--- WP5DefinitionGroup.cpp 2006/11/14 14:52:45 1.5
+++ WP5DefinitionGroup.cpp 2007/01/12 23:24:41
@@ -26,7 +26,7 @@
 #include "WP5Listener.h"
 #include "libwpd_internal.h"
-WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input) :
+WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize) :
 WP5VariableLengthGroup_SubGroup(),
 m_position(0),
 m_numColumns(0),
@@ -34,6 +34,7 @@
 m_leftGutter(0),
 m_rightGutter(0)
 {
+ long startPosition = input->tell();
 // Skip useless old values to read the old column number
 input->seek(2, WPX_SEEK_CUR);
 m_numColumns = readU16(input);
@@ -50,12 +51,26 @@
 input->seek(10, WPX_SEEK_CUR);
 m_leftOffset = readU16(input);
 int i;
+ if ((m_numColumns > 32) || ((input->tell() - startPosition + m_numColumns*5) > (subGroupSize - 4)))
+ throw FileException();
 for (i=0; i < m_numColumns; i++)
+ {
+ if (input->atEOS())
+ throw FileException();
 m_columnWidth[i] = readU16(input);
+ }
 for (i=0; i < m_numColumns; i++)
+ {
+ if (input->atEOS())
+ throw FileException();
 m_attributeBits[i] = readU16(input);
+ }
 for (i=0; i < m_numColumns; i++)
+ {
+ if (input->atEOS())
+ throw FileException();
 m_columnAlignment[i] = readU8(input);
+ }
 }
 void WP5DefinitionGroup_DefineTablesSubGroup::parse(WP5Listener *listener)
@@ -88,7 +103,7 @@
 switch(getSubGroup())
 {
 case WP5_TOP_DEFINITION_GROUP_DEFINE_TABLES:
- m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input);
+ m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input, getSize());
 break;
 default:
 break;
--- WP5DefinitionGroup.h 2006/07/12 11:59:23 1.4
+++ WP5DefinitionGroup.h 2007/01/11 16:57:59
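Review bot: In the `@@ -50,12 +51,26 @@` hunk of WP5DefinitionGroup.cpp, the new guard `m_numColumns > 32` hard-codes what is presumably the declared length of `m_columnWidth`, `m_attributeBits` and `m_columnAlignment`; those declarations are in the header and not part of this diff, so nothing visible keeps the limit and the array sizes in step. I would replace the literal with a named constant that the array declarations also use, and put a comment above the check such as `// 5 bytes per column: U16 width + U16 attribute bits + U8 alignment; must fit the fixed arrays and the declared sub-group size`. The `- 4` in `subGroupSize - 4` needs the same explanation, since the hunk does not show which four bytes it accounts for. The per-iteration `atEOS()` checks only establish that at least one byte remains before a two-byte `readU16`, so whether a truncated read is handled safely depends on `readU16`, which is not shown. The constructor body starts above this hunk.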
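Review bot: In the `@@ -88,7 +103,7 @@` hunk of WP5DefinitionGroup.cpp, `getSize()` is passed straight into the constructor's `uint16_t subGroupSize` parameter; its return type is not visible in this diff, and if it is wider than 16 bits the value is narrowed silently before the constructor uses it as the upper bound for the column data. An explicit range check before the call, or a parameter of the same type as `getSize()`, would make the bound unambiguous. The constructor can now throw `FileException` out of this `new` expression, so I would add a comment on the `case` such as `// may throw FileException on a malformed table definition`. The enclosing function starts and ends outside the hunk.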
@@ -31,7 +31,7 @@
 class WP5DefinitionGroup_DefineTablesSubGroup : public WP5VariableLengthGroup_SubGroup
 {
 public:
- WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input);
+ WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize);
 void parse(WP5Listener *listener);
 private:
@@ -58,7 +58,6 @@
 private:
 WP5VariableLengthGroup_SubGroup * m_subGroupData;
-
 };
 #endif /* WP5DEFINITIONGROUP_H */