Red Hat Bugzilla – Attachment 145665 Details for
Bug 222808
CVE-2007-0002 buffer overflows
[patch]
EMBARGOED proposed patch against 0.8.8
libwpd-stability.patch (text/plain), 14.71 KB, created by
Mark J. Cox
on 2007-01-16 09:56:04 UTC
(
hide
)
Description:
EMBARGOED proposed patch against 0.8.8
Filename:
MIME Type:
Creator:
Mark J. Cox
Created:
2007-01-16 09:56:04 UTC
Size:
14.71 KB
patch
obsolete
>--- src/lib/WP1Part.cpp 14 Nov 2006 14:52:45 -0000 1.5
>+++ src/lib/WP1Part.cpp 12 Jan 2007 23:23:16 -0000 1.6
>@@ -46,6 +46,13 @@
> }
> else if (WP1_FUNCTION_GROUP_SIZE[readVal-0xC0] == -1)
> {
>+ // Should not happen because the heuristics would not recognize this file as a well formed WP1 file,
>+ // Nonetheless if we ever change the parts using the heuristics, this will be a check useful to have
>+ if (!WP1VariableLengthGroup::isGroupConsistent(input, readVal))
>+ {
>+ WPD_DEBUG_MSG(("WordPerfect: Consistency Check (variable length) failed; ignoring this byte\n"));
>+ return 0;
>+ }
> WPD_DEBUG_MSG(("WordPerfect: constructVariableLengthGroup\n"));
> return WP1VariableLengthGroup::constructVariableLengthGroup(input, readVal);
> }
>--- src/lib/WP1SetTabsGroup.cpp 5 Jan 2007 10:32:04 -0000 1.6
>+++ src/lib/WP1SetTabsGroup.cpp 12 Jan 2007 23:23:45 -0000 1.8
>@@ -39,7 +39,7 @@
> void WP1SetTabsGroup::_readContents(WPXInputStream *input)
> {
> // Skip first the old condensed tab table
>- while (readU8(input) != 0xff)
>+ while (readU8(input) != 0xff && !input->atEOS())
> input->seek(2, WPX_SEEK_CUR);
> 
> // Now read the new condensed tab table
>@@ -47,8 +47,10 @@
> float tmpTabPosition = 0.0f;
> WPXTabStop tmpTabStop = WPXTabStop();
> 
>- while ((tmpTabType = read8(input)) & 0xff != 0xff)
>+ while (((tmpTabType = read8(input)) & 0xff) != 0xff)
> {
>+ if (input->atEOS())
>+ throw FileException();
> tmpTabPosition = (float)((double)readU16(input, true) / 72.0f);
> 
> if (tmpTabType < 0)
>--- src/lib/WP1SubDocument.cpp 23 Aug 2006 13:56:33 -0000 1.2
>+++ src/lib/WP1SubDocument.cpp 15 Jan 2007 10:34:36 -0000 1.3
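Review bot: The new EOS guard in the first `while` of `WP1SetTabsGroup::_readContents` is evaluated only after `readU8(input)` has already consumed a byte, so the loop still performs one read at end of stream before it exits; unless readU8 itself rejects reads at EOS (its definition is not in the hunk), the defensive order is `while (!input->atEOS() && readU8(input) != 0xff)`. The second loop has the same read-then-check shape around `read8`, where the added `if (input->atEOS()) throw FileException();` only protects the `readU16` that follows. `_readContents` continues past the end of the hunk.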
>@@ -26,7 +26,7 @@
> #include "WP1Parser.h"
> #include "libwpd_internal.h"
> 
>-WP1SubDocument::WP1SubDocument(WPXInputStream *input, const int dataSize) :
>+WP1SubDocument::WP1SubDocument(WPXInputStream *input, const unsigned dataSize) :
> WPXSubDocument(input, dataSize)
> {
> }
>--- src/lib/WP1SubDocument.h 23 Aug 2006 13:56:33 -0000 1.2
>+++ src/lib/WP1SubDocument.h 15 Jan 2007 10:34:36 -0000 1.3
>@@ -32,7 +32,7 @@
> class WP1SubDocument : public WPXSubDocument
> {
> public:
>- WP1SubDocument(WPXInputStream *input, const int dataSize);
>+ WP1SubDocument(WPXInputStream *input, const unsigned dataSize);
> void parse(WP1Listener *listener) const;
> 
> };
>--- src/lib/WP3PageFormatGroup.cpp 5 Jan 2007 10:32:04 -0000 1.14
>+++ src/lib/WP3PageFormatGroup.cpp 12 Jan 2007 23:23:57 -0000 1.16
>@@ -91,8 +91,10 @@
> 
> m_isRelative = (readU8(input) & 0x01);
> 
>- while ((tmpTabType = read8(input)) & 0xff != 0xff)
>+ while (((tmpTabType = read8(input)) & 0xff) != 0xff)
> {
>+ if (input->atEOS())
>+ throw FileException();
> tmpTabPosition = fixedPointToFloat(readU32(input, true)) / 72.0f;
> 
> if (tmpTabType < 0)
>--- src/lib/WP3SubDocument.cpp 30 May 2006 12:18:37 -0000 1.6
>+++ src/lib/WP3SubDocument.cpp 15 Jan 2007 10:34:36 -0000 1.7
>@@ -26,7 +26,7 @@
> #include "WP3Parser.h"
> #include "libwpd_internal.h"
> 
>-WP3SubDocument::WP3SubDocument(WPXInputStream *input, const int dataSize) :
>+WP3SubDocument::WP3SubDocument(WPXInputStream *input, const unsigned dataSize) :
> WPXSubDocument(input, dataSize)
> {
> }
>--- src/lib/WP3SubDocument.h 30 May 2006 12:18:37 -0000 1.5
>+++ src/lib/WP3SubDocument.h 15 Jan 2007 10:34:36 -0000 1.6
>@@ -32,7 +32,7 @@
> class WP3SubDocument : public WPXSubDocument
> {
> public:
>- WP3SubDocument(WPXInputStream *input, const int dataSize);
>+ WP3SubDocument(WPXInputStream *input, const unsigned dataSize);
> void parse(WP3Listener *listener) const;
> 
> };
>--- src/lib/WP3TablesGroup.cpp 5 Dec 2005 13:53:48 -0000 1.3
>+++ src/lib/WP3TablesGroup.cpp 12 Jan 2007 23:24:26 -0000 1.7
>@@ -51,9 +51,11 @@
> // this group can contain different kinds of data, thus we need to read
> // the contents accordingly
> uint8_t i;
>+ long startPosition = 0;
> switch (getSubGroup())
> {
> case WP3_TABLES_GROUP_TABLE_FUNCTION:
>+ startPosition = input->tell();
> input->seek(71, WPX_SEEK_CUR);
> m_tableMode = readU8(input);
> m_offsetFromLeftEdge = readU32(input, true);
>@@ -63,8 +65,12 @@
> m_rightGutterSpacing = readU32(input, true);
> input->seek(3, WPX_SEEK_CUR);
> m_numColumns = readU8(input);
>+ if ((m_numColumns > 32) || ((input->tell() - startPosition + m_numColumns*10) > (getSize() - 4)))
>+ throw FileException();
> for (i=0; i<m_numColumns; i++)
> {
>+ if (input->atEOS())
>+ throw FileException();
> m_columnMode[i] = readU8(input);
> m_numberFormat[i] = readU8(input);
> m_columnWidth[i] = readU32(input, true);
>@@ -120,7 +126,7 @@
> {
> case WP3_TABLES_GROUP_TABLE_FUNCTION:
> listener->defineTable(m_tableMode, fixedPointToWPUs(m_offsetFromLeftEdge));
>- for (i=0; i<m_numColumns; i++)
>+ for (i=0; i<m_numColumns && i <= 32; i++)
> listener->addTableColumnDefinition(fixedPointToWPUs(m_columnWidth[i]), fixedPointToWPUs(m_leftGutterSpacing),
> fixedPointToWPUs(m_rightGutterSpacing), 0, LEFT);
> listener->startTable();
>--- src/lib/WP42SubDocument.cpp 15 Jun 2006 13:18:51 -0000 1.3
>+++ src/lib/WP42SubDocument.cpp 15 Jan 2007 10:34:36 -0000 1.4
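Review bot: The guard `i <= 32` added to the parse loop of WP3TablesGroup admits index 32, which is one past the end if `m_columnMode`, `m_numberFormat` and `m_columnWidth` hold 32 entries (their declarations are outside the hunk); with `_readContents` now rejecting `m_numColumns > 32` the guard never fires for a consistently built object, and if it is kept as a belt-and-braces check it should read `i < 32`. The limit 32 is written as a bare literal three times here and again in WP5DefinitionGroup_DefineTablesSubGroup; a single named constant shared with the array declarations (e.g. `WP_MAX_TABLE_COLUMNS`, a constructed name) would keep the bound and the storage in step. In the size check `... > (getSize() - 4)`, if `getSize()` returns an unsigned type (not visible here) a value below 4 wraps to a large bound and the check is bypassed; comparing `input->tell() - startPosition + m_numColumns*10 + 4 > getSize()` avoids the subtraction.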
>@@ -26,12 +26,12 @@
> #include "WP42Parser.h"
> #include "libwpd_internal.h"
> 
>-WP42SubDocument::WP42SubDocument(uint8_t * streamData, const int dataSize) :
>+WP42SubDocument::WP42SubDocument(uint8_t * streamData, const unsigned dataSize) :
> WPXSubDocument(streamData, dataSize)
> {
> }
> 
>-WP42SubDocument::WP42SubDocument(WPXInputStream *input, const int dataSize) :
>+WP42SubDocument::WP42SubDocument(WPXInputStream *input, const unsigned dataSize) :
> WPXSubDocument(input, dataSize)
> {
> }
>--- src/lib/WP42SubDocument.h 12 Jul 2006 11:59:23 -0000 1.3
>+++ src/lib/WP42SubDocument.h 15 Jan 2007 10:34:36 -0000 1.4
>@@ -32,8 +32,8 @@
> class WP42SubDocument : public WPXSubDocument
> {
> public:
>- WP42SubDocument(uint8_t * streamData, const int dataSize);
>- WP42SubDocument(WPXInputStream *input, const int dataSize);
>+ WP42SubDocument(uint8_t * streamData, const unsigned dataSize);
>+ WP42SubDocument(WPXInputStream *input, const unsigned dataSize);
> void parse(WP42Listener *listener) const;
> 
> };
>--- src/lib/WP5DefinitionGroup.cpp 14 Nov 2006 14:52:45 -0000 1.5
>+++ src/lib/WP5DefinitionGroup.cpp 12 Jan 2007 23:24:41 -0000 1.7
>@@ -26,7 +26,7 @@
> #include "WP5Listener.h"
> #include "libwpd_internal.h"
> 
>-WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input) :
>+WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize) :
> WP5VariableLengthGroup_SubGroup(),
> m_position(0),
> m_numColumns(0),
>@@ -34,6 +34,7 @@
> m_leftGutter(0),
> m_rightGutter(0)
> {
>+ long startPosition = input->tell();
> // Skip useless old values to read the old column number
> input->seek(2, WPX_SEEK_CUR);
> m_numColumns = readU16(input);
>@@ -50,12 +51,26 @@
> input->seek(10, WPX_SEEK_CUR);
> m_leftOffset = readU16(input);
> int i;
>+ if ((m_numColumns > 32) || ((input->tell() - startPosition + m_numColumns*5) > (subGroupSize - 4)))
>+ throw FileException();
> for (i=0; i < m_numColumns; i++)
>+ {
>+ if (input->atEOS())
>+ throw FileException();
> m_columnWidth[i] = readU16(input);
>+ }
> for (i=0; i < m_numColumns; i++)
>+ {
>+ if (input->atEOS())
>+ throw FileException();
> m_attributeBits[i] = readU16(input);
>+ }
> for (i=0; i < m_numColumns; i++)
>+ {
>+ if (input->atEOS())
>+ throw FileException();
> m_columnAlignment[i] = readU8(input);
>+ }
> }
> 
> void WP5DefinitionGroup_DefineTablesSubGroup::parse(WP5Listener *listener)
>@@ -88,7 +103,7 @@
> switch(getSubGroup())
> {
> case WP5_TOP_DEFINITION_GROUP_DEFINE_TABLES:
>- m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input);
>+ m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input, getSize());
> break;
> default:
> break;
>--- src/lib/WP5DefinitionGroup.h 12 Jul 2006 11:59:23 -0000 1.4
>+++ src/lib/WP5DefinitionGroup.h 11 Jan 2007 16:57:59 -0000 1.5
>@@ -31,7 +31,7 @@
> class WP5DefinitionGroup_DefineTablesSubGroup : public WP5VariableLengthGroup_SubGroup
> {
> public:
>- WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input);
>+ WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize);
> void parse(WP5Listener *listener);
> 
> private:
>@@ -58,7 +58,6 @@
> 
> private:
> WP5VariableLengthGroup_SubGroup * m_subGroupData;
>-
> };
> 
> #endif /* WP5DEFINITIONGROUP_H */
>--- src/lib/WP5SubDocument.cpp 30 May 2006 12:18:37 -0000 1.3
>+++ src/lib/WP5SubDocument.cpp 15 Jan 2007 10:34:36 -0000 1.4
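Review bot: `getSize()` is passed straight into the new `uint16_t subGroupSize` parameter of WP5DefinitionGroup_DefineTablesSubGroup; if `getSize()` returns a wider type (its declaration is not in the hunk) the value is silently narrowed before the bound `subGroupSize - 4` is computed, so a size above 65535 would produce a smaller bound than the real group length and the check `(input->tell() - startPosition + m_numColumns*5) > (subGroupSize - 4)` would then reject valid input rather than fail open, which is the safe direction but worth a comment, e.g. `// subGroupSize is the variable-length group size, narrowed to 16 bits`. The `> 32` limit mirrors the one in WP3TablesGroup and should share its constant with the `m_columnWidth`/`m_attributeBits`/`m_columnAlignment` declarations so the bound cannot drift from the storage. The three column loops now repeat the same `if (input->atEOS()) throw FileException();` prologue; one helper loop body would make the invariant obvious.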
>@@ -26,7 +26,7 @@
> #include "WP5Parser.h"
> #include "libwpd_internal.h"
> 
>-WP5SubDocument::WP5SubDocument(WPXInputStream *input, const int dataSize) :
>+WP5SubDocument::WP5SubDocument(WPXInputStream *input, const unsigned dataSize) :
> WPXSubDocument(input, dataSize)
> {
> }
>--- src/lib/WP5SubDocument.h 12 Jul 2006 11:59:23 -0000 1.3
>+++ src/lib/WP5SubDocument.h 15 Jan 2007 10:34:36 -0000 1.4
>@@ -32,7 +32,7 @@
> class WP5SubDocument : public WPXSubDocument
> {
> public:
>- WP5SubDocument(WPXInputStream *input, const int dataSize);
>+ WP5SubDocument(WPXInputStream *input, const unsigned dataSize);
> void parse(WP5Listener *listener) const;
> 
> };
>--- src/lib/WP6ExtendedDocumentSummaryPacket.cpp 5 Jan 2007 10:32:04 -0000 1.30
>+++ src/lib/WP6ExtendedDocumentSummaryPacket.cpp 15 Jan 2007 10:34:36 -0000 1.31
>@@ -24,6 +24,7 @@
> * Corel Corporation or Corel Corporation Limited."
> */
> #include <string.h>
>+#include <limits>
> 
> #include "WP6ExtendedDocumentSummaryPacket.h"
> #include "libwpd_internal.h"
>@@ -47,6 +48,8 @@
> {
> if (m_dataSize <= 0)
> return;
>+ if (m_dataSize > (std::numeric_limits<uint32_t>::max() / 2))
>+ m_dataSize = (std::numeric_limits<uint32_t>::max() / 2);
> uint8_t *streamData = new uint8_t[m_dataSize];
> for(unsigned i=0; i<(unsigned)m_dataSize; i++)
> streamData[i] = readU8(input);
>--- src/lib/WP6FontDescriptorPacket.cpp 4 Jan 2007 11:53:50 -0000 1.28
>+++ src/lib/WP6FontDescriptorPacket.cpp 15 Jan 2007 10:34:36 -0000 1.29
>@@ -23,7 +23,7 @@
> * Corel Corporation or Corel Corporation Limited."
> */
> #include <string.h>
>-
>+#include <limits>
> #include "WP6FontDescriptorPacket.h"
> #include "libwpd_internal.h"
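Review bot: Clamping `m_dataSize` to `std::numeric_limits<uint32_t>::max() / 2` in WP6ExtendedDocumentSummaryPacket still lets a crafted 32-bit size drive `new uint8_t[m_dataSize]` to a roughly 2 GiB allocation followed by a `readU8` loop of that length with no EOS check, so the over-read is bounded but a memory- and time-exhaustion on malformed input is not. Rejecting the packet with `throw FileException()` when the size exceeds what the stream can still supply, or adding `if (input->atEOS()) throw FileException();` inside the loop as WPXSubDocument now does, would be the tighter fix, and it avoids silently parsing a truncated packet as if it were well formed. The same clamp-instead-of-reject pattern is applied to `m_fontNameLength` in WP6FontDescriptorPacket in the next file. The enclosing function continues past the hunk.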
> 
>@@ -69,9 +69,9 @@
> 
> m_fontNameLength = readU16(input);
> 
>- // TODO: re-do sanity checking
>- //if(m_fontNameLength < WP_FONT_NAME_MAX_LENGTH)
>- //{
>+ 
>+ if (m_fontNameLength > (std::numeric_limits<uint16_t>::max() / 2))
>+ m_fontNameLength = (std::numeric_limits<uint16_t>::max() / 2);
> if (m_fontNameLength == 0)
> {
> m_fontName = new char[1];
>--- src/lib/WP6GeneralTextPacket.cpp 14 Nov 2006 14:52:45 -0000 1.30
>+++ src/lib/WP6GeneralTextPacket.cpp 12 Jan 2007 23:24:53 -0000 1.33
>@@ -43,6 +43,7 @@
> 
> void WP6GeneralTextPacket::_readContents(WPXInputStream *input)
> {
>+ long startPosition = input->tell();
> uint16_t numTextBlocks = readU16(input);
> input->seek(4, WPX_SEEK_CUR);
> 
>@@ -53,13 +54,18 @@
> }
> 
> uint32_t *blockSizes = new uint32_t[numTextBlocks];
>- int totalSize = 0;
>+ unsigned int totalSize = 0;
> unsigned int i;
> 
> for(i=0; i<numTextBlocks; i++)
> {
>+ if ((input->tell() - startPosition + 4) > getDataSize() || input->atEOS())
>+ throw FileException();
> blockSizes[i] = readU32(input);
>- totalSize += blockSizes[i];
>+ unsigned int newTotalSize = totalSize + blockSizes[i];
>+ if (newTotalSize < totalSize)
>+ throw FileException();
>+ totalSize = newTotalSize;
> }
> 
> if (totalSize <= 0)
>@@ -73,6 +79,8 @@
> int streamPos = 0;
> for(i=0; i<numTextBlocks; i++)
> {
>+ if ((input->tell() - startPosition + blockSizes[i]) > getDataSize() || input->atEOS())
>+ throw FileException();
> for (unsigned int j=0; j<blockSizes[i]; j++)
> {
> streamData[streamPos] = readU8(input);
>--- src/lib/WP6PrefixDataPacket.cpp 14 Nov 2006 14:52:45 -0000 1.16
>+++ src/lib/WP6PrefixDataPacket.cpp 11 Jan 2007 16:58:13 -0000 1.17
>@@ -35,7 +35,8 @@
> #include "libwpd.h"
> #include "libwpd_internal.h"
> 
>-WP6PrefixDataPacket::WP6PrefixDataPacket(WPXInputStream * /* input */)
>+WP6PrefixDataPacket::WP6PrefixDataPacket(WPXInputStream * /* input */) :
>+ m_dataSize(0)
> {
> }
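Review bot: Every new `throw FileException()` in `WP6GeneralTextPacket::_readContents` leaks the `blockSizes` array allocated with `new uint32_t[numTextBlocks]` a few lines above, and the throw in the second hunk additionally leaks `streamData` (allocated outside the hunk), because neither buffer has an owner when the exception unwinds; on a parser fed untrusted documents that turns each rejected file into a retained allocation. The smallest fix is `std::vector<uint32_t> blockSizes(numTextBlocks);` (and the same for `streamData`), otherwise `delete[] blockSizes;` is needed before each throw. Two smaller points: `if (totalSize <= 0)` reads oddly now that `totalSize` is `unsigned int` and `== 0` states the intent, and `input->tell() - startPosition + blockSizes[i]` mixes `long` with `uint32_t`, which on an ILP32 target is computed as `unsigned long` and can wrap past `getDataSize()`; widening `blockSizes[i]` to `long long` first removes the dependence on the target's `long` width.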
> 
>@@ -74,7 +75,9 @@
> 
> void WP6PrefixDataPacket::_read(WPXInputStream *input, uint32_t dataOffset, uint32_t dataSize)
> {
>- if (!dataSize)
>+ m_dataSize = dataSize;
>+ 
>+ if (!m_dataSize)
> return;
> 
> input->seek(dataOffset, WPX_SEEK_SET);
>--- src/lib/WP6PrefixDataPacket.h 14 Nov 2006 14:52:45 -0000 1.22
>+++ src/lib/WP6PrefixDataPacket.h 11 Jan 2007 16:58:15 -0000 1.23
>@@ -39,12 +39,16 @@
> virtual ~WP6PrefixDataPacket() {}
> virtual void parse(WP6Listener * /* listener */) const {}
> virtual WP6SubDocument * getSubDocument() const { return 0; }
>+ const uint32_t getDataSize() const { return m_dataSize; }
> 
> static WP6PrefixDataPacket * constructPrefixDataPacket(WPXInputStream * input, WP6PrefixIndice *prefixIndice);
> 
> protected:
> virtual void _readContents(WPXInputStream *input) = 0;
> void _read(WPXInputStream *input, uint32_t dataOffset, uint32_t dataSize);
>+ 
>+private:
>+ uint32_t m_dataSize;
> };
> 
> #endif /* WP6PREFIXDATAPACKET_H */
>--- src/lib/WP6SubDocument.cpp 30 May 2006 12:18:37 -0000 1.6
>+++ src/lib/WP6SubDocument.cpp 15 Jan 2007 10:34:37 -0000 1.7
>@@ -26,7 +26,7 @@
> #include "WP6Parser.h"
> #include "libwpd_internal.h"
> 
>-WP6SubDocument::WP6SubDocument(uint8_t * streamData, const int dataSize) :
>+WP6SubDocument::WP6SubDocument(uint8_t * streamData, const unsigned dataSize) :
> WPXSubDocument(streamData, dataSize)
> {
> }
>--- src/lib/WP6SubDocument.h 30 May 2006 12:18:37 -0000 1.4
>+++ src/lib/WP6SubDocument.h 15 Jan 2007 10:34:37 -0000 1.5
>@@ -32,7 +32,7 @@
> class WP6SubDocument : public WPXSubDocument
> {
> public:
>- WP6SubDocument(uint8_t * streamData, const int dataSize);
>+ WP6SubDocument(uint8_t * streamData, const unsigned dataSize);
> void parse(WP6Listener *listener) const;
> };
> #endif /* WP6SUBDOCUMENT_H */
>--- src/lib/WPXSubDocument.cpp 14 Nov 2006 14:52:46 -0000 1.6
>+++ src/lib/WPXSubDocument.cpp 15 Jan 2007 10:34:37 -0000 1.8
>@@ -32,18 +32,20 @@
> {
> }
> 
>-WPXSubDocument::WPXSubDocument(WPXInputStream *input, const int dataSize) :
>+WPXSubDocument::WPXSubDocument(WPXInputStream *input, const unsigned dataSize) :
> m_stream(0)
> {
> uint8_t *streamData = new uint8_t[dataSize];
> for (int i=0; i<dataSize; i++)
> {
>+ if (input->atEOS())
>+ throw FileException();
> streamData[i] = readU8(input);
> }
> m_stream = new WPXMemoryInputStream(streamData, dataSize);
> }
> 
>-WPXSubDocument::WPXSubDocument(uint8_t * streamData, const int dataSize) :
>+WPXSubDocument::WPXSubDocument(uint8_t * streamData, const unsigned dataSize) :
> m_stream(0)
> {
> m_stream = new WPXMemoryInputStream(streamData, dataSize);
>--- src/lib/WPXSubDocument.h 13 Nov 2006 15:19:20 -0000 1.8
>+++ src/lib/WPXSubDocument.h 15 Jan 2007 10:34:37 -0000 1.9
>@@ -33,8 +33,8 @@
> {
> public:
> WPXSubDocument();
>- WPXSubDocument(WPXInputStream *input, const int dataSize);
>- WPXSubDocument(uint8_t * streamData, const int dataSize);
>+ WPXSubDocument(WPXInputStream *input, const unsigned dataSize);
>+ WPXSubDocument(uint8_t * streamData, const unsigned dataSize);
> virtual ~WPXSubDocument();
> WPXMemoryInputStream *getStream() const { return m_stream;}
> 
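Review bot: The loop index in WPXSubDocument's stream constructor is still `int i` while `dataSize` is now `unsigned`, so the comparison `i<dataSize` converts `i` to unsigned and the signed/unsigned mismatch the signature change set out to remove survives in the body; `for (unsigned i=0; i<dataSize; i++)` matches the new parameter. The `new uint8_t[dataSize]` allocation is still issued before any EOS check, so a crafted size far beyond the remaining input pays the full allocation before the first `throw FileException()`, and when that throw fires `streamData` leaks because no owner exists yet; holding the buffer in a `std::vector<uint8_t>` (or checking the size against the stream's remaining length before allocating) addresses both. The constructor taking an existing `streamData` buffer is unchanged apart from its type and has no such issue.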