authorAleksander Morgado <aleksander@lanedo.com>2010-08-19 17:43:10 +0200
committerAleksander Morgado <aleksander@lanedo.com>2010-08-19 17:43:10 +0200
commit9ecc78e237309c758d21db6cb646cb423df8d9cc (patch)
tree5fdb5f91ee787b7bfe0c2458e195f2f5a674dc7e
parent7a9b3ca9d5d5e0e785a0cb4a818cac41e9ba4bbb (diff)
downloadtracker-9ecc78e237309c758d21db6cb646cb423df8d9cc.tar.gz
Fixes GB#627281: Crash in msoffice extractor
* Length of PRC structure was wrongly read when greater than 256 bytes.
-rw-r--r--src/tracker-extract/tracker-extract-msoffice.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/tracker-extract/tracker-extract-msoffice.c b/src/tracker-extract/tracker-extract-msoffice.c
index 099c7aa94..2360c0fe6 100644
--- a/src/tracker-extract/tracker-extract-msoffice.c
+++ b/src/tracker-extract/tracker-extract-msoffice.c
@@ -866,12 +866,21 @@ extract_msword_content (GsfInfile *infile,
while (TRUE) {
if (clx[i] == 2) {
+ /* Nice, a proper structure with contents, no need to
+ * iterate more. */
lcb_piece_table = read_32bit (clx + (i + 1));
piece_table = clx + i + 5;
piece_count = (lcb_piece_table - 4) / 12;
break;
} else if (clx[i] == 1) {
- i = i + 2 + clx[i + 1];
+ /* Oh, a PRC structure with properties of text, not
+ * real text, so skip it */
+ guint16 GrpPrl_len;
+
+
+ GrpPrl_len = read_16bit (&clx[i+1]);
+ /* 3 is the length of clxt (1byte) and cbGrpprl(2bytes) */
+ i = i + 3 + GrpPrl_len;
} else {
break;
}
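Review bot: The new skip `i = i + 3 + GrpPrl_len;` advances `i` by a 16-bit length read from the document without comparing it to the size of the `clx` buffer, so a malformed file can make the next `clx[i]` or the `read_16bit`/`read_32bit` calls read past the allocation. The buffer's length is not visible in this hunk; assuming it is available in extract_msword_content, bound each iteration with something like `if (i + 3 > clx_len) break;` before `read_16bit (&clx[i+1])`, where `clx_len` is a placeholder for whatever variable holds the CLX size. The `clx[i] == 2` branch would need the same kind of check for its 5 header bytes, and `(lcb_piece_table - 4) / 12` should be skipped when `lcb_piece_table < 4`. The loop and the enclosing function both continue outside the hunk, so an existing bound elsewhere cannot be ruled out from here.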