Add more bounds checking
parent
62ae66db99
commit
b9afdb0561
@ -253,7 +253,7 @@
|
|||||||
|
|
||||||
#define BUF_AUC 1
|
#define BUF_AUC 1
|
||||||
extern void setBufferSize(ULONG size);
|
extern void setBufferSize(ULONG size);
|
||||||
extern BOOL isOutOfBounds(ULONG offset);
|
extern BOOL isOutOfBounds(ULONG offset, size_t size);
|
||||||
|
|
||||||
/* Prototypes */
|
/* Prototypes */
|
||||||
|
|
||||||
|
21
src/pdf.c
21
src/pdf.c
@ -514,6 +514,7 @@ vMove2NextPage(diagram_type *pDiag, BOOL bNewSection)
|
|||||||
vAddHeader(pDiag);
|
vAddHeader(pDiag);
|
||||||
} /* end of vMove2NextPage */
|
} /* end of vMove2NextPage */
|
||||||
|
|
||||||
|
#define VMOVETO_MAX_DEPTH 300
|
||||||
/*
|
/*
|
||||||
* vMoveTo - move to the specified X,Y coordinates
|
* vMoveTo - move to the specified X,Y coordinates
|
||||||
*
|
*
|
||||||
@ -527,7 +528,24 @@ vMoveTo(diagram_type *pDiag, long lLastVerticalMovement)
|
|||||||
fail(pDiag->pOutFile == NULL);
|
fail(pDiag->pOutFile == NULL);
|
||||||
|
|
||||||
if (pDiag->lYtop <= lFooterHeight + PS_BOTTOM_MARGIN && !bInFtrSpace) {
|
if (pDiag->lYtop <= lFooterHeight + PS_BOTTOM_MARGIN && !bInFtrSpace) {
|
||||||
vMove2NextPage(pDiag, FALSE);
|
|
||||||
|
// NOTE: SIST2: only output the first page
|
||||||
|
vAddFooter(pDiag);
|
||||||
|
vEndPageObject(pDiag->pOutFile);
|
||||||
|
|
||||||
|
iObjectNumberCurr++;
|
||||||
|
vSetLocation(iObjectNumberCurr);
|
||||||
|
vFillNextPageObject();
|
||||||
|
vFPprintf(pDiag->pOutFile, "%d 0 obj\n", iObjectNumberCurr);
|
||||||
|
vFPprintf(pDiag->pOutFile, "<<\n");
|
||||||
|
vFPprintf(pDiag->pOutFile, "/Type /Page\n");
|
||||||
|
vFPprintf(pDiag->pOutFile, "/Parent 3 0 R\n");
|
||||||
|
vFPprintf(pDiag->pOutFile, "/Resources 17 0 R\n");
|
||||||
|
vFPprintf(pDiag->pOutFile, "/Contents %d 0 R\n", iObjectNumberCurr + 1);
|
||||||
|
vFPprintf(pDiag->pOutFile, ">>\n");
|
||||||
|
vFPprintf(pDiag->pOutFile, "endobj\n");
|
||||||
|
// ^^^
|
||||||
|
|
||||||
/* Repeat the last vertical movement on the new page */
|
/* Repeat the last vertical movement on the new page */
|
||||||
pDiag->lYtop -= lLastVerticalMovement;
|
pDiag->lYtop -= lLastVerticalMovement;
|
||||||
}
|
}
|
||||||
@ -978,6 +996,7 @@ static void
|
|||||||
vPrintPDF(FILE *pFile, const char *szString, size_t tStringLength,
|
vPrintPDF(FILE *pFile, const char *szString, size_t tStringLength,
|
||||||
USHORT usFontstyle)
|
USHORT usFontstyle)
|
||||||
{
|
{
|
||||||
|
|
||||||
const UCHAR *aucBytes;
|
const UCHAR *aucBytes;
|
||||||
double dMove;
|
double dMove;
|
||||||
size_t tCount;
|
size_t tCount;
|
||||||
|
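Review bot: In the vMoveTo hunk the inlined replacement for `vMove2NextPage(pDiag, FALSE);` writes a new `/Type /Page` object and advances `iObjectNumberCurr`, but nothing in the hunk resets `pDiag->lYtop`, which is only ever decreased (`pDiag->lYtop -= lLastVerticalMovement;`), so unless it is reset elsewhere every later call re-enters the `lYtop <= lFooterHeight + PS_BOTTOM_MARGIN` branch and appends yet another page object — the opposite of what `// NOTE: SIST2: only output the first page` states, and on a long or malformed document a way to make output size grow without bound. The new `#define VMOVETO_MAX_DEPTH 300` is not referenced in either pdf.c hunk, which looks like an intended cap on how often this branch may fire that was never wired in; either use it to bound the repeated emission or remove it. I also cannot see a matching content-stream object being opened for the `/Contents %d 0 R` reference written with `iObjectNumberCurr + 1`, so please confirm the object numbering stays consistent with what vFillNextPageObject/vSetLocation record. As a matter of style, the `// NOTE: SIST2:` and `// ^^^` markers depart from the file's `/* ... */` comment convention and the second one should be replaced by a sentence saying what the block does. vMoveTo begins before this hunk and its body continues beyond it.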
217
src/prop8.c
217
src/prop8.c
@ -22,27 +22,34 @@
|
|||||||
* iGet8InfoLength - the length of the information for Word 8/9/10/11 files
|
* iGet8InfoLength - the length of the information for Word 8/9/10/11 files
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
iGet8InfoLength(int iByteNbr, const UCHAR *aucGrpprl)
|
iGet8InfoLength(int iByteNbr, const UCHAR *aucGrpprl) {
|
||||||
{
|
|
||||||
int iTmp, iDel, iAdd;
|
int iTmp, iDel, iAdd;
|
||||||
USHORT usOpCode;
|
USHORT usOpCode;
|
||||||
|
|
||||||
usOpCode = usGetWord(iByteNbr, aucGrpprl);
|
usOpCode = usGetWord(iByteNbr, aucGrpprl);
|
||||||
|
|
||||||
switch (usOpCode & 0xe000) {
|
switch (usOpCode & 0xe000) {
|
||||||
case 0x0000: case 0x2000:
|
case 0x0000:
|
||||||
|
case 0x2000:
|
||||||
return 3;
|
return 3;
|
||||||
case 0x4000: case 0x8000: case 0xa000:
|
case 0x4000:
|
||||||
|
case 0x8000:
|
||||||
|
case 0xa000:
|
||||||
return 4;
|
return 4;
|
||||||
case 0xe000:
|
case 0xe000:
|
||||||
return 5;
|
return 5;
|
||||||
case 0x6000:
|
case 0x6000:
|
||||||
return 6;
|
return 6;
|
||||||
case 0xc000:
|
case 0xc000:
|
||||||
iTmp = (int)ucGetByte(iByteNbr + 2, aucGrpprl);
|
// HOTFIX for buffer overflow (fuzzing)
|
||||||
|
if (iByteNbr + 2 >= sizeof(section_block_type) - 1) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
iTmp = (int) ucGetByte(iByteNbr + 2, aucGrpprl);
|
||||||
if (usOpCode == 0xc615 && iTmp == 255) {
|
if (usOpCode == 0xc615 && iTmp == 255) {
|
||||||
iDel = (int)ucGetByte(iByteNbr + 3, aucGrpprl);
|
iDel = (int) ucGetByte(iByteNbr + 3, aucGrpprl);
|
||||||
iAdd = (int)ucGetByte(
|
iAdd = (int) ucGetByte(
|
||||||
iByteNbr + 4 + iDel * 4, aucGrpprl);
|
iByteNbr + 4 + iDel * 4, aucGrpprl);
|
||||||
iTmp = 2 + iDel * 4 + iAdd * 3;
|
iTmp = 2 + iDel * 4 + iAdd * 3;
|
||||||
}
|
}
|
||||||
@ -63,8 +70,7 @@ static UCHAR *
|
|||||||
aucFillInfoBuffer(FILE *pFile, const pps_type *pTable,
|
aucFillInfoBuffer(FILE *pFile, const pps_type *pTable,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
ULONG ulBeginInfo, size_t tInfoLen)
|
ULONG ulBeginInfo, size_t tInfoLen) {
|
||||||
{
|
|
||||||
const ULONG *aulBlockDepot;
|
const ULONG *aulBlockDepot;
|
||||||
UCHAR *aucBuffer;
|
UCHAR *aucBuffer;
|
||||||
size_t tBlockDepotLen, tBlockSize;
|
size_t tBlockDepotLen, tBlockSize;
|
||||||
@ -108,8 +114,7 @@ void
|
|||||||
vGet8DopInfo(FILE *pFile, const pps_type *pTable,
|
vGet8DopInfo(FILE *pFile, const pps_type *pTable,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
const UCHAR *aucHeader)
|
const UCHAR *aucHeader) {
|
||||||
{
|
|
||||||
document_block_type tDocument;
|
document_block_type tDocument;
|
||||||
UCHAR *aucBuffer;
|
UCHAR *aucBuffer;
|
||||||
ULONG ulBeginDocpInfo, ulTmp;
|
ULONG ulBeginDocpInfo, ulTmp;
|
||||||
@ -121,7 +126,7 @@ vGet8DopInfo(FILE *pFile, const pps_type *pTable,
|
|||||||
|
|
||||||
ulBeginDocpInfo = ulGetLong(0x192, aucHeader); /* fcDop */
|
ulBeginDocpInfo = ulGetLong(0x192, aucHeader); /* fcDop */
|
||||||
NO_DBG_HEX(ulBeginSectInfo);
|
NO_DBG_HEX(ulBeginSectInfo);
|
||||||
tDocpInfoLen = (size_t)ulGetLong(0x196, aucHeader); /* lcbDop */
|
tDocpInfoLen = (size_t) ulGetLong(0x196, aucHeader); /* lcbDop */
|
||||||
NO_DBG_DEC(tSectInfoLen);
|
NO_DBG_DEC(tSectInfoLen);
|
||||||
if (tDocpInfoLen < 28) {
|
if (tDocpInfoLen < 28) {
|
||||||
DBG_MSG("No Document information");
|
DBG_MSG("No Document information");
|
||||||
@ -136,7 +141,7 @@ vGet8DopInfo(FILE *pFile, const pps_type *pTable,
|
|||||||
}
|
}
|
||||||
|
|
||||||
usTmp = usGetWord(0x00, aucBuffer);
|
usTmp = usGetWord(0x00, aucBuffer);
|
||||||
tDocument.ucHdrFtrSpecification = (UCHAR)(usTmp >> 8); /* grpfIhdt */
|
tDocument.ucHdrFtrSpecification = (UCHAR) (usTmp >> 8); /* grpfIhdt */
|
||||||
tDocument.usDefaultTabWidth = usGetWord(0x0a, aucBuffer); /* dxaTab */
|
tDocument.usDefaultTabWidth = usGetWord(0x0a, aucBuffer); /* dxaTab */
|
||||||
ulTmp = ulGetLong(0x14, aucBuffer); /* dttmCreated */
|
ulTmp = ulGetLong(0x14, aucBuffer); /* dttmCreated */
|
||||||
tDocument.tCreateDate = tConvertDTTM(ulTmp);
|
tDocument.tCreateDate = tConvertDTTM(ulTmp);
|
||||||
@ -153,8 +158,7 @@ vGet8DopInfo(FILE *pFile, const pps_type *pTable,
|
|||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
vGet8SectionInfo(const UCHAR *aucGrpprl, size_t tBytes,
|
vGet8SectionInfo(const UCHAR *aucGrpprl, size_t tBytes,
|
||||||
section_block_type *pSection)
|
section_block_type *pSection) {
|
||||||
{
|
|
||||||
UINT uiIndex;
|
UINT uiIndex;
|
||||||
int iFodoOff, iInfoLen, iSize, iTmp;
|
int iFodoOff, iInfoLen, iSize, iTmp;
|
||||||
USHORT usCcol;
|
USHORT usCcol;
|
||||||
@ -163,7 +167,7 @@ vGet8SectionInfo(const UCHAR *aucGrpprl, size_t tBytes,
|
|||||||
fail(aucGrpprl == NULL || pSection == NULL);
|
fail(aucGrpprl == NULL || pSection == NULL);
|
||||||
|
|
||||||
iFodoOff = 0;
|
iFodoOff = 0;
|
||||||
while (tBytes >= (size_t)iFodoOff + 2) {
|
while (tBytes >= (size_t) iFodoOff + 2) {
|
||||||
iInfoLen = 0;
|
iInfoLen = 0;
|
||||||
switch (usGetWord(iFodoOff, aucGrpprl)) {
|
switch (usGetWord(iFodoOff, aucGrpprl)) {
|
||||||
case 0x3009: /* bkc */
|
case 0x3009: /* bkc */
|
||||||
@ -180,7 +184,7 @@ vGet8SectionInfo(const UCHAR *aucGrpprl, size_t tBytes,
|
|||||||
DBG_DEC(usCcol);
|
DBG_DEC(usCcol);
|
||||||
break;
|
break;
|
||||||
case 0xd202: /* olstAnm */
|
case 0xd202: /* olstAnm */
|
||||||
iSize = (int)ucGetByte(iFodoOff + 2, aucGrpprl);
|
iSize = (int) ucGetByte(iFodoOff + 2, aucGrpprl);
|
||||||
DBG_DEC_C(iSize != 212, iSize);
|
DBG_DEC_C(iSize != 212, iSize);
|
||||||
for (uiIndex = 0, iTmp = iFodoOff + 3;
|
for (uiIndex = 0, iTmp = iFodoOff + 3;
|
||||||
uiIndex < 9 && iTmp < iFodoOff + 3 + iSize - 15;
|
uiIndex < 9 && iTmp < iFodoOff + 3 + iSize - 15;
|
||||||
@ -192,11 +196,11 @@ vGet8SectionInfo(const UCHAR *aucGrpprl, size_t tBytes,
|
|||||||
DBG_HEX(ucTmp);
|
DBG_HEX(ucTmp);
|
||||||
if ((ucTmp & BIT(2)) != 0) {
|
if ((ucTmp & BIT(2)) != 0) {
|
||||||
pSection->usNeedPrevLvl |=
|
pSection->usNeedPrevLvl |=
|
||||||
(USHORT)BIT(uiIndex);
|
(USHORT) BIT(uiIndex);
|
||||||
}
|
}
|
||||||
if ((ucTmp & BIT(3)) != 0) {
|
if ((ucTmp & BIT(3)) != 0) {
|
||||||
pSection->usHangingIndent |=
|
pSection->usHangingIndent |=
|
||||||
(USHORT)BIT(uiIndex);
|
(USHORT) BIT(uiIndex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
DBG_HEX(pSection->usNeedPrevLvl);
|
DBG_HEX(pSection->usNeedPrevLvl);
|
||||||
@ -220,8 +224,7 @@ void
|
|||||||
vGet8SepInfo(FILE *pFile, const pps_info_type *pPPS,
|
vGet8SepInfo(FILE *pFile, const pps_info_type *pPPS,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
const UCHAR *aucHeader)
|
const UCHAR *aucHeader) {
|
||||||
{
|
|
||||||
section_block_type tSection;
|
section_block_type tSection;
|
||||||
ULONG *aulSectPage, *aulCharPos;
|
ULONG *aulSectPage, *aulCharPos;
|
||||||
UCHAR *aucBuffer, *aucFpage;
|
UCHAR *aucBuffer, *aucFpage;
|
||||||
@ -236,7 +239,7 @@ vGet8SepInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
NO_DBG_HEX(ulBeginOfText);
|
NO_DBG_HEX(ulBeginOfText);
|
||||||
ulBeginSectInfo = ulGetLong(0xca, aucHeader); /* fcPlcfsed */
|
ulBeginSectInfo = ulGetLong(0xca, aucHeader); /* fcPlcfsed */
|
||||||
NO_DBG_HEX(ulBeginSectInfo);
|
NO_DBG_HEX(ulBeginSectInfo);
|
||||||
tSectInfoLen = (size_t)ulGetLong(0xce, aucHeader); /* lcbPlcfsed */
|
tSectInfoLen = (size_t) ulGetLong(0xce, aucHeader); /* lcbPlcfsed */
|
||||||
NO_DBG_DEC(tSectInfoLen);
|
NO_DBG_DEC(tSectInfoLen);
|
||||||
if (tSectInfoLen < 4) {
|
if (tSectInfoLen < 4) {
|
||||||
DBG_DEC(tSectInfoLen);
|
DBG_DEC(tSectInfoLen);
|
||||||
@ -285,7 +288,7 @@ vGet8SepInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
aucTmp, aulSectPage[tIndex], 2)) {
|
aucTmp, aulSectPage[tIndex], 2)) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
tBytes = 2 + (size_t)usGetWord(0, aucTmp);
|
tBytes = 2 + (size_t) usGetWord(0, aucTmp);
|
||||||
NO_DBG_DEC(tBytes);
|
NO_DBG_DEC(tBytes);
|
||||||
/* Read the bytes */
|
/* Read the bytes */
|
||||||
aucFpage = xmalloc(tBytes);
|
aucFpage = xmalloc(tBytes);
|
||||||
@ -313,8 +316,7 @@ void
|
|||||||
vGet8HdrFtrInfo(FILE *pFile, const pps_type *pTable,
|
vGet8HdrFtrInfo(FILE *pFile, const pps_type *pTable,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
const UCHAR *aucHeader)
|
const UCHAR *aucHeader) {
|
||||||
{
|
|
||||||
ULONG *aulCharPos;
|
ULONG *aulCharPos;
|
||||||
UCHAR *aucBuffer;
|
UCHAR *aucBuffer;
|
||||||
ULONG ulHdrFtrOffset, ulBeginHdrFtrInfo;
|
ULONG ulHdrFtrOffset, ulBeginHdrFtrInfo;
|
||||||
@ -325,7 +327,7 @@ vGet8HdrFtrInfo(FILE *pFile, const pps_type *pTable,
|
|||||||
|
|
||||||
ulBeginHdrFtrInfo = ulGetLong(0xf2, aucHeader); /* fcPlcfhdd */
|
ulBeginHdrFtrInfo = ulGetLong(0xf2, aucHeader); /* fcPlcfhdd */
|
||||||
NO_DBG_HEX(ulBeginHdrFtrInfo);
|
NO_DBG_HEX(ulBeginHdrFtrInfo);
|
||||||
tHdrFtrInfoLen = (size_t)ulGetLong(0xf6, aucHeader); /* lcbPlcfhdd */
|
tHdrFtrInfoLen = (size_t) ulGetLong(0xf6, aucHeader); /* lcbPlcfhdd */
|
||||||
NO_DBG_DEC(tHdrFtrInfoLen);
|
NO_DBG_DEC(tHdrFtrInfoLen);
|
||||||
if (tHdrFtrInfoLen < 8) {
|
if (tHdrFtrInfoLen < 8) {
|
||||||
DBG_DEC_C(tHdrFtrInfoLen != 0, tHdrFtrInfoLen);
|
DBG_DEC_C(tHdrFtrInfoLen != 0, tHdrFtrInfoLen);
|
||||||
@ -363,8 +365,7 @@ vGet8HdrFtrInfo(FILE *pFile, const pps_type *pTable,
|
|||||||
*/
|
*/
|
||||||
row_info_enum
|
row_info_enum
|
||||||
eGet8RowInfo(int iFodo,
|
eGet8RowInfo(int iFodo,
|
||||||
const UCHAR *aucGrpprl, int iBytes, row_block_type *pRow)
|
const UCHAR *aucGrpprl, int iBytes, row_block_type *pRow) {
|
||||||
{
|
|
||||||
int iFodoOff, iInfoLen;
|
int iFodoOff, iInfoLen;
|
||||||
int iIndex, iSize, iCol;
|
int iIndex, iSize, iCol;
|
||||||
int iPosCurr, iPosPrev;
|
int iPosCurr, iPosPrev;
|
||||||
@ -387,6 +388,12 @@ eGet8RowInfo(int iFodo,
|
|||||||
bFoundd608 = FALSE;
|
bFoundd608 = FALSE;
|
||||||
while (iBytes >= iFodoOff + 2) {
|
while (iBytes >= iFodoOff + 2) {
|
||||||
iInfoLen = 0;
|
iInfoLen = 0;
|
||||||
|
|
||||||
|
// HOTFIX for buffer overflow (fuzzing)
|
||||||
|
if (iFodo + iFodoOff >= BIG_BLOCK_SIZE - 4) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
switch (usGetWord(iFodo + iFodoOff, aucGrpprl)) {
|
switch (usGetWord(iFodo + iFodoOff, aucGrpprl)) {
|
||||||
case 0x2416: /* fInTable */
|
case 0x2416: /* fInTable */
|
||||||
if (odd(ucGetByte(iFodo + iFodoOff + 2, aucGrpprl))) {
|
if (odd(ucGetByte(iFodo + iFodoOff + 2, aucGrpprl))) {
|
||||||
@ -458,18 +465,18 @@ eGet8RowInfo(int iFodo,
|
|||||||
break;
|
break;
|
||||||
case 0xd606: /* cDefTable10 */
|
case 0xd606: /* cDefTable10 */
|
||||||
DBG_MSG("0xd606: sprmTDefTable10");
|
DBG_MSG("0xd606: sprmTDefTable10");
|
||||||
iSize = (int)usGetWord(iFodo + iFodoOff + 2, aucGrpprl);
|
iSize = (int) usGetWord(iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
DBG_DEC(iSize);
|
DBG_DEC(iSize);
|
||||||
break;
|
break;
|
||||||
case 0xd608: /* cDefTable */
|
case 0xd608: /* cDefTable */
|
||||||
iSize = (int)usGetWord(iFodo + iFodoOff + 2, aucGrpprl);
|
iSize = (int) usGetWord(iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
if (iSize < 6 || iBytes < iFodoOff + 8) {
|
if (iSize < 6 || iBytes < iFodoOff + 8) {
|
||||||
DBG_DEC(iSize);
|
DBG_DEC(iSize);
|
||||||
DBG_DEC(iFodoOff);
|
DBG_DEC(iFodoOff);
|
||||||
iInfoLen = 2;
|
iInfoLen = 2;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
iCol = (int)ucGetByte(iFodo + iFodoOff + 4, aucGrpprl);
|
iCol = (int) ucGetByte(iFodo + iFodoOff + 4, aucGrpprl);
|
||||||
if (iCol < 1 ||
|
if (iCol < 1 ||
|
||||||
iBytes < iFodoOff + 4 + (iCol + 1) * 2) {
|
iBytes < iFodoOff + 4 + (iCol + 1) * 2) {
|
||||||
DBG_DEC(iCol);
|
DBG_DEC(iCol);
|
||||||
@ -477,21 +484,21 @@ eGet8RowInfo(int iFodo,
|
|||||||
iInfoLen = 2;
|
iInfoLen = 2;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (iCol >= (int)elementsof(pRow->asColumnWidth)) {
|
if (iCol >= (int) elementsof(pRow->asColumnWidth)) {
|
||||||
DBG_DEC(iCol);
|
DBG_DEC(iCol);
|
||||||
return found_nothing;
|
return found_nothing;
|
||||||
// werr(1, "The number of columns is corrupt");
|
// werr(1, "The number of columns is corrupt");
|
||||||
}
|
}
|
||||||
pRow->ucNumberOfColumns = (UCHAR)iCol;
|
pRow->ucNumberOfColumns = (UCHAR) iCol;
|
||||||
iPosPrev = (int)(short)usGetWord(
|
iPosPrev = (int) (short) usGetWord(
|
||||||
iFodo + iFodoOff + 5,
|
iFodo + iFodoOff + 5,
|
||||||
aucGrpprl);
|
aucGrpprl);
|
||||||
for (iIndex = 0; iIndex < iCol; iIndex++) {
|
for (iIndex = 0; iIndex < iCol; iIndex++) {
|
||||||
iPosCurr = (int)(short)usGetWord(
|
iPosCurr = (int) (short) usGetWord(
|
||||||
iFodo + iFodoOff + 7 + iIndex * 2,
|
iFodo + iFodoOff + 7 + iIndex * 2,
|
||||||
aucGrpprl);
|
aucGrpprl);
|
||||||
pRow->asColumnWidth[iIndex] =
|
pRow->asColumnWidth[iIndex] =
|
||||||
(short)(iPosCurr - iPosPrev);
|
(short) (iPosCurr - iPosPrev);
|
||||||
iPosPrev = iPosCurr;
|
iPosPrev = iPosCurr;
|
||||||
}
|
}
|
||||||
bFoundd608 = TRUE;
|
bFoundd608 = TRUE;
|
||||||
@ -528,8 +535,7 @@ eGet8RowInfo(int iFodo,
|
|||||||
*/
|
*/
|
||||||
void
|
void
|
||||||
vGet8StyleInfo(int iFodo,
|
vGet8StyleInfo(int iFodo,
|
||||||
const UCHAR *aucGrpprl, int iBytes, style_block_type *pStyle)
|
const UCHAR *aucGrpprl, int iBytes, style_block_type *pStyle) {
|
||||||
{
|
|
||||||
list_block_type tList6;
|
list_block_type tList6;
|
||||||
const list_block_type *pList;
|
const list_block_type *pList;
|
||||||
int iFodoOff, iInfoLen;
|
int iFodoOff, iInfoLen;
|
||||||
@ -542,11 +548,17 @@ vGet8StyleInfo(int iFodo,
|
|||||||
NO_DBG_DEC_C(pStyle->usListIndex != 0, pStyle->usIstd);
|
NO_DBG_DEC_C(pStyle->usListIndex != 0, pStyle->usIstd);
|
||||||
NO_DBG_DEC_C(pStyle->usListIndex != 0, pStyle->usListIndex);
|
NO_DBG_DEC_C(pStyle->usListIndex != 0, pStyle->usListIndex);
|
||||||
|
|
||||||
(void)memset(&tList6, 0, sizeof(tList6));
|
(void) memset(&tList6, 0, sizeof(tList6));
|
||||||
|
|
||||||
iFodoOff = 0;
|
iFodoOff = 0;
|
||||||
while (iBytes >= iFodoOff + 2) {
|
while (iBytes >= iFodoOff + 2) {
|
||||||
iInfoLen = 0;
|
iInfoLen = 0;
|
||||||
|
|
||||||
|
// HOTFIX for buffer overflow (fuzzing)
|
||||||
|
if (iFodo + iFodoOff >= BIG_BLOCK_SIZE - 4) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
usOpCode = usGetWord(iFodo + iFodoOff, aucGrpprl);
|
usOpCode = usGetWord(iFodo + iFodoOff, aucGrpprl);
|
||||||
switch (usOpCode) {
|
switch (usOpCode) {
|
||||||
case 0x2403: /* jc */
|
case 0x2403: /* jc */
|
||||||
@ -569,7 +581,7 @@ vGet8StyleInfo(int iFodo,
|
|||||||
NO_DBG_DEC(pStyle->usListIndex);
|
NO_DBG_DEC(pStyle->usListIndex);
|
||||||
break;
|
break;
|
||||||
case 0x4610: /* Nest dxaLeft */
|
case 0x4610: /* Nest dxaLeft */
|
||||||
sTmp = (short)usGetWord(
|
sTmp = (short) usGetWord(
|
||||||
iFodo + iFodoOff + 2, aucGrpprl);
|
iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
pStyle->sLeftIndent += sTmp;
|
pStyle->sLeftIndent += sTmp;
|
||||||
if (pStyle->sLeftIndent < 0) {
|
if (pStyle->sLeftIndent < 0) {
|
||||||
@ -580,19 +592,19 @@ vGet8StyleInfo(int iFodo,
|
|||||||
break;
|
break;
|
||||||
case 0xc60d: /* ChgTabsPapx */
|
case 0xc60d: /* ChgTabsPapx */
|
||||||
case 0xc615: /* ChgTabs */
|
case 0xc615: /* ChgTabs */
|
||||||
iTmp = (int)ucGetByte(iFodo + iFodoOff + 2, aucGrpprl);
|
iTmp = (int) ucGetByte(iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
if (iTmp < 2) {
|
if (iTmp < 2) {
|
||||||
iInfoLen = 1;
|
iInfoLen = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
NO_DBG_DEC(iTmp);
|
NO_DBG_DEC(iTmp);
|
||||||
iDel = (int)ucGetByte(iFodo + iFodoOff + 3, aucGrpprl);
|
iDel = (int) ucGetByte(iFodo + iFodoOff + 3, aucGrpprl);
|
||||||
if (iTmp < 2 + 2 * iDel) {
|
if (iTmp < 2 + 2 * iDel) {
|
||||||
iInfoLen = 1;
|
iInfoLen = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
NO_DBG_DEC(iDel);
|
NO_DBG_DEC(iDel);
|
||||||
iAdd = (int)ucGetByte(
|
iAdd = (int) ucGetByte(
|
||||||
iFodo + iFodoOff + 4 + 2 * iDel, aucGrpprl);
|
iFodo + iFodoOff + 4 + 2 * iDel, aucGrpprl);
|
||||||
if (iTmp < 2 + 2 * iDel + 2 * iAdd) {
|
if (iTmp < 2 + 2 * iDel + 2 * iAdd) {
|
||||||
iInfoLen = 1;
|
iInfoLen = 1;
|
||||||
@ -601,17 +613,17 @@ vGet8StyleInfo(int iFodo,
|
|||||||
NO_DBG_DEC(iAdd);
|
NO_DBG_DEC(iAdd);
|
||||||
break;
|
break;
|
||||||
case 0x840e: /* dxaRight */
|
case 0x840e: /* dxaRight */
|
||||||
pStyle->sRightIndent = (short)usGetWord(
|
pStyle->sRightIndent = (short) usGetWord(
|
||||||
iFodo + iFodoOff + 2, aucGrpprl);
|
iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
NO_DBG_DEC(pStyle->sRightIndent);
|
NO_DBG_DEC(pStyle->sRightIndent);
|
||||||
break;
|
break;
|
||||||
case 0x840f: /* dxaLeft */
|
case 0x840f: /* dxaLeft */
|
||||||
pStyle->sLeftIndent = (short)usGetWord(
|
pStyle->sLeftIndent = (short) usGetWord(
|
||||||
iFodo + iFodoOff + 2, aucGrpprl);
|
iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
NO_DBG_DEC(pStyle->sLeftIndent);
|
NO_DBG_DEC(pStyle->sLeftIndent);
|
||||||
break;
|
break;
|
||||||
case 0x8411: /* dxaLeft1 */
|
case 0x8411: /* dxaLeft1 */
|
||||||
pStyle->sLeftIndent1 = (short)usGetWord(
|
pStyle->sLeftIndent1 = (short) usGetWord(
|
||||||
iFodo + iFodoOff + 2, aucGrpprl);
|
iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
NO_DBG_DEC(pStyle->sLeftIndent1);
|
NO_DBG_DEC(pStyle->sLeftIndent1);
|
||||||
break;
|
break;
|
||||||
@ -626,7 +638,7 @@ vGet8StyleInfo(int iFodo,
|
|||||||
NO_DBG_DEC(pStyle->usAfterIndent);
|
NO_DBG_DEC(pStyle->usAfterIndent);
|
||||||
break;
|
break;
|
||||||
case 0xc63e: /* anld */
|
case 0xc63e: /* anld */
|
||||||
iTmp = (int)ucGetByte(
|
iTmp = (int) ucGetByte(
|
||||||
iFodo + iFodoOff + 2, aucGrpprl);
|
iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
DBG_DEC_C(iTmp < 84, iTmp);
|
DBG_DEC_C(iTmp < 84, iTmp);
|
||||||
if (iTmp >= 1) {
|
if (iTmp >= 1) {
|
||||||
@ -634,13 +646,13 @@ vGet8StyleInfo(int iFodo,
|
|||||||
iFodo + iFodoOff + 3, aucGrpprl);
|
iFodo + iFodoOff + 3, aucGrpprl);
|
||||||
}
|
}
|
||||||
if (tList6.ucNFC != LIST_BULLETS && iTmp >= 2) {
|
if (tList6.ucNFC != LIST_BULLETS && iTmp >= 2) {
|
||||||
iBefore = (int)ucGetByte(
|
iBefore = (int) ucGetByte(
|
||||||
iFodo + iFodoOff + 4, aucGrpprl);
|
iFodo + iFodoOff + 4, aucGrpprl);
|
||||||
} else {
|
} else {
|
||||||
iBefore = 0;
|
iBefore = 0;
|
||||||
}
|
}
|
||||||
if (iTmp >= 12) {
|
if (iTmp >= 12) {
|
||||||
tList6.ulStartAt = (ULONG)usGetWord(
|
tList6.ulStartAt = (ULONG) usGetWord(
|
||||||
iFodo + iFodoOff + 13, aucGrpprl);
|
iFodo + iFodoOff + 13, aucGrpprl);
|
||||||
}
|
}
|
||||||
if (iTmp >= iBefore + 22) {
|
if (iTmp >= iBefore + 22) {
|
||||||
@ -664,7 +676,7 @@ vGet8StyleInfo(int iFodo,
|
|||||||
|
|
||||||
if (pStyle->usListIndex == 2047) {
|
if (pStyle->usListIndex == 2047) {
|
||||||
/* Old style list */
|
/* Old style list */
|
||||||
pStyle->usStartAt = (USHORT)tList6.ulStartAt;
|
pStyle->usStartAt = (USHORT) tList6.ulStartAt;
|
||||||
pStyle->usListChar = tList6.usListChar;
|
pStyle->usListChar = tList6.usListChar;
|
||||||
pStyle->ucNFC = tList6.ucNFC;
|
pStyle->ucNFC = tList6.ucNFC;
|
||||||
} else {
|
} else {
|
||||||
@ -672,8 +684,8 @@ vGet8StyleInfo(int iFodo,
|
|||||||
pList = pGetListInfo(pStyle->usListIndex, pStyle->ucListLevel);
|
pList = pGetListInfo(pStyle->usListIndex, pStyle->ucListLevel);
|
||||||
if (pList != NULL) {
|
if (pList != NULL) {
|
||||||
pStyle->bNoRestart = pList->bNoRestart;
|
pStyle->bNoRestart = pList->bNoRestart;
|
||||||
fail(pList->ulStartAt > (ULONG)USHRT_MAX);
|
fail(pList->ulStartAt > (ULONG) USHRT_MAX);
|
||||||
pStyle->usStartAt = (USHORT)pList->ulStartAt;
|
pStyle->usStartAt = (USHORT) pList->ulStartAt;
|
||||||
pStyle->usListChar = pList->usListChar;
|
pStyle->usListChar = pList->usListChar;
|
||||||
pStyle->ucNFC = pList->ucNFC;
|
pStyle->ucNFC = pList->ucNFC;
|
||||||
if (pStyle->sLeftIndent <= 0) {
|
if (pStyle->sLeftIndent <= 0) {
|
||||||
@ -689,21 +701,20 @@ vGet8StyleInfo(int iFodo,
|
|||||||
* Returns the value when found, otherwise 0
|
* Returns the value when found, otherwise 0
|
||||||
*/
|
*/
|
||||||
static short
|
static short
|
||||||
sGetLeftIndent(const UCHAR *aucGrpprl, size_t tBytes)
|
sGetLeftIndent(const UCHAR *aucGrpprl, size_t tBytes) {
|
||||||
{
|
|
||||||
int iOffset, iInfoLen;
|
int iOffset, iInfoLen;
|
||||||
USHORT usOpCode, usTmp;
|
USHORT usOpCode, usTmp;
|
||||||
|
|
||||||
fail(aucGrpprl == NULL);
|
fail(aucGrpprl == NULL);
|
||||||
|
|
||||||
iOffset = 0;
|
iOffset = 0;
|
||||||
while (tBytes >= (size_t)iOffset + 4) {
|
while (tBytes >= (size_t) iOffset + 4) {
|
||||||
usOpCode = usGetWord(iOffset, aucGrpprl);
|
usOpCode = usGetWord(iOffset, aucGrpprl);
|
||||||
if (usOpCode == 0x840f) { /* dxaLeft */
|
if (usOpCode == 0x840f) { /* dxaLeft */
|
||||||
usTmp = usGetWord(iOffset + 2, aucGrpprl);
|
usTmp = usGetWord(iOffset + 2, aucGrpprl);
|
||||||
if (usTmp <= 0x7fff) {
|
if (usTmp <= 0x7fff) {
|
||||||
NO_DBG_DEC(usTmp);
|
NO_DBG_DEC(usTmp);
|
||||||
return (short)usTmp;
|
return (short) usTmp;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
iInfoLen = iGet8InfoLength(iOffset, aucGrpprl);
|
iInfoLen = iGet8InfoLength(iOffset, aucGrpprl);
|
||||||
@ -720,8 +731,7 @@ void
|
|||||||
vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
const UCHAR *aucHeader)
|
const UCHAR *aucHeader) {
|
||||||
{
|
|
||||||
list_block_type tList;
|
list_block_type tList;
|
||||||
const ULONG *aulBlockDepot;
|
const ULONG *aulBlockDepot;
|
||||||
UCHAR *aucLfoInfo, *aucLstfInfo, *aucPapx, *aucXString;
|
UCHAR *aucLfoInfo, *aucLstfInfo, *aucPapx, *aucXString;
|
||||||
@ -760,7 +770,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
/* LFO (List Format Override) */
|
/* LFO (List Format Override) */
|
||||||
ulBeginLfoInfo = ulGetLong(0x2ea, aucHeader); /* fcPlfLfo */
|
ulBeginLfoInfo = ulGetLong(0x2ea, aucHeader); /* fcPlfLfo */
|
||||||
DBG_HEX(ulBeginLfoInfo);
|
DBG_HEX(ulBeginLfoInfo);
|
||||||
tLfoInfoLen = (size_t)ulGetLong(0x2ee, aucHeader); /* lcbPlfLfo */
|
tLfoInfoLen = (size_t) ulGetLong(0x2ee, aucHeader); /* lcbPlfLfo */
|
||||||
DBG_DEC(tLfoInfoLen);
|
DBG_DEC(tLfoInfoLen);
|
||||||
if (tLfoInfoLen == 0) {
|
if (tLfoInfoLen == 0) {
|
||||||
DBG_MSG("No lists in this document");
|
DBG_MSG("No lists in this document");
|
||||||
@ -781,7 +791,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
/* LSTF (LiST data on File) */
|
/* LSTF (LiST data on File) */
|
||||||
ulBeginLstfInfo = ulGetLong(0x2e2, aucHeader); /* fcPlcfLst */
|
ulBeginLstfInfo = ulGetLong(0x2e2, aucHeader); /* fcPlcfLst */
|
||||||
DBG_HEX(ulBeginLstfInfo);
|
DBG_HEX(ulBeginLstfInfo);
|
||||||
tLstfInfoLen = (size_t)ulGetLong(0x2e6, aucHeader); /* lcbPlcfLst */
|
tLstfInfoLen = (size_t) ulGetLong(0x2e6, aucHeader); /* lcbPlcfLst */
|
||||||
DBG_DEC(tLstfInfoLen);
|
DBG_DEC(tLstfInfoLen);
|
||||||
if (tLstfInfoLen == 0) {
|
if (tLstfInfoLen == 0) {
|
||||||
DBG_MSG("No list data on file");
|
DBG_MSG("No list data on file");
|
||||||
@ -797,7 +807,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
}
|
}
|
||||||
NO_DBG_PRINT_BLOCK(aucLstfInfo, tLstfInfoLen);
|
NO_DBG_PRINT_BLOCK(aucLstfInfo, tLstfInfoLen);
|
||||||
|
|
||||||
tLstfRecords = (size_t)usGetWord(0, aucLstfInfo);
|
tLstfRecords = (size_t) usGetWord(0, aucLstfInfo);
|
||||||
if (2 + tLstfRecords * 28 < tLstfInfoLen) {
|
if (2 + tLstfRecords * 28 < tLstfInfoLen) {
|
||||||
DBG_DEC(2 + tLstfRecords * 28);
|
DBG_DEC(2 + tLstfRecords * 28);
|
||||||
DBG_DEC(tLstfInfoLen);
|
DBG_DEC(tLstfInfoLen);
|
||||||
@ -822,11 +832,11 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
for (ucListLevel = 0; ucListLevel < ucMaxLevel; ucListLevel++) {
|
for (ucListLevel = 0; ucListLevel < ucMaxLevel; ucListLevel++) {
|
||||||
fail(aucXString != NULL);
|
fail(aucXString != NULL);
|
||||||
usIstd = usGetWord(
|
usIstd = usGetWord(
|
||||||
tStart + 8 + 2 * (size_t)ucListLevel,
|
tStart + 8 + 2 * (size_t) ucListLevel,
|
||||||
aucLstfInfo);
|
aucLstfInfo);
|
||||||
DBG_DEC_C(usIstd != STI_NIL, usIstd);
|
DBG_DEC_C(usIstd != STI_NIL, usIstd);
|
||||||
NO_DBG_HEX(ulStart);
|
NO_DBG_HEX(ulStart);
|
||||||
(void)memset(&tList, 0, sizeof(tList));
|
(void) memset(&tList, 0, sizeof(tList));
|
||||||
/* Read the lvlf (List leVeL on File) */
|
/* Read the lvlf (List leVeL on File) */
|
||||||
if (!bReadBuffer(pFile, pPPS->tTable.ulSB,
|
if (!bReadBuffer(pFile, pPPS->tTable.ulSB,
|
||||||
aulBlockDepot, tBlockDepotLen,
|
aulBlockDepot, tBlockDepotLen,
|
||||||
@ -849,7 +859,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
(ucTmp & BIT(6)) != 0, "Found one");
|
(ucTmp & BIT(6)) != 0, "Found one");
|
||||||
}
|
}
|
||||||
ulStart += sizeof(aucLvlfInfo);
|
ulStart += sizeof(aucLvlfInfo);
|
||||||
tPapxLen = (size_t)ucGetByte(25, aucLvlfInfo);
|
tPapxLen = (size_t) ucGetByte(25, aucLvlfInfo);
|
||||||
if (tPapxLen != 0) {
|
if (tPapxLen != 0) {
|
||||||
aucPapx = xmalloc(tPapxLen);
|
aucPapx = xmalloc(tPapxLen);
|
||||||
/* Read the Papx */
|
/* Read the Papx */
|
||||||
@ -868,7 +878,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
}
|
}
|
||||||
ulStart += tPapxLen;
|
ulStart += tPapxLen;
|
||||||
ucChpxLen = ucGetByte(24, aucLvlfInfo);
|
ucChpxLen = ucGetByte(24, aucLvlfInfo);
|
||||||
ulStart += (ULONG)ucChpxLen;
|
ulStart += (ULONG) ucChpxLen;
|
||||||
/* Read the length of the XString */
|
/* Read the length of the XString */
|
||||||
if (!bReadBuffer(pFile, pPPS->tTable.ulSB,
|
if (!bReadBuffer(pFile, pPPS->tTable.ulSB,
|
||||||
aulBlockDepot, tBlockDepotLen,
|
aulBlockDepot, tBlockDepotLen,
|
||||||
@ -878,7 +888,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
NO_DBG_PRINT_BLOCK(aucXst, sizeof(aucXst));
|
NO_DBG_PRINT_BLOCK(aucXst, sizeof(aucXst));
|
||||||
tXstLen = (size_t)usGetWord(0, aucXst);
|
tXstLen = (size_t) usGetWord(0, aucXst);
|
||||||
ulStart += sizeof(aucXst);
|
ulStart += sizeof(aucXst);
|
||||||
if (tXstLen == 0) {
|
if (tXstLen == 0) {
|
||||||
tList.usListChar = DEFAULT_LISTCHAR;
|
tList.usListChar = DEFAULT_LISTCHAR;
|
||||||
@ -906,7 +916,7 @@ vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
if (ucTmp == 0) {
|
if (ucTmp == 0) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
tOff = (size_t)ucTmp;
|
tOff = (size_t) ucTmp;
|
||||||
}
|
}
|
||||||
tOff *= 2; /* Offset in chars to offset in bytes */
|
tOff *= 2; /* Offset in chars to offset in bytes */
|
||||||
NO_DBG_DEC(tOff);
|
NO_DBG_DEC(tOff);
|
||||||
@ -937,8 +947,7 @@ void
|
|||||||
vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
const UCHAR *aucHeader)
|
const UCHAR *aucHeader) {
|
||||||
{
|
|
||||||
row_block_type tRow;
|
row_block_type tRow;
|
||||||
style_block_type tStyle;
|
style_block_type tStyle;
|
||||||
ULONG *aulParfPage;
|
ULONG *aulParfPage;
|
||||||
@ -956,7 +965,7 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
|
|
||||||
ulBeginParfInfo = ulGetLong(0x102, aucHeader); /* fcPlcfbtePapx */
|
ulBeginParfInfo = ulGetLong(0x102, aucHeader); /* fcPlcfbtePapx */
|
||||||
NO_DBG_HEX(ulBeginParfInfo);
|
NO_DBG_HEX(ulBeginParfInfo);
|
||||||
tParfInfoLen = (size_t)ulGetLong(0x106, aucHeader); /* lcbPlcfbtePapx */
|
tParfInfoLen = (size_t) ulGetLong(0x106, aucHeader); /* lcbPlcfbtePapx */
|
||||||
NO_DBG_DEC(tParfInfoLen);
|
NO_DBG_DEC(tParfInfoLen);
|
||||||
if (tParfInfoLen < 4) {
|
if (tParfInfoLen < 4) {
|
||||||
DBG_DEC(tParfInfoLen);
|
DBG_DEC(tParfInfoLen);
|
||||||
@ -974,7 +983,7 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
tLen = (tParfInfoLen / 4 - 1) / 2;
|
tLen = (tParfInfoLen / 4 - 1) / 2;
|
||||||
aulParfPage = xcalloc(tLen, sizeof(ULONG));
|
aulParfPage = xcalloc(tLen, sizeof(ULONG));
|
||||||
for (iIndex = 0, tOffset = (tLen + 1) * 4;
|
for (iIndex = 0, tOffset = (tLen + 1) * 4;
|
||||||
iIndex < (int)tLen;
|
iIndex < (int) tLen;
|
||||||
iIndex++, tOffset += 4) {
|
iIndex++, tOffset += 4) {
|
||||||
aulParfPage[iIndex] = ulGetLong(tOffset, aucBuffer);
|
aulParfPage[iIndex] = ulGetLong(tOffset, aucBuffer);
|
||||||
NO_DBG_DEC(aulParfPage[iIndex]);
|
NO_DBG_DEC(aulParfPage[iIndex]);
|
||||||
@ -983,9 +992,9 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
aucBuffer = xfree(aucBuffer);
|
aucBuffer = xfree(aucBuffer);
|
||||||
NO_DBG_PRINT_BLOCK(aucHeader, HEADER_SIZE);
|
NO_DBG_PRINT_BLOCK(aucHeader, HEADER_SIZE);
|
||||||
|
|
||||||
(void)memset(&tRow, 0, sizeof(tRow));
|
(void) memset(&tRow, 0, sizeof(tRow));
|
||||||
ulCharPosFirst = CP_INVALID;
|
ulCharPosFirst = CP_INVALID;
|
||||||
for (iIndex = 0; iIndex < (int)tLen; iIndex++) {
|
for (iIndex = 0; iIndex < (int) tLen; iIndex++) {
|
||||||
fail(aulParfPage[iIndex] > ULONG_MAX / BIG_BLOCK_SIZE);
|
fail(aulParfPage[iIndex] > ULONG_MAX / BIG_BLOCK_SIZE);
|
||||||
if (!bReadBuffer(pFile, pPPS->tWordDocument.ulSB,
|
if (!bReadBuffer(pFile, pPPS->tWordDocument.ulSB,
|
||||||
aulBBD, tBBDLen, BIG_BLOCK_SIZE,
|
aulBBD, tBBDLen, BIG_BLOCK_SIZE,
|
||||||
@ -995,20 +1004,31 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
NO_DBG_PRINT_BLOCK(aucFpage, BIG_BLOCK_SIZE);
|
NO_DBG_PRINT_BLOCK(aucFpage, BIG_BLOCK_SIZE);
|
||||||
iRun = (int)ucGetByte(0x1ff, aucFpage);
|
iRun = (int) ucGetByte(0x1ff, aucFpage);
|
||||||
NO_DBG_DEC(iRun);
|
NO_DBG_DEC(iRun);
|
||||||
for (iIndex2 = 0; iIndex2 < iRun; iIndex2++) {
|
for (iIndex2 = 0; iIndex2 < iRun; iIndex2++) {
|
||||||
NO_DBG_HEX(ulGetLong(iIndex2 * 4, aucFpage));
|
NO_DBG_HEX(ulGetLong(iIndex2 * 4, aucFpage));
|
||||||
iFodo = 2 * (int)ucGetByte(
|
|
||||||
|
// HOTFIX for buffer overflow (fuzzing)
|
||||||
|
if ((iRun + 1) * 4 + iIndex2 * 13 >= BIG_BLOCK_SIZE - 1) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
iFodo = 2 * (int) ucGetByte(
|
||||||
(iRun + 1) * 4 + iIndex2 * 13, aucFpage);
|
(iRun + 1) * 4 + iIndex2 * 13, aucFpage);
|
||||||
if (iFodo <= 0) {
|
if (iFodo <= 0) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
iLen = 2 * (int)ucGetByte(iFodo, aucFpage);
|
iLen = 2 * (int) ucGetByte(iFodo, aucFpage);
|
||||||
if (iLen == 0) {
|
if (iLen == 0) {
|
||||||
iFodo++;
|
iFodo++;
|
||||||
iLen = 2 * (int)ucGetByte(iFodo, aucFpage);
|
iLen = 2 * (int) ucGetByte(iFodo, aucFpage);
|
||||||
|
}
|
||||||
|
|
||||||
|
// HOTFIX for buffer overflow (fuzzing)
|
||||||
|
if (iFodo + 1 >= BIG_BLOCK_SIZE - sizeof(short)) {
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
usIstd = usGetWord(iFodo + 1, aucFpage);
|
usIstd = usGetWord(iFodo + 1, aucFpage);
|
||||||
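Review bot: The second HOTFIX guard only covers the two-byte read at `usGetWord(iFodo + 1, aucFpage)`; `iLen`, taken just above it from a byte of the same untrusted page, is never compared with the bytes remaining in the block, so if the code after the hunk hands `aucFpage + iFodo` and `iLen` to a parser (vGet8PapInfo's loop body continues outside the hunk) that span can still run past BIG_BLOCK_SIZE, and if so the guard should become `if (iFodo + 1 >= BIG_BLOCK_SIZE - 2 || iFodo + iLen > BIG_BLOCK_SIZE) { break; }`. The `ucGetByte(iFodo, aucFpage)` reads that precede the guard stay in range only because `iFodo` is at most `2 * 255 + 1`, which is below BIG_BLOCK_SIZE if that is 512 as I assume; that reasoning is worth a comment such as `/* iFodo <= 511 here, so the byte reads above are in range; bound the word read and the grpprl span */` rather than being left implicit. Writing the width as `2` instead of `sizeof(short)` also avoids comparing a signed `int` with a `size_t`. The file otherwise uses `/* */` comments, so the `//` HOTFIX comments are out of step with its style.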
@ -1047,7 +1067,7 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
NO_DBG_HEX_C(tRow.ulFileOffsetEnd == FC_INVALID,
|
NO_DBG_HEX_C(tRow.ulFileOffsetEnd == FC_INVALID,
|
||||||
ulCharPosLast);
|
ulCharPosLast);
|
||||||
vAdd2RowInfoList(&tRow);
|
vAdd2RowInfoList(&tRow);
|
||||||
(void)memset(&tRow, 0, sizeof(tRow));
|
(void) memset(&tRow, 0, sizeof(tRow));
|
||||||
ulCharPosFirst = CP_INVALID;
|
ulCharPosFirst = CP_INVALID;
|
||||||
break;
|
break;
|
||||||
case found_nothing:
|
case found_nothing:
|
||||||
@ -1067,8 +1087,7 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
*/
|
*/
|
||||||
void
|
void
|
||||||
vGet8FontInfo(int iFodo, USHORT usIstd,
|
vGet8FontInfo(int iFodo, USHORT usIstd,
|
||||||
const UCHAR *aucGrpprl, int iBytes, font_block_type *pFont)
|
const UCHAR *aucGrpprl, int iBytes, font_block_type *pFont) {
|
||||||
{
|
|
||||||
long lTmp;
|
long lTmp;
|
||||||
int iFodoOff, iInfoLen;
|
int iFodoOff, iInfoLen;
|
||||||
USHORT usFtc0, usFtc1, usFtc2, usTmp;
|
USHORT usFtc0, usFtc1, usFtc2, usTmp;
|
||||||
@ -1281,13 +1300,13 @@ vGet8FontInfo(int iFodo, USHORT usIstd,
|
|||||||
break;
|
break;
|
||||||
case 0xca4a: /* cHpsInc1 */
|
case 0xca4a: /* cHpsInc1 */
|
||||||
usTmp = usGetWord(iFodo + iFodoOff + 2, aucGrpprl);
|
usTmp = usGetWord(iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
lTmp = (long)pFont->usFontSize + (long)usTmp;
|
lTmp = (long) pFont->usFontSize + (long) usTmp;
|
||||||
if (lTmp < 8) {
|
if (lTmp < 8) {
|
||||||
pFont->usFontSize = 8;
|
pFont->usFontSize = 8;
|
||||||
} else if (lTmp > 32766) {
|
} else if (lTmp > 32766) {
|
||||||
pFont->usFontSize = 32766;
|
pFont->usFontSize = 32766;
|
||||||
} else {
|
} else {
|
||||||
pFont->usFontSize = (USHORT)lTmp;
|
pFont->usFontSize = (USHORT) lTmp;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 0xca4c: /* cMajority50 */
|
case 0xca4c: /* cMajority50 */
|
||||||
@ -1297,7 +1316,7 @@ vGet8FontInfo(int iFodo, USHORT usIstd,
|
|||||||
ucTmp = ucGetByte(iFodo + iFodoOff + 2, aucGrpprl);
|
ucTmp = ucGetByte(iFodo + iFodoOff + 2, aucGrpprl);
|
||||||
DBG_DEC(ucTmp);
|
DBG_DEC(ucTmp);
|
||||||
if (ucTmp != 0) {
|
if (ucTmp != 0) {
|
||||||
pFont->usFontSize = (USHORT)ucTmp;
|
pFont->usFontSize = (USHORT) ucTmp;
|
||||||
}
|
}
|
||||||
ucTmp = ucGetByte(iFodo + iFodoOff + 3, aucGrpprl);
|
ucTmp = ucGetByte(iFodo + iFodoOff + 3, aucGrpprl);
|
||||||
DBG_DEC(ucTmp);
|
DBG_DEC(ucTmp);
|
||||||
@ -1315,24 +1334,24 @@ vGet8FontInfo(int iFodo, USHORT usIstd,
|
|||||||
NO_DBG_DEC_C(usFtc2 != USHRT_MAX, usFtc2);
|
NO_DBG_DEC_C(usFtc2 != USHRT_MAX, usFtc2);
|
||||||
NO_DBG_DEC_C(usFtc1 != USHRT_MAX, usFtc1);
|
NO_DBG_DEC_C(usFtc1 != USHRT_MAX, usFtc1);
|
||||||
if (usFtc0 <= 0x7fff) {
|
if (usFtc0 <= 0x7fff) {
|
||||||
if (usFtc0 <= (USHORT)UCHAR_MAX) {
|
if (usFtc0 <= (USHORT) UCHAR_MAX) {
|
||||||
pFont->ucFontNumber = (UCHAR)usFtc0;
|
pFont->ucFontNumber = (UCHAR) usFtc0;
|
||||||
} else {
|
} else {
|
||||||
DBG_DEC(usFtc0);
|
DBG_DEC(usFtc0);
|
||||||
DBG_FIXME();
|
DBG_FIXME();
|
||||||
pFont->ucFontNumber = 0;
|
pFont->ucFontNumber = 0;
|
||||||
}
|
}
|
||||||
} else if (usFtc2 <= 0x7fff) {
|
} else if (usFtc2 <= 0x7fff) {
|
||||||
if (usFtc2 <= (USHORT)UCHAR_MAX) {
|
if (usFtc2 <= (USHORT) UCHAR_MAX) {
|
||||||
pFont->ucFontNumber = (UCHAR)usFtc2;
|
pFont->ucFontNumber = (UCHAR) usFtc2;
|
||||||
} else {
|
} else {
|
||||||
DBG_DEC(usFtc2);
|
DBG_DEC(usFtc2);
|
||||||
DBG_FIXME();
|
DBG_FIXME();
|
||||||
pFont->ucFontNumber = 0;
|
pFont->ucFontNumber = 0;
|
||||||
}
|
}
|
||||||
} else if (usFtc1 <= 0x7fff) {
|
} else if (usFtc1 <= 0x7fff) {
|
||||||
if (usFtc1 <= (USHORT)UCHAR_MAX) {
|
if (usFtc1 <= (USHORT) UCHAR_MAX) {
|
||||||
pFont->ucFontNumber = (UCHAR)usFtc1;
|
pFont->ucFontNumber = (UCHAR) usFtc1;
|
||||||
} else {
|
} else {
|
||||||
DBG_DEC(usFtc1);
|
DBG_DEC(usFtc1);
|
||||||
DBG_FIXME();
|
DBG_FIXME();
|
||||||
@ -1348,8 +1367,7 @@ vGet8FontInfo(int iFodo, USHORT usIstd,
|
|||||||
*/
|
*/
|
||||||
static BOOL
|
static BOOL
|
||||||
bGet8PicInfo(int iFodo,
|
bGet8PicInfo(int iFodo,
|
||||||
const UCHAR *aucGrpprl, int iBytes, picture_block_type *pPicture)
|
const UCHAR *aucGrpprl, int iBytes, picture_block_type *pPicture) {
|
||||||
{
|
|
||||||
ULONG ulTmp;
|
ULONG ulTmp;
|
||||||
int iFodoOff, iInfoLen;
|
int iFodoOff, iInfoLen;
|
||||||
BOOL bFound;
|
BOOL bFound;
|
||||||
@ -1405,8 +1423,7 @@ void
|
|||||||
vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
||||||
const ULONG *aulBBD, size_t tBBDLen,
|
const ULONG *aulBBD, size_t tBBDLen,
|
||||||
const ULONG *aulSBD, size_t tSBDLen,
|
const ULONG *aulSBD, size_t tSBDLen,
|
||||||
const UCHAR *aucHeader)
|
const UCHAR *aucHeader) {
|
||||||
{
|
|
||||||
font_block_type tFont;
|
font_block_type tFont;
|
||||||
picture_block_type tPicture;
|
picture_block_type tPicture;
|
||||||
ULONG *aulCharPage;
|
ULONG *aulCharPage;
|
||||||
@ -1422,7 +1439,7 @@ vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
|
|
||||||
ulBeginCharInfo = ulGetLong(0xfa, aucHeader); /* fcPlcfbteChpx */
|
ulBeginCharInfo = ulGetLong(0xfa, aucHeader); /* fcPlcfbteChpx */
|
||||||
NO_DBG_HEX(ulBeginCharInfo);
|
NO_DBG_HEX(ulBeginCharInfo);
|
||||||
tCharInfoLen = (size_t)ulGetLong(0xfe, aucHeader); /* lcbPlcfbteChpx */
|
tCharInfoLen = (size_t) ulGetLong(0xfe, aucHeader); /* lcbPlcfbteChpx */
|
||||||
NO_DBG_DEC(tCharInfoLen);
|
NO_DBG_DEC(tCharInfoLen);
|
||||||
if (tCharInfoLen < 4) {
|
if (tCharInfoLen < 4) {
|
||||||
DBG_DEC(tCharInfoLen);
|
DBG_DEC(tCharInfoLen);
|
||||||
@ -1440,7 +1457,7 @@ vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
tLen = (tCharInfoLen / 4 - 1) / 2;
|
tLen = (tCharInfoLen / 4 - 1) / 2;
|
||||||
aulCharPage = xcalloc(tLen, sizeof(ULONG));
|
aulCharPage = xcalloc(tLen, sizeof(ULONG));
|
||||||
for (iIndex = 0, tOffset = (tLen + 1) * 4;
|
for (iIndex = 0, tOffset = (tLen + 1) * 4;
|
||||||
iIndex < (int)tLen;
|
iIndex < (int) tLen;
|
||||||
iIndex++, tOffset += 4) {
|
iIndex++, tOffset += 4) {
|
||||||
aulCharPage[iIndex] = ulGetLong(tOffset, aucBuffer);
|
aulCharPage[iIndex] = ulGetLong(tOffset, aucBuffer);
|
||||||
NO_DBG_DEC(aulCharPage[iIndex]);
|
NO_DBG_DEC(aulCharPage[iIndex]);
|
||||||
@ -1449,7 +1466,7 @@ vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
aucBuffer = xfree(aucBuffer);
|
aucBuffer = xfree(aucBuffer);
|
||||||
NO_DBG_PRINT_BLOCK(aucHeader, HEADER_SIZE);
|
NO_DBG_PRINT_BLOCK(aucHeader, HEADER_SIZE);
|
||||||
|
|
||||||
for (iIndex = 0; iIndex < (int)tLen; iIndex++) {
|
for (iIndex = 0; iIndex < (int) tLen; iIndex++) {
|
||||||
fail(aulCharPage[iIndex] > ULONG_MAX / BIG_BLOCK_SIZE);
|
fail(aulCharPage[iIndex] > ULONG_MAX / BIG_BLOCK_SIZE);
|
||||||
if (!bReadBuffer(pFile, pPPS->tWordDocument.ulSB,
|
if (!bReadBuffer(pFile, pPPS->tWordDocument.ulSB,
|
||||||
aulBBD, tBBDLen, BIG_BLOCK_SIZE,
|
aulBBD, tBBDLen, BIG_BLOCK_SIZE,
|
||||||
@ -1459,15 +1476,15 @@ vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
NO_DBG_PRINT_BLOCK(aucFpage, BIG_BLOCK_SIZE);
|
NO_DBG_PRINT_BLOCK(aucFpage, BIG_BLOCK_SIZE);
|
||||||
iRun = (int)ucGetByte(0x1ff, aucFpage);
|
iRun = (int) ucGetByte(0x1ff, aucFpage);
|
||||||
NO_DBG_DEC(iRun);
|
NO_DBG_DEC(iRun);
|
||||||
for (iIndex2 = 0; iIndex2 < iRun; iIndex2++) {
|
for (iIndex2 = 0; iIndex2 < iRun; iIndex2++) {
|
||||||
ulCharPos = ulGetLong(iIndex2 * 4, aucFpage);
|
ulCharPos = ulGetLong(iIndex2 * 4, aucFpage);
|
||||||
ulFileOffset = ulCharPos2FileOffset(ulCharPos);
|
ulFileOffset = ulCharPos2FileOffset(ulCharPos);
|
||||||
iFodo = 2 * (int)ucGetByte(
|
iFodo = 2 * (int) ucGetByte(
|
||||||
(iRun + 1) * 4 + iIndex2, aucFpage);
|
(iRun + 1) * 4 + iIndex2, aucFpage);
|
||||||
|
|
||||||
iLen = (int)ucGetByte(iFodo, aucFpage);
|
iLen = (int) ucGetByte(iFodo, aucFpage);
|
||||||
|
|
||||||
usIstd = usGetIstd(ulFileOffset);
|
usIstd = usGetIstd(ulFileOffset);
|
||||||
vFillFontFromStylesheet(usIstd, &tFont);
|
vFillFontFromStylesheet(usIstd, &tFont);
|
||||||
@ -1482,7 +1499,7 @@ vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
(void)memset(&tPicture, 0, sizeof(tPicture));
|
(void) memset(&tPicture, 0, sizeof(tPicture));
|
||||||
if (bGet8PicInfo(iFodo, aucFpage + 1,
|
if (bGet8PicInfo(iFodo, aucFpage + 1,
|
||||||
iLen - 1, &tPicture)) {
|
iLen - 1, &tPicture)) {
|
||||||
tPicture.ulFileOffset = ulFileOffset;
|
tPicture.ulFileOffset = ulFileOffset;
|
||||||
|
@ -63,7 +63,7 @@ vAdd2PropModList(const UCHAR *aucPropMod)
|
|||||||
NO_DBG_DEC(tNextFree);
|
NO_DBG_DEC(tNextFree);
|
||||||
|
|
||||||
tLen = 2 + (size_t)usGetWord(0, aucPropMod);
|
tLen = 2 + (size_t)usGetWord(0, aucPropMod);
|
||||||
if (isOutOfBounds(tLen)) {
|
if (isOutOfBounds(tLen, sizeof(short))) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
NO_DBG_HEX(tLen);
|
NO_DBG_HEX(tLen);
|
||||||
|
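Review bot: `isOutOfBounds(tLen, sizeof(short))` passes a length where the function expects an offset: `tLen` is `2 + usGetWord(0, aucPropMod)`, the byte count of the record starting at offset 0, so the call asks whether a two-byte access at position tLen fits rather than whether the tLen-byte record does, and the two differ by the access width. If the intent is to bound the record, `if (isOutOfBounds(0, tLen)) {` says so directly. Whether the thread-local size set by setBufferSize describes the buffer that aucPropMod points into is not visible in the hunk and should be confirmed; vAdd2PropModList continues outside the hunk.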
@ -2,8 +2,8 @@
|
|||||||
|
|
||||||
static __thread ULONG buffer;
|
static __thread ULONG buffer;
|
||||||
|
|
||||||
BOOL isOutOfBounds(ULONG offset) {
|
BOOL isOutOfBounds(ULONG offset, size_t size) {
|
||||||
return offset > buffer;
|
return offset >= buffer - size;
|
||||||
}
|
}
|
||||||
|
|
||||||
void setBufferSize(ULONG size) {
|
void setBufferSize(ULONG size) {
|
||||||
|
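Review bot: `offset >= buffer - size` is evaluated in unsigned arithmetic, so whenever `buffer < size` — including the thread-local `buffer` still being 0 because setBufferSize has not yet run on this thread — the subtraction wraps to a huge value and every offset is reported as in bounds, which silently disables the check. The `>=` is also off by one in the other direction: a `size`-byte access at `offset == buffer - size` ends exactly at the buffer end and is valid, yet is rejected. Both are fixed by `return size > buffer || offset > buffer - size;`. A one-line contract comment would help the callers, e.g. `/* TRUE when a size-byte access at offset would exceed the size recorded by setBufferSize */`.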
@ -220,7 +220,7 @@ vAnalyseSummaryInfo(const UCHAR *aucBuffer)
|
|||||||
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
|
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
|
||||||
NO_DBG_DEC(tPropID);
|
NO_DBG_DEC(tPropID);
|
||||||
NO_DBG_HEX(ulOffset);
|
NO_DBG_HEX(ulOffset);
|
||||||
if (isOutOfBounds(ulOffset)) {
|
if (isOutOfBounds(ulOffset, sizeof(long))) {
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
|
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
|
||||||
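Review bot: The width passed to the new check, `sizeof(long)`, is a host-ABI quantity (8 on LP64, 4 on ILP32), whereas the following `ulGetLong(ulOffset, aucBuffer)` reads a fixed number of bytes of the file format — presumably 4, though its definition is not in the hunk. Tying the bound to the host type makes the check stricter than the read needs on 64-bit builds and only exact on 32-bit ones; pass the on-disk field width instead, `if (isOutOfBounds(ulOffset, 4)) {`, or a named constant for the width ulGetLong reads. The same applies to the hunk in vAnalyseDocumentSummaryInfo below. Only the first read at ulOffset is guarded here; whether later reads relative to ulOffset are checked is outside the hunk.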
@ -280,7 +280,7 @@ vAnalyseDocumentSummaryInfo(const UCHAR *aucBuffer)
|
|||||||
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
|
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
|
||||||
NO_DBG_DEC(tPropID);
|
NO_DBG_DEC(tPropID);
|
||||||
NO_DBG_HEX(ulOffset);
|
NO_DBG_HEX(ulOffset);
|
||||||
if (isOutOfBounds(ulOffset)) {
|
if (isOutOfBounds(ulOffset, sizeof(long))) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
|
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
|
||||||
|