From e42834b844f3282d8ccb0889abf1b33f3f71e02f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 30 Oct 2018 11:04:20 +0000
Subject: [PATCH] Resolves: rhbz#1643752 crash in specific wpd file

---
 ...43752-bounds-check-m_currentTable-ac.patch | 29 +++++++++++++++++++
 libwpd.spec                                   |  7 ++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch

diff --git a/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch b/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch
new file mode 100644
index 0000000..01cce98
--- /dev/null
+++ b/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch
@@ -0,0 +1,29 @@
+diff -ru libwpd-0.10.2/src/lib/WP6ContentListener.cpp libwpd-0.10.2.new/src/lib/WP6ContentListener.cpp
+--- libwpd-0.10.2/src/lib/WP6ContentListener.cpp	2017-09-08 18:04:25.000000000 +0100
++++ libwpd-0.10.2.new/src/lib/WP6ContentListener.cpp	2018-10-30 10:54:22.326697162 +0000
+@@ -1311,7 +1311,10 @@
+ 		m_ps->m_tableDefinition.m_columnsProperties.clear();
+ 
+ 		// pull a table definition off of our stack
+-		m_parseState->m_currentTable = m_parseState->m_tableList[m_parseState->m_nextTableIndice++];
++		auto index = m_parseState->m_nextTableIndice++;
++		if (index >= m_parseState->m_tableList.size())
++			throw ParseException();
++		m_parseState->m_currentTable = m_parseState->m_tableList[index];
+ 		if (!m_parseState->m_currentTable)
+ 			throw ParseException();
+ 		m_parseState->m_currentTable->makeBordersConsistent();
+diff -ru libwpd-0.10.2/src/lib/WPXTable.h libwpd-0.10.2.new/src/lib/WPXTable.h
+--- libwpd-0.10.2/src/lib/WPXTable.h	2015-12-30 08:27:30.000000000 +0000
++++ libwpd-0.10.2.new/src/lib/WPXTable.h	2018-10-30 10:55:41.264362182 +0000
+@@ -92,6 +92,10 @@
+ 	{
+ 		m_tableList->push_back(table);
+ 	}
++	size_t size() const
++	{
++		return m_tableList->size();
++	}
+ 
+ private:
+ 	void release();
diff --git a/libwpd.spec b/libwpd.spec
index 36b93ff..516a86b 100644
--- a/libwpd.spec
+++ b/libwpd.spec
@@ -3,7 +3,7 @@
 Name: libwpd
 Summary: A library for import of WordPerfect documents
 Version: 0.10.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
 URL: http://libwpd.sf.net/
 License: LGPLv2+ or MPLv2.0
@@ -17,6 +17,8 @@ BuildRequires: pkgconfig(librevenge-generators-0.0)
 BuildRequires: pkgconfig(librevenge-stream-0.0)
 BuildRequires: pkgconfig(zlib)
 
+Patch0: 0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch
+
 %description
 %{name} is a library for import of WordPerfect documents.
 
@@ -94,6 +96,9 @@ install -m 0644 wpd2*.1 %{buildroot}/%{_mandir}/man1
 %doc docs/%{name}.png
 
 %changelog
+* Tue Oct 30 2018 Caolán McNamara <caolanm@redhat.com> - 0.10.2-4
+- Resolves: rhbz#1643752 crash in specific wpd file
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild