After investigating many bug reports regarding MS Word import, most of the problems are invalid ranges, which thus trigger nasty memory references, like this one. (Do MS Word files always have these inconsistencies anyway?)

-------------------------------------------------------
--
Ariya Hidayat :: KDE/KOffice developer :: www.advogato.org/person/ariya
"One OS to rule them all, One OS to find them,
One OS to bring them all and in the darkness bind them."

--------------Boundary-00=_SLEC9ZWB902LLWXKO155
Content-Type: text/x-diff; charset="us-ascii"; name="picf.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="picf.patch"

Index: msword.cc
===================================================================
RCS file: /home/kde/koffice/filters/olefilters/winword97/msword.cc,v
retrieving revision 1.81
diff -u -3 -p -r1.81 msword.cc
--- msword.cc 2002/07/05 09:01:26 1.81
+++ msword.cc 2002/08/23 23:33:15
@@ -847,6 +847,9 @@ bool MsWord::getPicture( unsigned bytes; QString tiffFilename; + // sentinel check + if( fc > m_dataStreamLength ) return false; + // Get the PICF. pictureType = ""; @@ -957,6 +960,7 @@ MsWord::MsWord( m_tableStream = table1Stream.data; } m_dataStream = dataStream.data; + m_dataStreamLength = dataStream.length; if (!m_tableStream) { // Older versions of Word had no separate table stream. @@ -970,6 +974,7 @@ MsWord::MsWord( kdDebug(s_area) << "MsWord::MsWord: no data stream" << endl; m_dataStream = m_mainStream; + m_dataStreamLength = mainStream.length; } // We must call readStyles() first, as we use the STSHI size to detect Index: msword.h =================================================================== RCS file: /home/kde/koffice/filters/olefilters/winword97/msword.h,v retrieving revision 1.42 diff -u -3 -p -r1.42 msword.h --- msword.h 2002/05/13 17:52:20 1.42 +++ msword.h 2002/08/23 23:33:16 @@ -390,6 +390,7 @@ private: const U8 *m_mainStream; const U8 *m_tableStream; const U8 *m_dataStream; + U32 m_dataStreamLength; FIB m_fib; myFile mainStream; --------------Boundary-00=_SLEC9ZWB902LLWXKO155-- _______________________________________________ koffice-devel mailing list koffice-devel@mail.kde.org http://mail.kde.org/mailman/listinfo/koffice-devel
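Review bot: the new check in MsWord::getPicture (hunk @@ -847) uses `fc > m_dataStreamLength`, which still lets `fc == m_dataStreamLength` through (one byte past the end) and says nothing about whether the PICF read immediately afterwards, or the picture bytes whose length the PICF itself declares, fit in the `m_dataStreamLength - fc` bytes that remain; a file whose drawingId is in range but whose PICF length field is oversized will read past the buffer in exactly the way this patch is meant to stop. Suggest `if (fc >= m_dataStreamLength) return false;` here and, once the PICF's length is known, a second test of the form `if (picfLength > m_dataStreamLength - fc) return false;` (subtracting from the length rather than adding to `fc` avoids wrapping a 32-bit offset). The comment "sentinel check" is also a misnomer: this is a bounds check, not a sentinel value, and naming it that way will make later readers look for one.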
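Review bot: in the constructor hunk @@ -957, `m_dataStreamLength = dataStream.length;` keeps pointer and length in step, but it is worth confirming that `dataStream.length` is the number of bytes actually present in `dataStream.data` and not a size copied from the OLE directory entry; a truncated file would otherwise pass the new check in getPicture and still run off the end of the buffer. If `myFile` already guarantees that, a one-line comment here saying so saves the next reader the same question.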
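Review bot: in the fallback hunk @@ -970, `m_dataStreamLength = mainStream.length;` takes the length from the `mainStream` member (msword.h shows `myFile mainStream;`), whereas the branch above used the local `dataStream`; please confirm that `m_mainStream`, which `m_dataStream` is aliased to on the preceding line, was assigned from that same `mainStream` object, otherwise the pointer and the length describe different buffers and the check in getPicture is meaningless for the older files that take this path.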
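Review bot: `U32 m_dataStreamLength;` in msword.h is added without an initializer, and the constructor hunks only set it partway through `MsWord::MsWord`; if any earlier failure path leaves the object constructed, getPicture will compare `fc` against an indeterminate value. Initialise it in the constructor's initializer list (`m_dataStreamLength(0)`) or give it a short comment stating that it is always paired with `m_dataStream`; the same treatment is needed for `m_mainStream` and `m_tableStream`, which remain unbounded pointers with the problem the mail asks about.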
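The range check discussed in the mail, carried through as an added C++ example that is not part of the patch or of KOffice: it validates a PICF at offset fc against a data stream of known length, rejecting an offset at or past the end, a header that does not fit, and a declared length that overruns the stream, which is more than the single offset comparison in the patch covers. The PicfHeader layout (lcb followed by cbHeader) is an assumption taken from the Word 97 binary format; checkPicf, makeStream, checkConstructed and checkBugReportNumbers are names invented here, and every stream is constructed in-line.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption (Word 97 binary format): a PICF begins with lcb, a U32 giving the
// size of the PICF plus the picture bytes that follow it, then cbHeader, a U16
// giving the size of the PICF header alone. Nothing else is needed here.
struct PicfHeader {
    uint32_t lcb;
    uint16_t cbHeader;
};

enum class PicfStatus {
    Ok,
    OffsetOutOfRange,    // fc is at or past the end of the stream
    HeaderTruncated,     // fewer than six bytes remain: lcb/cbHeader unreadable
    HeaderInconsistent,  // cbHeader smaller than the fixed fields, or larger than lcb
    LengthOutOfRange     // lcb claims more bytes than remain after fc
};

static uint16_t readU16(const uint8_t* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}

static uint32_t readU32(const uint8_t* p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

// Validate that the PICF at offset fc lies entirely inside [stream, stream + len).
// Comparisons subtract from len instead of adding to fc, so fc + lcb can never
// wrap around, and fc == len is rejected, unlike a plain "fc > len" test.
PicfStatus checkPicf(const uint8_t* stream, size_t len, uint32_t fc, PicfHeader* out) {
    const size_t kFixedFields = sizeof(uint32_t) + sizeof(uint16_t);  // lcb + cbHeader
    if (fc >= len) return PicfStatus::OffsetOutOfRange;
    const size_t remaining = len - fc;
    if (remaining < kFixedFields) return PicfStatus::HeaderTruncated;
    PicfHeader h;
    h.lcb = readU32(stream + fc);
    h.cbHeader = readU16(stream + fc + 4);
    if (h.cbHeader < kFixedFields || h.cbHeader > h.lcb) return PicfStatus::HeaderInconsistent;
    if (h.lcb > remaining) return PicfStatus::LengthOutOfRange;
    if (out) *out = h;
    return PicfStatus::Ok;
}

// Constructed stream (not from any real document): len zero bytes with a PICF's
// lcb and cbHeader written little-endian at fc, when those six bytes fit.
std::vector<uint8_t> makeStream(size_t len, uint32_t fc, uint32_t lcb, uint16_t cbHeader) {
    std::vector<uint8_t> s(len, 0);
    if (static_cast<size_t>(fc) + 6 <= len) {
        for (int i = 0; i < 4; ++i) s[fc + i] = static_cast<uint8_t>(lcb >> (8 * i));
        for (int i = 0; i < 2; ++i) s[fc + 4 + i] = static_cast<uint8_t>(cbHeader >> (8 * i));
    }
    return s;
}

// Build a stream with makeStream and run checkPicf on it.
PicfStatus checkConstructed(size_t len, uint32_t fc, uint32_t lcb, uint16_t cbHeader) {
    std::vector<uint8_t> s = makeStream(len, fc, lcb, cbHeader);
    return checkPicf(s.data(), s.size(), fc, nullptr);
}

// The figures from bug #46352: drawingId 32314372 into a 348705-byte data stream.
PicfStatus checkBugReportNumbers() {
    std::vector<uint8_t> s(348705, 0);
    return checkPicf(s.data(), s.size(), 32314372u, nullptr);
}

static const char* name(PicfStatus st) {
    switch (st) {
        case PicfStatus::Ok: return "Ok";
        case PicfStatus::OffsetOutOfRange: return "OffsetOutOfRange";
        case PicfStatus::HeaderTruncated: return "HeaderTruncated";
        case PicfStatus::HeaderInconsistent: return "HeaderInconsistent";
        case PicfStatus::LengthOutOfRange: return "LengthOutOfRange";
    }
    return "?";
}

int main() {
    std::printf("bug #46352 numbers: %s\n", name(checkBugReportNumbers()));
    std::printf("fc == len:          %s\n", name(checkConstructed(200, 200, 100, 68)));
    std::printf("lcb past the end:   %s\n", name(checkConstructed(200, 8, 300, 68)));
    std::printf("well-formed PICF:   %s\n", name(checkConstructed(200, 8, 100, 68)));
    return 0;
}
```

The second and third cases are the ones a bare `fc > length` comparison misses: an offset exactly equal to the stream length, and an in-range offset whose PICF claims more bytes than the stream holds.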