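--- a/koffice-1.4.1/filters/olefilters/lib/klaola.cc
+++ b/koffice-1.4.1/filters/olefilters/lib/klaola.cc
@@ -197,11 +197,21 @@ bool KLaola::parseHeader() {
     num_of_bbd_blocks=read32(0x2c);
     root_startblock=read32(0x30);
     sbd_startblock=read32(0x3c);
+
+    if (num_of_bbd_blocks >= 0x800000) {
+        kdError(s_area) << "KLaola::parseHeader(): Too many bbd blocks found in header!" << endl;
+        return false;
+    }
     bbd_list=new unsigned int[num_of_bbd_blocks];
 
     unsigned int i, j;
-    for(i=0, j=0; i<num_of_bbd_blocks; ++i, j=j+4)
+    for(i=0, j=0; i<num_of_bbd_blocks; ++i, j=j+4) {
         bbd_list[i]=read32(0x4c+j);
+        if (bbd_list[i] >= (0x800000 - 1)) {
+            kdError(s_area) << "KLaola::parseHeader(): bbd " << i << " offset (" << bbd_list[i] << ") too large" << endl;
+            return false;
+        }
+    }
     return true;
 }
 
@@ -283,7 +293,8 @@ const unsigned char *KLaola::readBBStrea
     unsigned char *p=0;
 
     tmp=start;
-    while(tmp!=-2 && tmp>=0 && tmp<=static_cast<int>(maxblock)) {
+    /* 0x10000 chosen as arbitrary "too many blocks" limit to not loop forver */
+    while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast<int>(maxblock)) {
         ++i;
         tmp=nextBigBlock(tmp);
     }
@@ -293,7 +304,7 @@ const unsigned char *KLaola::readBBStrea
             maxSblock=i*8-1;
         i=0;
         tmp=start;
-        while(tmp!=-2 && tmp>=0 && tmp<=static_cast<int>(maxblock)) {
+        while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast<int>(maxblock)) {
             memcpy(&p[i*0x200], &m_file.data[(tmp+1)*0x200], 0x200);
             tmp=nextBigBlock(tmp);
             ++i;
@@ -308,7 +319,8 @@ const unsigned char *KLaola::readSBStrea
     unsigned char *p=0;
 
     tmp=start;
-    while(tmp!=-2 && tmp>=0 && tmp<=static_cast<int>(maxSblock)) {
+    /* 0x10000 chosen as arbitrary "too many blocks" limit to not loop forver */
+    while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast<int>(maxSblock)) {
         ++i;
         tmp=nextSmallBlock(tmp);
     }
@@ -316,7 +328,7 @@ const unsigned char *KLaola::readSBStrea
         p=new unsigned char[i*0x40];
         i=0;
         tmp=start;
-        while(tmp!=-2 && tmp>=0 && tmp<=static_cast<int>(maxSblock)) {
+        while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast<int>(maxSblock)) {
             memcpy(&p[i*0x40], &smallBlockFile[tmp*0x40], 0x40);
             tmp=nextSmallBlock(tmp);
             ++i;
@@ -326,10 +338,20 @@ const unsigned char *KLaola::readSBStrea
 }
 
 void KLaola::readBigBlockDepot() {
+    if (num_of_bbd_blocks >= 0x800000)
+        return;
 
     bigBlockDepot=new unsigned char[0x200*num_of_bbd_blocks];
-    for(unsigned int i=0; i<num_of_bbd_blocks; ++i)
+    for(unsigned int i=0; i<num_of_bbd_blocks; ++i) {
-        memcpy(&bigBlockDepot[i*0x200], &m_file.data[(bbd_list[i]+1)*0x200], 0x200);
+        unsigned int offset = (bbd_list[i]+1)*0x200;
+        if (offset > m_file.length - 0x200) {
+            /* attempting to read past end of file */
+            memset(&bigBlockDepot[i*0x200], 0, 0x200);
+        }
+        else {
+            memcpy(&bigBlockDepot[i*0x200], &m_file.data[offset], 0x200);
+        }
+    }
 }
 
 void KLaola::readSmallBlockDepot() {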