summaryrefslogtreecommitdiff
path: root/source/kde/patch/calligra/calligra.words.fix_overflow.diff
blob: 1a68b3f9d88c49b1dba10f40334437c9bf063028 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
index 02a82a0..78ac31d 100644
--- a/filters/words/msword-odf/wv2/src/styles.cpp
+++ b/filters/words/msword-odf/wv2/src/styles.cpp
@@ -248,6 +248,11 @@ throw(InvalidFormatException)
 #ifdef WV2_DEBUG_STYLESHEET
         wvlog << "cbUPX: " << cbUPX << endl;
 #endif
+        // do not overflow the allocated buffer grupx
+        if (offset + cbUPX > grupxLen) {
+            wvlog << "====> Error: grupx would overflow!" << endl;
+            return false;
+        }
         for ( U16 j = 0; j < cbUPX; ++j ) {
             grupx[ offset + j ] = stream->readU8();  // read the whole UPX
 #ifdef WV2_DEBUG_STYLESHEET