diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
index 02a82a0..78ac31d 100644
--- a/filters/words/msword-odf/wv2/src/styles.cpp
+++ b/filters/words/msword-odf/wv2/src/styles.cpp
@@ -248,6 +248,11 @@ throw(InvalidFormatException)
#ifdef WV2_DEBUG_STYLESHEET
wvlog << "cbUPX: " << cbUPX << endl;
#endif
+ // do not overflow the allocated buffer grupx
+ if (offset + cbUPX > grupxLen) {
+ wvlog << "====> Error: grupx would overflow!" << endl;
+ return false;
+ }
for ( U16 j = 0; j < cbUPX; ++j ) {
grupx[ offset + j ] = stream->readU8(); // read the whole UPX
#ifdef WV2_DEBUG_STYLESHEET
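Review bot: The new guard `if (offset + cbUPX > grupxLen)` is only sound if the sum cannot wrap, and the declarations of `offset`, `cbUPX` and `grupxLen` are outside this hunk, so that cannot be confirmed from here. If any of them is a 32-bit unsigned value derived from the file, the subtraction form `if (offset > grupxLen || cbUPX > grupxLen - offset) {` avoids the wrap without changing the intent. The log line would be more useful for triaging malformed documents if it printed the three values, e.g. `wvlog << "Error: grupx would overflow! offset=" << offset << " cbUPX=" << cbUPX << " grupxLen=" << grupxLen << endl;`. The early `return false` leaves `grupx` partially filled and the stream positioned mid-record; the rest of the function and its callers are not visible here, so it is worth checking that the buffer is still released and that the caller rejects the style rather than using it.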