[Libreoffice-commits] .: 12 commits - basic/source cui/source editeng/source extensions/source filter/source hunspell/hunspell-1.3.2-overflow.patch hunspell/makefile.mk neon/makefile.mk neon/neon_ne_set_request_flag.patch redland/raptor sc/source sd/source sot/source sw/source vcl/source writerfilter/source xmloff/source xpdf/makefile.mk xpdf/xpdf-3.02-gfxColorMaxComps.patch

Michael Stahl mst at kemper.freedesktop.org
Fri Jul 27 08:52:04 PDT 2012


 basic/source/runtime/runtime.cxx                    |    6 
 cui/source/tabpages/numpages.cxx                    |    6 
 editeng/source/rtf/svxrtf.cxx                       |    4 
 extensions/source/scanner/sane.cxx                  |    2 
 filter/source/graphicfilter/icgm/chart.cxx          |    2 
 hunspell/hunspell-1.3.2-overflow.patch              |   91 +++
 hunspell/makefile.mk                                |    1 
 neon/makefile.mk                                    |    2 
 neon/neon_ne_set_request_flag.patch                 |   11 
 redland/raptor/makefile.mk                          |    1 
 redland/raptor/raptor-1.4.18.patch.fixes            |   42 +
 sc/source/filter/excel/fontbuff.cxx                 |    2 
 sc/source/filter/excel/tokstack.cxx                 |  514 ++++++++++++--------
 sc/source/filter/inc/lotfntbf.hxx                   |    5 
 sc/source/filter/inc/lotimpop.hxx                   |    1 
 sc/source/filter/inc/root.hxx                       |    3 
 sc/source/filter/inc/scflt.hxx                      |    1 
 sc/source/filter/inc/tokstack.hxx                   |   33 -
 sc/source/filter/lotus/filter.cxx                   |   15 
 sc/source/filter/lotus/lotattr.cxx                  |    9 
 sc/source/filter/lotus/lotform.cxx                  |   24 
 sc/source/filter/lotus/lotimpop.cxx                 |   96 +--
 sc/source/filter/lotus/lotread.cxx                  |   36 -
 sc/source/filter/lotus/memory.cxx                   |   57 --
 sc/source/filter/lotus/op.cxx                       |  212 ++++----
 sc/source/filter/lotus/tool.cxx                     |   15 
 sc/source/filter/qpro/qpro.cxx                      |   20 
 sc/source/filter/starcalc/scflt.cxx                 |  225 +++++---
 sd/source/core/sdpage.cxx                           |    6 
 sd/source/filter/ppt/pptanimations.hxx              |    2 
 sot/source/sdstor/stg.cxx                           |  117 ++--
 sot/source/sdstor/stgavl.cxx                        |   78 +--
 sot/source/sdstor/stgcache.cxx                      |   57 +-
 sot/source/sdstor/stgcache.hxx                      |    2 
 sot/source/sdstor/stgdir.cxx                        |   58 +-
 sot/source/sdstor/stgdir.hxx                        |    2 
 sot/source/sdstor/stgelem.cxx                       |   76 ++
 sot/source/sdstor/stgelem.hxx                       |    3 
 sot/source/sdstor/stgio.cxx                         |   31 -
 sot/source/sdstor/stgole.cxx                        |   35 -
 sot/source/sdstor/stgstrms.cxx                      |   91 ++-
 sot/source/sdstor/stgstrms.hxx                      |    4 
 sot/source/sdstor/storinfo.cxx                      |    4 
 sw/source/core/doc/docnum.cxx                       |    8 
 sw/source/core/doc/number.cxx                       |    4 
 sw/source/filter/rtf/rtffld.cxx                     |   19 
 sw/source/filter/rtf/rtffly.cxx                     |    8 
 sw/source/filter/rtf/rtftbl.cxx                     |   12 
 sw/source/filter/rtf/swparrtf.cxx                   |    6 
 sw/source/filter/ww1/w1filter.cxx                   |    2 
 sw/source/filter/ww8/ww8graf.cxx                    |    2 
 sw/source/filter/ww8/ww8par5.cxx                    |    8 
 sw/source/filter/ww8/ww8par6.cxx                    |    2 
 sw/source/ui/app/docsh.cxx                          |   11 
 sw/source/ui/dialog/ascfldlg.cxx                    |    2 
 sw/source/ui/misc/num.cxx                           |    5 
 sw/source/ui/table/tabledlg.cxx                     |    6 
 sw/source/ui/utlui/unotools.cxx                     |    6 
 vcl/source/gdi/metric.cxx                           |    2 
 vcl/source/gdi/outmap.cxx                           |   11 
 writerfilter/source/ooxml/OOXMLFastTokenHandler.cxx |   12 
 xmloff/source/style/weighhdl.cxx                    |    2 
 xpdf/makefile.mk                                    |    2 
 xpdf/xpdf-3.02-gfxColorMaxComps.patch               |   24 
 64 files changed, 1383 insertions(+), 773 deletions(-)

New commits:
commit e3d18d2687639dd7687b658cf621f1e9d22b71f4
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:31:48 2012 +0200

    xpdf: fix some warnings

diff --git a/xpdf/makefile.mk b/xpdf/makefile.mk
index 046994f..ff6dd6a 100644
--- a/xpdf/makefile.mk
+++ b/xpdf/makefile.mk
@@ -48,7 +48,7 @@ dummy:
 
 TARFILE_NAME=xpdf-3.02
 TARFILE_MD5=599dc4cc65a07ee868cf92a667a913d2
-PATCH_FILES=$(TARFILE_NAME).patch xpdf-3.02-ooopwd.patch
+PATCH_FILES=$(TARFILE_NAME).patch xpdf-3.02-ooopwd.patch xpdf-3.02-gfxColorMaxComps.patch
 
 CONFIGURE_DIR=
 BUILD_DIR=$(CONFIGURE_DIR)
diff --git a/xpdf/xpdf-3.02-gfxColorMaxComps.patch b/xpdf/xpdf-3.02-gfxColorMaxComps.patch
new file mode 100644
index 0000000..3f0870b
--- /dev/null
+++ b/xpdf/xpdf-3.02-gfxColorMaxComps.patch
@@ -0,0 +1,24 @@
+--- misc/xpdf-3.02/xpdf/GfxState.cc	2007-02-27 23:05:52.000000000 +0100
++++ misc/build/xpdf-3.02/xpdf/GfxState.cc	2011-05-18 20:08:45.003807128 +0200
+@@ -2678,7 +2678,7 @@
+   double x[16], y[16];
+   Guint xi, yi;
+   GfxColorComp c[4][gfxColorMaxComps];
+-  Guint ci[4];
++  Guint ci[gfxColorMaxComps];
+   GfxShadingBitBuf *bitBuf;
+   Object obj1, obj2;
+   int i, j;
+--- misc/xpdf-3.02/xpdf/GfxState.h	2007-02-27 23:05:52.000000000 +0100
++++ misc/build/xpdf-3.02/xpdf/GfxState.h	2011-05-18 20:13:26.973936566 +0200
+@@ -393,8 +393,8 @@
+ 
+   int nComps;			// number of color components (1, 3, or 4)
+   GfxColorSpace *alt;		// alternate color space
+-  double rangeMin[4];		// min values for each component
+-  double rangeMax[4];		// max values for each component
++  double rangeMin[gfxColorMaxComps];	// min values for each component
++  double rangeMax[gfxColorMaxComps];	// max values for each component
+   Ref iccProfileStream;		// the ICC profile
+ };
+ 
commit 31dbc60506da093ec35911db6dde03b4ce31169b
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:31:34 2012 +0200

    redland: fix some warnings in raptor

diff --git a/redland/raptor/makefile.mk b/redland/raptor/makefile.mk
index 9d8dcf9..635ac56 100644
--- a/redland/raptor/makefile.mk
+++ b/redland/raptor/makefile.mk
@@ -57,6 +57,7 @@ OOO_PATCH_FILES= \
     $(TARFILE_NAME).patch.ooo_build \
     $(TARFILE_NAME).patch.dmake \
     $(TARFILE_NAME).patch.win32 \
+    $(TARFILE_NAME).patch.fixes \
     $(TARFILE_NAME).patch.rindex \
     raptor-aix.patch \
     $(TARFILE_NAME).entities.patch
diff --git a/redland/raptor/raptor-1.4.18.patch.fixes b/redland/raptor/raptor-1.4.18.patch.fixes
new file mode 100644
index 0000000..7b7c959
--- /dev/null
+++ b/redland/raptor/raptor-1.4.18.patch.fixes
@@ -0,0 +1,42 @@
+--- misc/raptor-1.4.18/src/raptor_abbrev.c	2008-06-15 09:34:06.000000000 +0200
++++ misc/build/raptor-1.4.18/src/raptor_abbrev.c	2011-05-18 18:58:35.440435467 +0200
+@@ -124,6 +124,7 @@
+         case RAPTOR_IDENTIFIER_TYPE_UNKNOWN: 
+         default:
+           RAPTOR_FREE(raptor_abbrev_node, node);
++          node = NULL;
+     }
+     
+   }
+--- misc/raptor-1.4.18/src/raptor_parse.c	2008-06-15 09:18:50.000000000 +0200
++++ misc/build/raptor-1.4.18/src/raptor_parse.c	2011-05-18 18:58:32.143702301 +0200
+@@ -1870,7 +1870,7 @@
+         ((char*)buffer)[FIRSTN]=c;
+     }
+ 
+-    if(i > MAX_PARSERS) {
++    if(i >= MAX_PARSERS) {
+       raptor_finish();
+       RAPTOR_FATAL2("Number of parsers greater than static buffer size %d\n",
+                     MAX_PARSERS);
+--- misc/raptor-1.4.18/src/raptor_rdfxml.c	2008-06-15 10:12:06.000000000 +0200
++++ misc/build/raptor-1.4.18/src/raptor_rdfxml.c	2011-05-18 18:58:30.031671100 +0200
+@@ -404,7 +404,7 @@
+ static const char *
+ raptor_rdfxml_element_content_type_as_string(raptor_rdfxml_element_content_type type) 
+ {
+-  if(type > RAPTOR_RDFXML_ELEMENT_CONTENT_TYPE_LAST)
++  if(type >= RAPTOR_RDFXML_ELEMENT_CONTENT_TYPE_LAST)
+     return "INVALID";
+   return rdf_content_type_info[type].name;
+ }
+--- misc/raptor-1.4.18/src/raptor_serialize_dot.c	2008-06-15 09:34:29.000000000 +0200
++++ misc/build/raptor-1.4.18/src/raptor_serialize_dot.c	2011-05-18 18:58:33.986920218 +0200
+@@ -266,6 +266,7 @@
+       case RAPTOR_IDENTIFIER_TYPE_UNKNOWN: 
+       default:
+         RAPTOR_FREE(raptor_dot_serializer_node, node);
++        node = NULL;
+     }
+     
+   }
commit 91d3cbe0801c609ae39087129bd926b1c0d32300
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:31:26 2012 +0200

    neon: fix some warnings

diff --git a/neon/makefile.mk b/neon/makefile.mk
index c92a849..bf5b302 100644
--- a/neon/makefile.mk
+++ b/neon/makefile.mk
@@ -50,7 +50,7 @@ NEON_NAME=neon-0.29.5
 
 TARFILE_NAME=$(NEON_NAME)
 TARFILE_MD5=ff369e69ef0f0143beb5626164e87ae2
-PATCH_FILES=neon.patch
+PATCH_FILES=neon.patch neon_ne_set_request_flag.patch
 
 .IF "$(GUI)"=="WNT"
     PATCH_FILES+=neon_exports_win.patch
diff --git a/neon/neon_ne_set_request_flag.patch b/neon/neon_ne_set_request_flag.patch
new file mode 100644
index 0000000..162c3bd
--- /dev/null
+++ b/neon/neon_ne_set_request_flag.patch
@@ -0,0 +1,11 @@
+--- misc/neon-0.29.5/src/ne_request.c	2010-09-28 13:57:26.000000000 +0200
++++ misc/build/neon-0.29.5/src/ne_request.c	2011-05-18 12:39:05.134445529 +0200
+@@ -529,7 +529,7 @@
+ 
+ void ne_set_request_flag(ne_request *req, ne_request_flag flag, int value)
+ {
+-    if (flag < NE_SESSFLAG_LAST) {
++    if (flag < NE_REQFLAG_LAST) {
+         req->flags[flag] = value;
+     }
+ }
commit aab05a9444088c1ade1688ab8ab12f588962e8cd
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:31:15 2012 +0200

    hunspell: fix warnings

diff --git a/hunspell/hunspell-1.3.2-overflow.patch b/hunspell/hunspell-1.3.2-overflow.patch
new file mode 100644
index 0000000..46d4c67
--- /dev/null
+++ b/hunspell/hunspell-1.3.2-overflow.patch
@@ -0,0 +1,91 @@
+--- misc/hunspell-1.3.2/src/hunspell/affixmgr.cxx	2010-02-27 12:59:53.000000000 +0100
++++ misc/build/hunspell-1.3.2/src/hunspell/affixmgr.cxx	2011-05-18 16:29:45.919141893 +0200
+@@ -6,6 +6,8 @@
+ #include <stdio.h>
+ #include <ctype.h>
+ 
++#include <limits>
++
+ #include "affixmgr.hxx"
+ #include "affentry.hxx"
+ #include "langnum.hxx"
+@@ -4000,7 +4002,10 @@
+              case 3: { 
+                        np++;
+                        numents = atoi(piece); 
+-                       if (numents == 0) {
++                       if ((numents <= 0) ||
++                           ((::std::numeric_limits<size_t>::max()
++                                / sizeof(struct affentry)) < numents))
++                       {
+                            char * err = pHMgr->encode_flag(aflag);
+                            if (err) {
+                                 HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n",
+--- misc/hunspell-1.3.2/src/tools/munch.c	2010-02-27 21:49:49.000000000 +0100
++++ misc/build/hunspell-1.3.2/src/tools/munch.c	2011-05-18 15:53:53.427072106 +0200
+@@ -4,6 +4,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -233,10 +233,19 @@
+                     case 1: { achar = *piece; break; }
+                     case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
+                     case 3: { numents = atoi(piece); 
+-                              ptr = malloc(numents * sizeof(struct affent));
+-                              ptr->achar = achar;
+-                              ptr->xpflg = ff;
+-	                      fprintf(stderr,"parsing %c entries %d\n",achar,numents);
++                              if ((numents < 0) ||
++                                  ((SIZE_MAX/sizeof(struct affent)) < numents))
++                              {
++                                 fprintf(stderr,
++                                     "Error: too many entries: %d\n", numents);
++                                 numents = 0;
++                              } else {
++                                 ptr = malloc(numents * sizeof(struct affent));
++                                 ptr->achar = achar;
++                                 ptr->xpflg = ff;
++                                 fprintf(stderr,"parsing %c entries %d\n",
++                                         achar,numents);
++                              }
+                               break;
+                             }
+ 		    default: break;
+--- misc/hunspell-1.3.2/src/tools/unmunch.c	2010-02-23 15:53:29.000000000 +0100
++++ misc/build/hunspell-1.3.2/src/tools/unmunch.c	2011-05-18 20:53:43.843599726 +0200
+@@ -6,6 +6,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -158,10 +159,19 @@
+                     case 1: { achar = *piece; break; }
+                     case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
+                     case 3: { numents = atoi(piece); 
+-                              ptr = malloc(numents * sizeof(struct affent));
+-                              ptr->achar = achar;
+-                              ptr->xpflg = ff;
+-	                      fprintf(stderr,"parsing %c entries %d\n",achar,numents);
++                              if ((numents < 0) ||
++                                  ((SIZE_MAX/sizeof(struct affent)) < numents))
++                              {
++                                 fprintf(stderr,
++                                     "Error: too many entries: %d\n", numents);
++                                 numents = 0;
++                              } else {
++                                 ptr = malloc(numents * sizeof(struct affent));
++                                 ptr->achar = achar;
++                                 ptr->xpflg = ff;
++                                 fprintf(stderr,"parsing %c entries %d\n",
++                                         achar,numents);
++                              }
+                               break;
+                             }
+ 		    default: break;
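Review bot: In the munch.c and unmunch.c parts, the new else branch still stores through `ptr` without checking the result of `malloc`, and the guard `numents < 0` lets a count of 0 through, so `malloc(0)` followed by `ptr->achar = achar;` writes past a zero-length allocation or through NULL. The affixmgr.cxx part of the same patch already rejects `numents <= 0`; using that test here and adding `if (ptr == NULL) { numents = 0; break; }` before the two stores would close both cases. On builds where `size_t` is wider than `int`, `SIZE_MAX/sizeof(struct affent)` exceeds every `int` value, so only the sign test and a NULL check actually bound the allocation. The enclosing parse loop continues outside the hunk, so how `ptr` is used after the error path cannot be confirmed from here.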
diff --git a/hunspell/makefile.mk b/hunspell/makefile.mk
index c4377a6..65ca45b 100644
--- a/hunspell/makefile.mk
+++ b/hunspell/makefile.mk
@@ -45,6 +45,7 @@ PATCH_FILES=\
     hunspell-static.patch \
     hunspell-wntconfig.patch \
     hunspell-solaris.patch \
+    hunspell-1.3.2-overflow.patch \
     hunspell-android.patch
 
 .IF "$(GUI)"=="UNX"
commit 6a94d7b5c924e3a8ef3ff0f68f54061c035a3cb0
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:31:08 2012 +0200

    basic, cui, extensions, filter, vcl: fix some warnings

diff --git a/basic/source/runtime/runtime.cxx b/basic/source/runtime/runtime.cxx
index f86e01f..27517b5 100644
--- a/basic/source/runtime/runtime.cxx
+++ b/basic/source/runtime/runtime.cxx
@@ -702,17 +702,17 @@ sal_Bool SbiRuntime::Step()
 
         SbiOpcode eOp = (SbiOpcode ) ( *pCode++ );
         sal_uInt32 nOp1, nOp2;
-        if( eOp <= SbOP0_END )
+        if (eOp < SbOP0_END)
         {
             (this->*( aStep0[ eOp ] ) )();
         }
-        else if( eOp >= SbOP1_START && eOp <= SbOP1_END )
+        else if (eOp >= SbOP1_START && eOp < SbOP1_END)
         {
             nOp1 = *pCode++; nOp1 |= *pCode++ << 8; nOp1 |= *pCode++ << 16; nOp1 |= *pCode++ << 24;
 
             (this->*( aStep1[ eOp - SbOP1_START ] ) )( nOp1 );
         }
-        else if( eOp >= SbOP2_START && eOp <= SbOP2_END )
+        else if (eOp >= SbOP2_START && eOp < SbOP2_END)
         {
             nOp1 = *pCode++; nOp1 |= *pCode++ << 8; nOp1 |= *pCode++ << 16; nOp1 |= *pCode++ << 24;
             nOp2 = *pCode++; nOp2 |= *pCode++ << 8; nOp2 |= *pCode++ << 16; nOp2 |= *pCode++ << 24;
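Review bot: Changing `<=` to `<` on `SbOP0_END`, `SbOP1_END` and `SbOP2_END` is only correct if those enumerators are one-past-the-end sentinels that match the sizes of `aStep0`, `aStep1` and `aStep2`; neither the enum nor the table declarations are visible in this hunk. If any of them names the last valid opcode of its group, that opcode is now rejected and falls through to the branch after the hunk. A comment above the first test, for example `// SbOPn_END is one past the last opcode of group n; aStepN has exactly SbOPn_END - SbOPn_START entries`, would record the invariant the bounds rely on.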
diff --git a/cui/source/tabpages/numpages.cxx b/cui/source/tabpages/numpages.cxx
index 6008b63..76125b2 100644
--- a/cui/source/tabpages/numpages.cxx
+++ b/cui/source/tabpages/numpages.cxx
@@ -2840,6 +2840,12 @@ void SvxNumPositionTabPage::InitControls()
         nMask <<= 1;
 
     }
+    if (SVX_MAX_NUM <= nLvl)
+    {
+        OSL_ENSURE(false, "cannot happen.");
+        return;
+    }
+
     if(bSameDistBorderNum)
     {
         long nDistBorderNum;
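Review bot: The assertion text `"cannot happen."` in the new guard says nothing about which function or which condition failed when it does fire in a debug build; `OSL_ENSURE(false, "SvxNumPositionTabPage::InitControls: nLvl out of range");` would be searchable in a log. The same message is added in SwNumPositionTabPage::InitControls (sw/source/ui/misc/num.cxx) and SwTableColumnPage::ModifyHdl (sw/source/ui/table/tabledlg.cxx). The early return also skips the remainder of InitControls, which continues outside this hunk, so a one-line comment stating that leaving the controls untouched is intended would help the next reader.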
diff --git a/extensions/source/scanner/sane.cxx b/extensions/source/scanner/sane.cxx
index 3ace08b..8159b1a 100644
--- a/extensions/source/scanner/sane.cxx
+++ b/extensions/source/scanner/sane.cxx
@@ -1002,7 +1002,7 @@ String Sane::GetOptionUnitName( int n )
     String aText;
     SANE_Unit nUnit = mppOptions[n]->unit;
     size_t nUnitAsSize = (size_t)nUnit;
-    if( nUnitAsSize > SAL_N_ELEMENTS( ppUnits ) )
+    if (nUnitAsSize >= SAL_N_ELEMENTS( ppUnits ))
         aText = rtl::OUString("[unknown units]");
     else
         aText = String( ppUnits[ nUnit ], osl_getThreadTextEncoding() );
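Review bot: The bounds test is made on `nUnitAsSize` but the array is then indexed with `nUnit`; indexing with the checked variable, `ppUnits[ nUnitAsSize ]`, keeps the check and the use tied to the same value. `mppOptions[n]` at the top of the function is dereferenced with no range check on `n` in the lines shown, which may be validated by callers that are not visible here.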
diff --git a/filter/source/graphicfilter/icgm/chart.cxx b/filter/source/graphicfilter/icgm/chart.cxx
index 4651a04..b21ae89 100644
--- a/filter/source/graphicfilter/icgm/chart.cxx
+++ b/filter/source/graphicfilter/icgm/chart.cxx
@@ -69,7 +69,6 @@ void CGMChart::DeleteTextEntry( TextEntry* pTextEntry )
             pTAttr = pTAttr->pNextAttribute;
             delete pTempTAttr;
         }
-        delete pTextEntry;
         ::std::vector< TextEntry* >::iterator it;
         for ( it = maTextEntryList.begin(); it != maTextEntryList.end(); ++it )
         {
@@ -79,6 +78,7 @@ void CGMChart::DeleteTextEntry( TextEntry* pTextEntry )
                 break;
             }
         }
+        delete pTextEntry;
     }
 };
 
diff --git a/vcl/source/gdi/metric.cxx b/vcl/source/gdi/metric.cxx
index a523b41..bb9673c 100644
--- a/vcl/source/gdi/metric.cxx
+++ b/vcl/source/gdi/metric.cxx
@@ -714,7 +714,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
             while( cMin < cEnd )
             {
                 int j = 0;
-                for(; (cMin < cEnd) && (j < NINSIZE); ++cMin )
+                for (; (cMin < cEnd) && (j < (NINSIZE-1)); ++cMin)
                 {
                     if( cMin >= 0x0100 )
                         cCharsInp[ j++ ] = static_cast<sal_Char>(cMin >> 8);
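Review bot: The new bound `j < (NINSIZE-1)` carries no comment explaining why one slot is held back. The first visible store `cCharsInp[ j++ ]` is conditional on `cMin >= 0x0100`, so an iteration presumably appends up to two bytes; a comment such as `// one code point may append two bytes, so stop one short of NINSIZE` would record that. The rest of the loop body is outside the hunk, so the two-byte assumption should be confirmed against it.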
diff --git a/vcl/source/gdi/outmap.cxx b/vcl/source/gdi/outmap.cxx
index 42e96c2..284f473 100644
--- a/vcl/source/gdi/outmap.cxx
+++ b/vcl/source/gdi/outmap.cxx
@@ -61,9 +61,10 @@ DBG_NAMEEX( Region )
 
 // =======================================================================
 
-static long aImplNumeratorAry[MAP_PIXEL+1] =
+static int const s_ImplArySize = MAP_PIXEL+1;
+static long aImplNumeratorAry[s_ImplArySize] =
     {    1,   1,   5,  50,    1,   1,  1, 1,  1,    1, 1 };
-static long aImplDenominatorAry[MAP_PIXEL+1] =
+static long aImplDenominatorAry[s_ImplArySize] =
      { 2540, 254, 127, 127, 1000, 100, 10, 1, 72, 1440, 1 };
 
 // -----------------------------------------------------------------------
@@ -1660,9 +1661,9 @@ basegfx::B2DPolyPolygon OutputDevice::PixelToLogic( const basegfx::B2DPolyPolygo
 #define ENTER3( eUnitSource, eUnitDest )                                \
     long nNumerator      = 1;       \
     long nDenominator    = 1;       \
-    DBG_ASSERT( eUnitSource <= MAP_PIXEL, "nonpermitted source map unit");  \
-    DBG_ASSERT( eUnitDest <= MAP_PIXEL, "nonpermitted destination map unit");   \
-    if( (eUnitSource <= MAP_PIXEL) && (eUnitDest <= MAP_PIXEL) )    \
+	DBG_ASSERT( eUnitSource < s_ImplArySize, "Invalid source map unit");	\
+	DBG_ASSERT( eUnitDest < s_ImplArySize, "Invalid destination map unit");	\
+	if( (eUnitSource < s_ImplArySize) && (eUnitDest < s_ImplArySize) )	\
     {   \
         nNumerator   = aImplNumeratorAry[eUnitSource] *             \
                            aImplDenominatorAry[eUnitDest];              \
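Review bot: The three replaced lines of `ENTER3` are indented with tabs while the rest of the macro uses spaces, which breaks the alignment of the continuation backslashes. The guard also remains upper-bound only, and `s_ImplArySize` is a signed `int`, so a negative unit value would pass `eUnitSource < s_ImplArySize` and index before `aImplNumeratorAry`; whether the map-unit type can carry a negative value is not visible here. The macro continues outside the hunk.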
commit 89f08dce89adfddd3fb8e00b7a7a9c5da2a4943e
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:31:03 2012 +0200

    sd, sfx2, writerfilter, xmloff: fix some warnings

diff --git a/sd/source/core/sdpage.cxx b/sd/source/core/sdpage.cxx
index 5f5d5cc..0432f54 100644
--- a/sd/source/core/sdpage.cxx
+++ b/sd/source/core/sdpage.cxx
@@ -1384,7 +1384,7 @@ void findAutoLayoutShapesImpl( SdPage& rPage, const LayoutDescriptor& rDescripto
     bool bMissing = false;
 
     // for each entry in the layoutdescriptor, arrange a presentation shape
-    for( i = 0; (i < PRESOBJ_MAX) && (rDescriptor.meKind[i] != PRESOBJ_NONE); i++ )
+    for (i = 0; (i < MAX_PRESOBJS) && (rDescriptor.meKind[i] != PRESOBJ_NONE); i++)
     {
         PresObjKind eKind = rDescriptor.meKind[i];
         SdrObject* pObj = 0;
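Review bot: The loop bound now uses `MAX_PRESOBJS`, but nothing in these hunks shows that the arrays indexed with `i` are declared with that constant: `rDescriptor.meKind` and `rShapes` here, and `aLayoutShapes`, `aDescriptor.mbVertical` and `aRectangle` in the SdPage::SetAutoLayout hunk. If any of them is sized differently the overrun this change is aimed at can reappear. A short comment at the first loop, such as `// meKind, mbVertical and the shape/rectangle arrays all have MAX_PRESOBJS entries`, or a compile-time check next to the declarations, would make the dependency explicit.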
@@ -1406,7 +1406,7 @@ void findAutoLayoutShapesImpl( SdPage& rPage, const LayoutDescriptor& rDescripto
     if( bMissing && bInit )
     {
         // for each entry in the layoutdescriptor, look for an alternative shape
-        for( i = 0; (i < PRESOBJ_MAX) && (rDescriptor.meKind[i] != PRESOBJ_NONE); i++ )
+        for (i = 0; (i < MAX_PRESOBJS) && (rDescriptor.meKind[i] != PRESOBJ_NONE); i++)
         {
             if( rShapes[i] )
                 continue;
@@ -1566,7 +1566,7 @@ void SdPage::SetAutoLayout(AutoLayout eLayout, sal_Bool bInit, sal_Bool bCreate
     int i;
 
     // for each entry in the layoutdescriptor, arrange a presentation shape
-    for( i = 0; (i < PRESOBJ_MAX) && (aDescriptor.meKind[i] != PRESOBJ_NONE); i++ )
+    for (i = 0; (i < MAX_PRESOBJS) && (aDescriptor.meKind[i] != PRESOBJ_NONE); i++)
     {
         PresObjKind eKind = aDescriptor.meKind[i];
         SdrObject* pObj = InsertAutoLayoutShape( aLayoutShapes[i], eKind, aDescriptor.mbVertical[i], aRectangle[i], bInit );
diff --git a/sd/source/filter/ppt/pptanimations.hxx b/sd/source/filter/ppt/pptanimations.hxx
index 972eea4..92054bd 100644
--- a/sd/source/filter/ppt/pptanimations.hxx
+++ b/sd/source/filter/ppt/pptanimations.hxx
@@ -112,7 +112,7 @@ namespace ppt
 #define DFF_ANIM_GROUP_ID                   19
 #define DFF_ANIM_NODE_TYPE                  20
 #define DFF_ANIM_VOLUME                     22
-#define DFF_ANIM_PROPERTY_ID_COUNT          DFF_ANIM_VOLUME
+#define DFF_ANIM_PROPERTY_ID_COUNT			(DFF_ANIM_VOLUME + 1)
 
 // property types
 #define DFF_ANIM_PROP_TYPE_BYTE             0
diff --git a/writerfilter/source/ooxml/OOXMLFastTokenHandler.cxx b/writerfilter/source/ooxml/OOXMLFastTokenHandler.cxx
index 53338c8..3dbf308 100644
--- a/writerfilter/source/ooxml/OOXMLFastTokenHandler.cxx
+++ b/writerfilter/source/ooxml/OOXMLFastTokenHandler.cxx
@@ -63,6 +63,8 @@ OUString SAL_CALL OOXMLFastTokenHandler::getIdentifier(::sal_Int32 Token)
 {
     OUString sResult;
 
+#if 0
+    //FIXME this is broken: tokenmap::wordlist is not indexed by Token!
     if ( Token >= 0 || Token < OOXML_FAST_TOKENS_END )
     {
         static OUString aTokens[OOXML_FAST_TOKENS_END];
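Review bot: The block disabled with `#if 0` keeps the test `Token >= 0 || Token < OOXML_FAST_TOKENS_END`, which is true for every value, so re-enabling the code later would index `aTokens` and `tokenmap::wordlist` with an unchecked `Token`. The FIXME should record this as well, for example `//FIXME also: the range test must use &&, not ||`. The function body continues in the next hunk.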
@@ -71,6 +73,9 @@ OUString SAL_CALL OOXMLFastTokenHandler::getIdentifier(::sal_Int32 Token)
             aTokens[Token] = OUString::createFromAscii
                 (tokenmap::wordlist[Token].name);
     }
+#else
+    (void) Token;
+#endif
 
     return sResult;
 }
@@ -78,10 +83,17 @@ OUString SAL_CALL OOXMLFastTokenHandler::getIdentifier(::sal_Int32 Token)
 css::uno::Sequence< ::sal_Int8 > SAL_CALL OOXMLFastTokenHandler::getUTF8Identifier(::sal_Int32 Token)
     throw (css::uno::RuntimeException)
 {
+#if 0
     if ( Token < 0  || Token >= OOXML_FAST_TOKENS_END )
+#endif
         return css::uno::Sequence< ::sal_Int8 >();
 
+#if 0
+    //FIXME this is broken: tokenmap::wordlist is not indexed by Token!
     return css::uno::Sequence< ::sal_Int8 >(reinterpret_cast< const sal_Int8 *>(tokenmap::wordlist[Token].name), strlen(tokenmap::wordlist[Token].name));
+#else
+    (void) Token;
+#endif
 }
 
 ::sal_Int32 SAL_CALL OOXMLFastTokenHandler::getTokenFromUTF8
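Review bot: In getUTF8Identifier the `(void) Token;` in the `#else` branch sits after the now-unconditional `return`, so it is unreachable code and may itself be reported by compilers that warn about statements after a return. Placing `(void) Token;` as the first statement of the function and un-indenting the `return` would avoid that. As written, the `#if 0`/`#endif` pair around a lone `if` leaves the return looking as if it were still conditional.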
diff --git a/xmloff/source/style/weighhdl.cxx b/xmloff/source/style/weighhdl.cxx
index 2befaa8..66fd369 100644
--- a/xmloff/source/style/weighhdl.cxx
+++ b/xmloff/source/style/weighhdl.cxx
@@ -109,7 +109,7 @@ sal_Bool XMLFontWeightPropHdl::importXML( const OUString& rStrImpValue, Any& rVa
     {
         bRet = sal_False;
         static int nCount = sizeof(aFontWeightMap)/sizeof(FontWeightMapper);
-        for( int i=0; i<nCount; i++ )
+        for (int i = 0; i < (nCount-1); ++i)
         {
             if( (nWeight >= aFontWeightMap[i].nValue) && (nWeight <= aFontWeightMap[i+1].nValue) )
             {
commit 4c3501cb61147304252e2ac281d3e466b6af93d9
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:30:57 2012 +0200

    sw: fix some warnings

diff --git a/sw/source/core/doc/number.cxx b/sw/source/core/doc/number.cxx
index c43cb61..5a97789 100644
--- a/sw/source/core/doc/number.cxx
+++ b/sw/source/core/doc/number.cxx
@@ -1126,9 +1126,9 @@ namespace numfunc
             }
             inline sal_Unicode GetChar( sal_uInt8 p_nListLevel ) const
             {
-                if ( p_nListLevel > MAXLEVEL )
+                if (p_nListLevel >= MAXLEVEL)
                 {
-                    p_nListLevel = MAXLEVEL;
+                    p_nListLevel = MAXLEVEL - 1;
                 }
 
                 return mnLevelChars[p_nListLevel];
diff --git a/sw/source/filter/ww1/w1filter.cxx b/sw/source/filter/ww1/w1filter.cxx
index b62e784..14e978c 100644
--- a/sw/source/filter/ww1/w1filter.cxx
+++ b/sw/source/filter/ww1/w1filter.cxx
@@ -1377,7 +1377,7 @@ SvxFontItem Ww1Fonts::GetFont(sal_uInt16 nFCode)
                 FAMILY_DONTKNOW, FAMILY_ROMAN, FAMILY_SWISS, FAMILY_MODERN,
                 FAMILY_SCRIPT, FAMILY_DECORATIVE
             };
-            if (b < sizeof(eFamilyA))
+            if (b < (sizeof(eFamilyA)/sizeof(eFamilyA[0])))
                 eFamily = eFamilyA[b];
         }
         else
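Review bot: The element count is written out as `sizeof(eFamilyA)/sizeof(eFamilyA[0])` here, while extensions/source/scanner/sane.cxx in the same push uses `SAL_N_ELEMENTS( ppUnits )` for the same purpose; `if (b < SAL_N_ELEMENTS(eFamilyA))` is shorter and harder to get wrong, provided the macro's header is already reachable from this file. The same hand-written form appears in the ww8graf.cxx, ww8par5.cxx, ww8par6.cxx, docsh.cxx and unotools.cxx hunks.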
diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx
index 7a87b29..26b1483 100644
--- a/sw/source/filter/ww8/ww8graf.cxx
+++ b/sw/source/filter/ww8/ww8graf.cxx
@@ -268,7 +268,7 @@ static void SetFill( SfxItemSet& rSet, WW8_DP_FILL& rFill )
     else
     {
         rSet.Put(XFillStyleItem(XFILL_SOLID));  // necessary for textbox
-        if (nPat <= 1 || nPat > sizeof(nPatA))
+        if (nPat <= 1 || ((sizeof(nPatA)/sizeof(nPatA[0])) <= nPat))
         {
             // Solid Background or unknown
             rSet.Put(XFillColorItem(aEmptyStr, WW8TransCol(rFill.dlpcBg)));
diff --git a/sw/source/filter/ww8/ww8par5.cxx b/sw/source/filter/ww8/ww8par5.cxx
index 412fb14..67345a9 100644
--- a/sw/source/filter/ww8/ww8par5.cxx
+++ b/sw/source/filter/ww8/ww8par5.cxx
@@ -1025,10 +1025,16 @@ long SwWW8ImplReader::Read_Field(WW8PLCFManResult* pRes)
     if (bNested)
         return 0;
 
-    sal_uInt16 n = ( aF.nId <= eMax ) ? aF.nId : static_cast< sal_uInt16 >(eMax); // alle > 91 werden 92
+    sal_uInt16 n = (aF.nId <= eMax) ? aF.nId : static_cast<sal_uInt16>(eMax);
     sal_uInt16 nI = n / 32;                     // # des sal_uInt32
     sal_uLong nMask = 1 << ( n % 32 );          // Maske fuer Bits
 
+    if ((sizeof(nFieldTagAlways)/sizeof(nFieldTagAlways[0])) <= nI)
+    {   // if indexes larger than 95 are needed, then a new configuration
+        // item has to be added, and nFieldTagAlways/nFieldTagBad expanded!
+        return aF.nLen;
+    }
+
     if( nFieldTagAlways[nI] & nMask )       // Flag: Tag it
         return Read_F_Tag( &aF );           // Resultat nicht als Text
 
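Review bot: The new guard measures only `nFieldTagAlways`, although its comment names `nFieldTagAlways/nFieldTagBad` and `nI` is presumably used to index the second array after the end of this hunk. If the two arrays can differ in length, the test should cover both, or a comment should state that they are declared with the same size. The guard also returns `aF.nLen` silently; an assertion in debug builds would make an unexpected field id visible instead of skipping the field without trace.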
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx
index c86300a..3b6503b 100644
--- a/sw/source/filter/ww8/ww8par6.cxx
+++ b/sw/source/filter/ww8/ww8par6.cxx
@@ -3469,7 +3469,7 @@ bool SwWW8ImplReader::GetFontParams( sal_uInt16 nFCode, FontFamily& reFamily,
             break;
         }
     }
-    if( b < sizeof( eFamilyA ) )
+    if (b < (sizeof(eFamilyA)/sizeof(eFamilyA[0])))
         reFamily = eFamilyA[b];
     else
         reFamily = FAMILY_DONTKNOW;
diff --git a/sw/source/ui/app/docsh.cxx b/sw/source/ui/app/docsh.cxx
index ec2bcca..9dd9aad 100644
--- a/sw/source/ui/app/docsh.cxx
+++ b/sw/source/ui/app/docsh.cxx
@@ -1229,7 +1229,7 @@ uno::Reference< frame::XController >
     return aRet;
 }
 
-static const char* pEventNames[] =
+static const char* s_EventNames[] =
 {
     "OnPageCountChange",
     "OnMailMerge",
@@ -1238,6 +1238,7 @@ static const char* pEventNames[] =
     "OnFieldMergeFinished",
     "OnLayoutFinished"
 };
+static sal_Int32 const s_nEvents(sizeof(s_EventNames)/sizeof(s_EventNames[0]));
 
 Sequence< OUString >    SwDocShell::GetEventNames()
 {
@@ -1255,12 +1256,12 @@ Sequence< OUString >    SwDocShell::GetEventNames()
     return aRet;
 }
 
-static sal_Int32 nEvents=13;
-
 rtl::OUString SwDocShell::GetEventName( sal_Int32 nIndex )
 {
-    if ( nIndex<nEvents )
-        return ::rtl::OUString::createFromAscii(pEventNames[nIndex]);
+    if (nIndex < s_nEvents)
+    {
+        return ::rtl::OUString::createFromAscii(s_EventNames[nIndex]);
+    }
     return rtl::OUString();
 }
 
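Review bot: `GetEventName` takes a signed `sal_Int32 nIndex` and the new test bounds it only from above, so a negative index still reads before `s_EventNames`. `if (nIndex >= 0 && nIndex < s_nEvents)` closes that. Callers are not visible in this hunk, so whether a negative value can actually arrive is unconfirmed.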
diff --git a/sw/source/ui/dialog/ascfldlg.cxx b/sw/source/ui/dialog/ascfldlg.cxx
index 8c9fdcb..595375a 100644
--- a/sw/source/ui/dialog/ascfldlg.cxx
+++ b/sw/source/ui/dialog/ascfldlg.cxx
@@ -115,8 +115,6 @@ SwAsciiFilterDlg::SwAsciiFilterDlg( Window* pParent, SwDocShell& rDocSh,
         {
             aBuffer[ nBytesRead ] = '0';
             aBuffer[ nBytesRead+1 ] = '0';
-            if( 0 != ( nBytesRead & 0x00000001 ) )
-                aBuffer[ nBytesRead + 2 ] = '0';
         }
 
         sal_Bool bCR = sal_False, bLF = sal_False, bNullChar = sal_False;
diff --git a/sw/source/ui/misc/num.cxx b/sw/source/ui/misc/num.cxx
index 2d20595..ada66a5 100644
--- a/sw/source/ui/misc/num.cxx
+++ b/sw/source/ui/misc/num.cxx
@@ -248,6 +248,11 @@ void SwNumPositionTabPage::InitControls()
         nMask <<= 1;
 
     }
+    if (MAXLEVEL <= nLvl)
+    {
+        OSL_ENSURE(false, "cannot happen.");
+        return;
+    }
     if(bSameDistBorderNum)
     {
         long nDistBorderNum;
diff --git a/sw/source/ui/table/tabledlg.cxx b/sw/source/ui/table/tabledlg.cxx
index 411337c..2ce7528 100644
--- a/sw/source/ui/table/tabledlg.cxx
+++ b/sw/source/ui/table/tabledlg.cxx
@@ -1009,6 +1009,12 @@ void   SwTableColumnPage::ModifyHdl( PercentField* pEdit )
             if(pEdit == pFieldArr[i])
                 break;
 
+        if (MET_FIELDS <= i)
+        {
+            OSL_ENSURE(false, "cannot happen.");
+            return;
+        }
+
         SetVisibleWidth(aValueTbl[i], static_cast< SwTwips >(pEdit->DenormalizePercent(pEdit->GetValue( FUNIT_TWIP ))) );
         nAktPos = aValueTbl[i];
 
diff --git a/sw/source/ui/utlui/unotools.cxx b/sw/source/ui/utlui/unotools.cxx
index e3438e6..c5dec25 100644
--- a/sw/source/ui/utlui/unotools.cxx
+++ b/sw/source/ui/utlui/unotools.cxx
@@ -408,7 +408,8 @@ void SwOneExampleFrame::CreatePopup(const Point& rPt)
         sal_Int16 nZoom = 0;
         aZoom >>= nZoom;
 
-        for(sal_uInt16 i = 0; i < 5; i++ )
+        for (sal_uInt16 i = 0;
+                i < (sizeof(nZoomValues)/sizeof(nZoomValues[0])); ++i)
         {
             String sTemp;
             sTemp = String::CreateFromInt32(nZoomValues[i]);
@@ -427,7 +428,8 @@ void SwOneExampleFrame::CreatePopup(const Point& rPt)
 IMPL_LINK(SwOneExampleFrame, PopupHdl, Menu*, pMenu )
 {
     sal_uInt16 nId = pMenu->GetCurItemId();
-    if( nId > ITEM_ZOOM && nId < ITEM_ZOOM + 100 )
+    if ((nId > ITEM_ZOOM) &&
+        (nId <= (ITEM_ZOOM + (sizeof(nZoomValues)/sizeof(nZoomValues[0])))))
     {
         sal_Int16 nZoom = nZoomValues[nId - ITEM_ZOOM - 1];
         uno::Reference< view::XViewSettingsSupplier >  xSettings(_xController, uno::UNO_QUERY);
commit f6f265313f055f3d767060509cbf05442c1bb548
Author: Michael Stahl <mst at openoffice.org>
Date:   Fri Jul 27 17:30:49 2012 +0200

    some tweaks in RTF filter

diff --git a/editeng/source/rtf/svxrtf.cxx b/editeng/source/rtf/svxrtf.cxx
index 48e3efb..2f727e3 100644
--- a/editeng/source/rtf/svxrtf.cxx
+++ b/editeng/source/rtf/svxrtf.cxx
@@ -28,6 +28,7 @@
 
 
 #include <ctype.h>
+#include <tools/diagnose_ex.h>
 #include <rtl/tencinfo.h>
 #include <svl/itemiter.hxx>
 #include <svl/whiter.hxx>
@@ -1252,7 +1253,8 @@ bool SvxRTFParser::UncompressableStackEntry(const SvxRTFItemStackType &) const
 
 void SvxRTFItemStackType::Compress( const SvxRTFParser& rParser )
 {
-    DBG_ASSERT( pChildList, "There is no child list" );
+    ENSURE_OR_RETURN_VOID(pChildList, "Compress: no ChildList" );
+    ENSURE_OR_RETURN_VOID(!pChildList->empty(), "Compress: ChildList empty");
 
     sal_uInt16 n;
     SvxRTFItemStackType* pTmp = &(*pChildList)[0];
diff --git a/sw/source/core/doc/docnum.cxx b/sw/source/core/doc/docnum.cxx
index fd6eb92..a0ff168 100644
--- a/sw/source/core/doc/docnum.cxx
+++ b/sw/source/core/doc/docnum.cxx
@@ -89,6 +89,9 @@ namespace {
     }
 }
 
+#include <stdlib.h>
+
+
 inline sal_uInt8 GetUpperLvlChg( sal_uInt8 nCurLvl, sal_uInt8 nLevel, sal_uInt16 nMask )
 {
     if( 1 < nLevel )
@@ -2164,6 +2167,11 @@ SwNumRule* SwDoc::FindNumRulePtr( const String& rName ) const
 
 void SwDoc::AddNumRule(SwNumRule * pRule)
 {
+    if ((SAL_MAX_UINT16 - 1) <= pNumRuleTbl->size())
+    {
+        OSL_ENSURE(false, "SwDoc::AddNumRule: table full.");
+        abort(); // this should never happen on real documents
+    }
     pNumRuleTbl->push_back(pRule);
     maNumRuleMap[pRule->GetName()] = pRule;
     pRule->SetNumRuleMap(&maNumRuleMap);
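Review bot: The new table-full branch in SwDoc::AddNumRule calls `abort()`, which ends the whole process and with it any other open documents that have unsaved changes. The comment says this never happens on real documents, but the rest of this commit hardens import code, so a malformed file that creates enough numbering rules could presumably reach the branch. Because the function returns void, failing the load instead, for example `throw std::length_error("SwDoc::AddNumRule: table full");` or whatever exception type the import path already catches, would turn this into a rejected document rather than a crash. Whether every caller can cope with an exception is not visible in the hunk.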
diff --git a/sw/source/filter/rtf/rtffld.cxx b/sw/source/filter/rtf/rtffld.cxx
index fb96136..b53f13a 100644
--- a/sw/source/filter/rtf/rtffld.cxx
+++ b/sw/source/filter/rtf/rtffld.cxx
@@ -155,7 +155,10 @@ static RTF_FLD_TYPES _WhichFld( String& rName, String& rNext )
         {
             rName = rName.Copy( nFndPos, static_cast< xub_StrLen >(nLen) );
             nFndPos += nTokenStt + static_cast< xub_StrLen >(nLen);
-            while( rNext.GetChar( nFndPos ) == ' ' )    ++nFndPos;
+            while ((nFndPos < rNext.Len()) && (rNext.GetChar(nFndPos) == ' '))
+            {
+                ++nFndPos;
+            }
             rNext.Erase( 0, nFndPos );
             rNext = comphelper::string::stripEnd(rNext, ' ');
             return aFldNmArr[n].eFldType;
@@ -387,8 +390,10 @@ int SwRTFParser::MakeFieldInst( String& rFieldStr )
     {
         xub_StrLen nStartDel = nPos;
         nPos += 2;
-        while (aSaveStr.GetChar(nPos) == ' ')
+        while ((nPos < aSaveStr.Len()) && (aSaveStr.GetChar(nPos) == ' '))
+        {
             ++nPos;
+        }
         if (aSaveStr.EqualsIgnoreCaseAscii("MERGEFORMAT", nPos, 11))
         {
             xub_StrLen nNoDel = (nPos + 11 ) - nStartDel;
@@ -430,7 +435,9 @@ int SwRTFParser::MakeFieldInst( String& rFieldStr )
             if( STRING_NOTFOUND != ( nPos = aSaveStr.SearchAscii( "\\*" )) )
             {
                 nPos += 2;
-                while( aSaveStr.GetChar(nPos) == ' ' ) nPos++;
+                while ((nPos < aSaveStr.Len()) &&
+                       (aSaveStr.GetChar(nPos) == ' '))
+                { nPos++; }
                 aSaveStr.Erase( 0, nPos );
 
                 // steht jetzt geanu auf dem Format-Namen
@@ -449,7 +456,9 @@ int SwRTFParser::MakeFieldInst( String& rFieldStr )
             if( STRING_NOTFOUND != ( nPos = aSaveStr.SearchAscii( "\\*" )) )
             {
                 nPos += 2;
-                while( aSaveStr.GetChar(nPos) == ' ' ) nPos++;
+                while ((nPos < aSaveStr.Len()) &&
+                       (aSaveStr.GetChar(nPos) == ' '))
+                { nPos++; }
                 aSaveStr.Erase( 0, nPos );
 
                 // steht jetzt geanu auf dem Format-Namen
@@ -529,7 +538,7 @@ int SwRTFParser::MakeFieldInst( String& rFieldStr )
             // werden:
             //  \\data -> Datenbank-Name als Field
             //  DATA -> Datenbank-Info
-            sal_Bool bField = rFieldStr.GetChar( 0 ) != 'D';
+            bool const bField = rFieldStr.Len() && rFieldStr.GetChar(0) != 'D';
 
             // nur der Name interressiert
             if( STRING_NOTFOUND != (nPos = aSaveStr.Search( '.' )) )
diff --git a/sw/source/filter/rtf/rtffly.cxx b/sw/source/filter/rtf/rtffly.cxx
index e31d4d3..7876c16 100644
--- a/sw/source/filter/rtf/rtffly.cxx
+++ b/sw/source/filter/rtf/rtffly.cxx
@@ -274,7 +274,8 @@ void SwRTFParser::SetFlysInDoc()
 
         // liegt Ende und Start vom Naechsten im gleichen Node, dann muss
         // gesplittet werden
-        if( n + 1 < (sal_uInt16)aFlyArr.size() && pFlySave->nEndCnt &&
+        if (((static_cast<size_t>(n) + 1) < aFlyArr.size()) &&
+            pFlySave->nEndCnt &&
             pFlySave->nEndNd == aFlyArr[ n + 1 ]->nSttNd )
         {
             SwCntntNode *const pCNd = pFlySave->nEndNd.GetNode().GetCntntNode();
@@ -1226,6 +1227,10 @@ void SwRTFParser::InsPicture( const String& rGrfNm, const Graphic* pGrf,
     // #i83368# - Assure that graphic node is enclosed by fly frame node.
     if ( bReadSwFly && !mbReadCellWhileReadSwFly )
     {
+        OSL_ENSURE(!aFlyArr.empty(),
+            "SwRTFParser::InsPicture: fly array empty.");
+        if (!aFlyArr.empty())
+        {
         // erzeuge nur einen normalen GrafikNode und ersetze diesen gegen
         // den vorhandenen Textnode
         SwNodeIndex& rIdx = pPam->GetPoint()->nNode;
@@ -1246,6 +1251,7 @@ void SwRTFParser::InsPicture( const String& rGrfNm, const Graphic* pGrf,
             if( pFlySave->nEndNd == rIdx )
                 pFlySave->nEndNd = rIdx.GetIndex() - 1;
         }
+        }
     }
     else
     {
diff --git a/sw/source/filter/rtf/rtftbl.cxx b/sw/source/filter/rtf/rtftbl.cxx
index 9fe764d..884878b 100644
--- a/sw/source/filter/rtf/rtftbl.cxx
+++ b/sw/source/filter/rtf/rtftbl.cxx
@@ -194,6 +194,11 @@ void SwRTFParser::ReadTable( int nToken )
 
     sal_Int16 eVerOrient = text::VertOrientation::NONE;
     long nLineHeight = 0;
+    if (aMergeBoxes.empty()) // can this actually happen?
+    {
+        OSL_ASSERT(false);
+        aMergeBoxes.push_back(sal_False);
+    }
     SwBoxFrmFmts aBoxFmts;
     SwTableBoxFmt* pBoxFmt = pDoc->MakeTableBoxFmt();
     SvxFrameDirection eDir = FRMDIR_HORI_LEFT_TOP;
@@ -283,8 +288,11 @@ void SwRTFParser::ReadTable( int nToken )
                         {
                             --m_nCurrentBox;
                         }
-                        pFmt = static_cast<SwTableBoxFmt*>(
-                            pLine->GetTabBoxes()[ m_nCurrentBox ]->GetFrmFmt());
+                        if (m_nCurrentBox < pLine->GetTabBoxes().size())
+                        {
+                            pFmt = static_cast<SwTableBoxFmt*>(
+                              pLine->GetTabBoxes()[m_nCurrentBox]->GetFrmFmt());
+                        }
                     }
                     else
                         pFmt = aBoxFmts.back();
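Review bot: When `m_nCurrentBox` is out of range, the new guard `if (m_nCurrentBox < pLine->GetTabBoxes().size())` skips the assignment and leaves `pFmt` with whatever value it had before this branch. The declaration of pFmt and its later uses are outside the hunk, so it may be uninitialised or stale when it is next read. Making the out-of-range case explicit would remove the doubt, for example an `else { pFmt = 0; }` paired with a null check before the next use, plus a comment on the guard saying which malformed input it protects against.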
diff --git a/sw/source/filter/rtf/swparrtf.cxx b/sw/source/filter/rtf/swparrtf.cxx
index db71783..35ad32b 100644
--- a/sw/source/filter/rtf/swparrtf.cxx
+++ b/sw/source/filter/rtf/swparrtf.cxx
@@ -593,7 +593,9 @@ bool rtfSections::SetCols(SwFrmFmt &rFmt, const rtfSection &rSection,
     {
         aCol._SetOrtho(false);
         sal_uInt16 nWishWidth = 0, nHalfPrev = 0;
-        for(sal_uInt16 n=0, i=0; n < rSection.maPageInfo.maColumns.size() && i < nCols; n += 2, ++i )
+        for (sal_uInt16 n=0, i=0;
+             (static_cast<size_t>(n)+1) < rSection.maPageInfo.maColumns.size() && i < nCols;
+             n += 2, ++i)
         {
             SwColumn* pCol = &aCol.GetColumns()[ i ];
             pCol->SetLeft( nHalfPrev );
@@ -2746,7 +2748,7 @@ sal_Bool lcl_SetFmtCol( SwFmt& rFmt, sal_uInt16 nCols, sal_uInt16 nColSpace,
         {
             aCol._SetOrtho( sal_False );
             sal_uInt16 nWishWidth = 0, nHalfPrev = 0;
-            for( sal_uInt16 n = 0, i = 0; n < rColumns.size(); n += 2, ++i )
+            for (sal_uInt16 n = 0, i = 0; static_cast<size_t>(n+1) < rColumns.size(); n += 2, ++i)
             {
                 SwColumn* pCol = &aCol.GetColumns()[ i ];
                 pCol->SetLeft( nHalfPrev );
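Review bot: The rewritten loop in lcl_SetFmtCol bounds `n` against rColumns.size() but still indexes `aCol.GetColumns()[ i ]` with no bound on `i`, unlike the matching loop in rtfSections::SetCols in the previous hunk, which keeps `&& i < nCols`. If aCol was set up with nCols columns (that code is outside the hunk), a document that supplies more column entries than nCols would index past the end. Adding the same term aligns the two loops: `for (sal_uInt16 n = 0, i = 0; static_cast<size_t>(n+1) < rColumns.size() && i < nCols; n += 2, ++i)`.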
commit 10dc090b31776f21a09e32dd409348e2ddb00cc5
Author: Mikhail Voytenko <mav at openoffice.org>
Date:   Fri Jul 27 17:30:37 2012 +0200

    sot: prevent some null pointer crashes

diff --git a/sot/source/sdstor/stg.cxx b/sot/source/sdstor/stg.cxx
index d2c66aa..0dff1f4 100644
--- a/sot/source/sdstor/stg.cxx
+++ b/sot/source/sdstor/stg.cxx
@@ -91,7 +91,8 @@ const SvStream* OLEStorageBase::GetSvStream_Impl() const
 OLEStorageBase::OLEStorageBase( StgIo* p, StgDirEntry* pe, StreamMode& nMode )
     : nStreamMode( nMode ), pIo( p ), pEntry( pe )
 {
-    p->IncRef();
+    if ( p )
+        p->IncRef();
     if( pe )
         pe->nRefCnt++;
 }
@@ -108,21 +109,28 @@ OLEStorageBase::~OLEStorageBase()
             else
                 pEntry->Close();
         }
+
+        pEntry = NULL;
     }
 
 
-    if( !pIo->DecRef() )
+	if( pIo && !pIo->DecRef() )
+    {
         delete pIo;
+        pIo = NULL;
+    }
 }
 
 // Validate the instance for I/O
 
 sal_Bool OLEStorageBase::Validate_Impl( sal_Bool bWrite ) const
 {
-    if( pEntry
+    if( pIo
+        && pIo->pTOC
+        && pEntry
         && !pEntry->bInvalid
         &&  ( !bWrite || !pEntry->bDirect || ( nStreamMode & STREAM_WRITE ) ) )
-        return sal_True;
+            return sal_True;
     return sal_False;
 }
 
@@ -161,7 +169,7 @@ StorageStream::StorageStream( StgIo* p, StgDirEntry* q, StreamMode m )
              : OLEStorageBase( p, q, m_nMode ), nPos( 0L )
 {
     // The dir entry may be 0; this means that the stream is invalid.
-    if( q )
+    if( q && p )
     {
         if( q->nRefCnt == 1 )
         {
@@ -269,14 +277,21 @@ sal_Bool StorageStream::Commit()
 
 sal_Bool StorageStream::Revert()
 {
-    pEntry->Revert();
-    pIo->MoveError( *this );
-    return Good();
+    sal_Bool bResult = sal_False;
+
+    if ( Validate() )
+    {
+        pEntry->Revert();
+        pIo->MoveError( *this );
+        bResult = Good();
+    }
+
+    return bResult;
 }
 
 sal_Bool StorageStream::CopyTo( BaseStorageStream* pDest )
 {
-    if( !Validate() || !pDest->Validate( sal_True ) || Equals( *pDest ) )
+    if( !Validate() || !pDest || !pDest->Validate( sal_True ) || Equals( *pDest ) )
         return sal_False;
     pEntry->Copy( *pDest );
     pDest->Commit();
@@ -328,14 +343,20 @@ sal_Bool Storage::IsStorageFile( const String & rFileName )
 
 sal_Bool Storage::IsStorageFile( SvStream* pStream )
 {
-    StgHeader aHdr;
-    sal_uLong nPos = pStream->Tell();
-    sal_Bool bRet = ( aHdr.Load( *pStream ) && aHdr.Check() );
+    sal_Bool bRet = sal_False;
+
+    if ( pStream )
+    {
+        StgHeader aHdr;
+        sal_uLong nPos = pStream->Tell();
+        bRet = ( aHdr.Load( *pStream ) && aHdr.Check() );
+
+        // It's not a stream error if it is too small for a OLE storage header
+        if ( pStream->GetErrorCode() == ERRCODE_IO_CANTSEEK )
+            pStream->ResetError();
+        pStream->Seek( nPos );
+    }
 
-    // It's not a stream error if it is too small for a OLE storage header
-    if ( pStream->GetErrorCode() == ERRCODE_IO_CANTSEEK )
-        pStream->ResetError();
-    pStream->Seek( nPos );
     return bRet;
 }
 
@@ -450,7 +471,9 @@ void Storage::Init( sal_Bool bCreate )
     pEntry = NULL;
     sal_Bool bHdrLoaded = sal_False;
     bIsRoot = sal_True;
-    if( pIo->Good() )
+
+    OSL_ENSURE( pIo, "The pointer may not be empty at this point!" );
+	if( pIo->Good() && pIo->GetStrm() )
     {
         sal_uLong nSize = pIo->GetStrm()->Seek( STREAM_SEEK_TO_END );
         pIo->GetStrm()->Seek( 0L );
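Review bot: `OSL_ENSURE( pIo, ... )` in Storage::Init is a diagnostic rather than a guard: it reports in debug builds and execution continues, so `pIo->Good()` on the following line still dereferences a null pIo. An early `if ( !pIo ) return;` placed after the `pEntry = NULL;` initialisation would make the check effective in product builds; Init's body continues outside the hunk, so the state it should leave behind needs confirming. The same assert-then-use pattern appears elsewhere in this commit, in StgAvlNode::Locate, Adjust (for pHeavy), RotLL, RotLR, RotRR and RotRL, and in StgCache::Find and the StgPage constructor.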
@@ -471,7 +494,7 @@ void Storage::Init( sal_Bool bCreate )
     // the file is empty
     if( !bHdrLoaded )
         pIo->Init();
-    if( pIo->Good() )
+    if( pIo->Good() && pIo->pTOC )
     {
         pEntry = pIo->pTOC->GetRoot();
         pEntry->nRefCnt++;
@@ -526,7 +549,7 @@ const String& Storage::GetName() const
 
 void Storage::FillInfoList( SvStorageInfoList* pList ) const
 {
-    if( Validate() )
+	if( Validate() && pList )
     {
         StgIterator aIter( *pEntry );
         StgDirEntry* p = aIter.First();
@@ -709,21 +732,24 @@ sal_Bool Storage::CopyTo( const String& rElem, BaseStorage* pDest, const String&
             BaseStorage* p1 = OpenStorage( rElem, INTERNAL_MODE );
             BaseStorage* p2 = pDest->OpenOLEStorage( rNew, STREAM_WRITE | STREAM_SHARE_DENYALL, pEntry->bDirect );
 
-            sal_uLong nTmpErr = p2->GetError();
-            if( !nTmpErr )
+            if ( p2 )
             {
-                p2->SetClassId( p1->GetClassId() );
-                p1->CopyTo( p2 );
-                SetError( p1->GetError() );
-
-                nTmpErr = p2->GetError();
+                sal_uLong nTmpErr = p2->GetError();
                 if( !nTmpErr )
-                    p2->Commit();
+                {
+                    p2->SetClassId( p1->GetClassId() );
+                    p1->CopyTo( p2 );
+                    SetError( p1->GetError() );
+
+                    nTmpErr = p2->GetError();
+                    if( !nTmpErr )
+                        p2->Commit();
+                    else
+                        pDest->SetError( nTmpErr );
+                }
                 else
                     pDest->SetError( nTmpErr );
             }
-            else
-                pDest->SetError( nTmpErr );
 
             delete p1;
             delete p2;
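Review bot: Only `p2` gets a null check in this branch of Storage::CopyTo; `p1` is still dereferenced in `p2->SetClassId( p1->GetClassId() )` and `p1->CopyTo( p2 )`, which is a problem if OpenStorage can return null. When p2 is null no error is set on pDest, so the failed copy may go unreported unless the code after the hunk handles it. Consider `if ( p1 && p2 )` with an `else pDest->SetError( SVSTREAM_GENERALERROR );`. The stream branch in the next hunk (OpenStream followed by `p1->CopyTo( p2 )`) has the same shape.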
@@ -735,20 +761,23 @@ sal_Bool Storage::CopyTo( const String& rElem, BaseStorage* pDest, const String&
             BaseStorageStream* p1 = OpenStream( rElem, INTERNAL_MODE );
             BaseStorageStream* p2 = pDest->OpenStream( rNew, STREAM_WRITE | STREAM_SHARE_DENYALL, pEntry->bDirect );
 
-            sal_uLong nTmpErr = p2->GetError();
-            if( !nTmpErr )
+            if ( p2 )
             {
-                p1->CopyTo( p2 );
-                SetError( p1->GetError() );
-
-                nTmpErr = p2->GetError();
+                sal_uLong nTmpErr = p2->GetError();
                 if( !nTmpErr )
-                    p2->Commit();
+                {
+                    p1->CopyTo( p2 );
+                    SetError( p1->GetError() );
+
+                    nTmpErr = p2->GetError();
+                    if( !nTmpErr )
+                        p2->Commit();
+                    else
+                        pDest->SetError( nTmpErr );
+                }
                 else
                     pDest->SetError( nTmpErr );
             }
-            else
-                pDest->SetError( nTmpErr );
 
             delete p1;
             delete p2;
@@ -999,17 +1028,23 @@ sal_Bool Storage::ValidateFAT()
 
 void Storage::SetDirty()
 {
-    pEntry->SetDirty();
+    if ( pEntry )
+        pEntry->SetDirty();
 }
 
 void Storage::SetClassId( const ClsId& rId )
 {
-    pEntry->aEntry.SetClassId( rId );
+    if ( pEntry )
+        pEntry->aEntry.SetClassId( rId );
 }
 
 const ClsId& Storage::GetClassId() const
 {
-    return pEntry->aEntry.GetClassId();
+    if ( pEntry )
+        return pEntry->aEntry.GetClassId();
+
+    static ClsId aDummyId = {0,0,0,0,0,0,0,0,0,0,0};
+    return aDummyId;
 }
 
 const SvStream* Storage::GetSvStream() const
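Review bot: The fallback object in Storage::GetClassId is a mutable function-local static, `static ClsId aDummyId = {0,0,0,0,0,0,0,0,0,0,0};`, although it is only handed out by const reference. Declaring it `static const ClsId aDummyId = {0,0,0,0,0,0,0,0,0,0,0};` states that it is a fixed all-zero value and prevents later code from writing to it. A one-line comment such as `// no entry: report the all-zero class id` would tell callers what a null pEntry yields.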
diff --git a/sot/source/sdstor/stgavl.cxx b/sot/source/sdstor/stgavl.cxx
index bc38cf9..eb43a7a 100644
--- a/sot/source/sdstor/stgavl.cxx
+++ b/sot/source/sdstor/stgavl.cxx
@@ -17,6 +17,7 @@
  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  */
 
+#include <osl/diagnose.h>
 #include "stgavl.hxx"
 
 StgAvlNode::StgAvlNode()
@@ -33,13 +34,16 @@ StgAvlNode::~StgAvlNode()
 
 StgAvlNode* StgAvlNode::Find( StgAvlNode* pFind )
 {
-    StgAvlNode* p = this;
-    while( p )
+    if ( pFind )
     {
-        short nRes = p->Compare( pFind );
-        if( !nRes )
-            return p;
-        else p = ( nRes < 0 ) ? p->pLeft : p->pRight;
+        StgAvlNode* p = this;
+        while( p )
+        {
+            short nRes = p->Compare( pFind );
+            if( !nRes )
+                return p;
+            else p = ( nRes < 0 ) ? p->pLeft : p->pRight;
+        }
     }
     return NULL;
 }
@@ -53,23 +57,28 @@ short StgAvlNode::Locate
 {
     short nRes = 0;
     StgAvlNode* pCur = this;
+
+    OSL_ENSURE( pPivot && pParent && pPrev, "The pointers may not be NULL!" );
     *pParent = *pPrev = NULL;
     *pPivot = this;
 
     // search tree for insertion point
-
-    while( pCur != NULL )
+    if ( pFind )
     {
-        // check for pPivot
-        if( pCur->nBalance != 0 )
-            *pPivot = pCur, *pParent = *pPrev;
-        // save pPrev location and see what direction to go
-        *pPrev = pCur;
-        nRes = pCur->Compare( pFind );
-        if( nRes == 0 )
-            break;
-        else pCur = ( nRes < 0 ) ? pCur->pLeft : pCur->pRight;
+        while( pCur != NULL )
+        {
+            // check for pPivot
+            if( pCur->nBalance != 0 )
+                *pPivot = pCur, *pParent = *pPrev;
+            // save pPrev location and see what direction to go
+            *pPrev = pCur;
+            nRes = pCur->Compare( pFind );
+            if( nRes == 0 )
+                break;
+            else pCur = ( nRes < 0 ) ? pCur->pLeft : pCur->pRight;
+        }
     }
+
     return( nRes );
 }
 
@@ -81,8 +90,10 @@ short StgAvlNode::Adjust( StgAvlNode** pHeavy, StgAvlNode* pNew )
     StgAvlNode* pCur = this;
     short nDelta;
     // no traversing
-    if( pCur == pNew )
+    OSL_ENSURE( pHeavy && pNew, "The pointers is not allowed to be NULL!" );
+    if( pCur == pNew || !pNew )
         return nBalance;
+
     short nRes = Compare( pNew );
     if( nRes > 0 )
     {
@@ -119,6 +130,7 @@ short StgAvlNode::Adjust( StgAvlNode** pHeavy, StgAvlNode* pNew )
 
 StgAvlNode* StgAvlNode::RotLL()
 {
+    OSL_ENSURE( pLeft, "The pointer is not allowed to be NULL!" );
     StgAvlNode *pHeavy = pLeft;
     pLeft = pHeavy->pRight;
     pHeavy->pRight = this;
@@ -130,7 +142,7 @@ StgAvlNode* StgAvlNode::RotLL()
 
 StgAvlNode* StgAvlNode::RotLR()
 {
-
+    OSL_ENSURE( pLeft && pLeft->pRight, "The pointer is not allowed to be NULL!" );
     StgAvlNode* pHeavy = pLeft;
     StgAvlNode* pNewRoot = pHeavy->pRight;
 
@@ -162,6 +174,7 @@ StgAvlNode* StgAvlNode::RotLR()
 
 StgAvlNode* StgAvlNode::RotRR()
 {
+    OSL_ENSURE( pRight, "The pointer is not allowed to be NULL!" );
     StgAvlNode* pHeavy = pRight;
     pRight = pHeavy->pLeft;
     pHeavy->pLeft = this;
@@ -173,6 +186,7 @@ StgAvlNode* StgAvlNode::RotRR()
 
 StgAvlNode* StgAvlNode::RotRL()
 {
+    OSL_ENSURE( pRight && pRight->pLeft, "The pointer is not allowed to be NULL!" );
     StgAvlNode* pHeavy = pRight;
     StgAvlNode* pNewRoot = pHeavy->pLeft;
     pHeavy->pLeft = pNewRoot->pRight;
@@ -202,7 +216,7 @@ StgAvlNode* StgAvlNode::RotRL()
 
 StgAvlNode* StgAvlNode::Rem( StgAvlNode** p, StgAvlNode* pDel, sal_Bool bPtrs )
 {
-    if( *p )
+    if( p && *p && pDel )
     {
         StgAvlNode* pCur = *p;
         short nRes = bPtrs ? short( pCur == pDel ) : short(pCur->Compare( pDel ));
@@ -256,14 +270,11 @@ StgAvlNode* StgAvlNode::Rem( StgAvlNode** p, StgAvlNode* pDel, sal_Bool bPtrs )
 
 void StgAvlNode::StgEnum( short& n )
 {
-    if( this )
-    {
-        if( pLeft )
-            pLeft->StgEnum( n );
-        nId = n++;
-        if( pRight )
-            pRight->StgEnum( n );
-    }
+    if( pLeft )
+        pLeft->StgEnum( n );
+    nId = n++;
+    if( pRight )
+        pRight->StgEnum( n );
 }
 
 // Add node to AVL tree.
@@ -272,6 +283,9 @@ void StgAvlNode::StgEnum( short& n )
 sal_Bool StgAvlNode::Insert( StgAvlNode** pRoot, StgAvlNode* pIns )
 {
     StgAvlNode* pPivot, *pHeavy, *pNewRoot, *pParent, *pPrev;
+    if ( !pRoot )
+        return sal_False;
+
     // special case - empty tree
     if( *pRoot == NULL )
     {
@@ -282,6 +296,8 @@ sal_Bool StgAvlNode::Insert( StgAvlNode** pRoot, StgAvlNode* pIns )
     short nRes = (*pRoot)->Locate( pIns, &pPivot, &pParent, &pPrev );
     if( !nRes )
         return sal_False;
+    OSL_ENSURE( pPivot && pPrev, "The pointers may not be NULL!" );
+
     // add new node
     if( nRes < 0 )
         pPrev->pLeft = pIns;
@@ -319,6 +335,9 @@ sal_Bool StgAvlNode::Insert( StgAvlNode** pRoot, StgAvlNode* pIns )
 
 sal_Bool StgAvlNode::Remove( StgAvlNode** pRoot, StgAvlNode* pDel, sal_Bool bDel )
 {
+    if ( !pRoot )
+        return sal_False;
+
     // special case - empty tree
     if( *pRoot == NULL )
         return sal_False;
@@ -349,6 +368,9 @@ sal_Bool StgAvlNode::Remove( StgAvlNode** pRoot, StgAvlNode* pDel, sal_Bool bDel
 sal_Bool StgAvlNode::Move
     ( StgAvlNode** pRoot1, StgAvlNode** pRoot2, StgAvlNode* pMove )
 {
+    if ( !pRoot1 )
+        return sal_False;
+
     // special case - empty tree
     if( *pRoot1 == NULL )
         return sal_False;
diff --git a/sot/source/sdstor/stgcache.cxx b/sot/source/sdstor/stgcache.cxx
index c63e236..403dabe 100644
--- a/sot/source/sdstor/stgcache.cxx
+++ b/sot/source/sdstor/stgcache.cxx
@@ -60,6 +60,7 @@ typedef boost::unordered_map
 
 StgPage::StgPage( StgCache* p, short n )
 {
+    OSL_ENSURE( n >= 512, "Unexpected page size is provided!" );
     pCache = p;
     nData  = n;
     bDirty = sal_False;
@@ -123,11 +124,15 @@ StgCache::~StgCache()
 
 void StgCache::SetPhysPageSize( short n )
 {
-    nPageSize = n;
-    sal_uLong nPos = pStrm->Tell();
-    sal_uLong nFileSize = pStrm->Seek( STREAM_SEEK_TO_END );
-    nPages = lcl_GetPageCount( nFileSize, nPageSize );
-    pStrm->Seek( nPos );
+    OSL_ENSURE( n >= 512, "Unexpecte page size is provided!" );
+    if ( n >= 512 )
+    {
+        nPageSize = n;
+        sal_uLong nPos = pStrm->Tell();
+        sal_uLong nFileSize = pStrm->Seek( STREAM_SEEK_TO_END );
+        nPages = lcl_GetPageCount( nFileSize, nPageSize );
+        pStrm->Seek( nPos );
+    }
 }
 
 // Create a new cache element
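Review bot: For `n < 512` StgCache::SetPhysPageSize now returns without changing anything, so nPageSize and nPages keep their previous values and the caller gets no signal that the size read from the file was rejected. Since the function is void, recording an error on the cache in that case would let the load fail cleanly, for example `else SetError( SVSTREAM_FILEFORMAT_ERROR );`, assuming the cache's usual error setter is available here. `pStrm->Tell()` is also still called without a null check, although IsWritable() in stgcache.hxx gains one in this commit. The assertion text has a typo, "Unexpecte page size".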
@@ -181,19 +186,24 @@ StgPage* StgCache::Create( sal_Int32 nPg )
 
 void StgCache::Erase( StgPage* pElem )
 {
-    //remove from LRU
-    pElem->pNext1->pLast1 = pElem->pLast1;
-    pElem->pLast1->pNext1 = pElem->pNext1;
-    if( pCur == pElem )
-        pCur = ( pElem->pNext1 == pElem ) ? NULL : pElem->pNext1;
-    if( pLRUCache )
-        ((UsrStgPagePtr_Impl*)pLRUCache)->erase( pElem->nPage );
-    // remove from Sorted
-    pElem->pNext2->pLast2 = pElem->pLast2;
-    pElem->pLast2->pNext2 = pElem->pNext2;
-    if( pElem1 == pElem )
-        pElem1 = ( pElem->pNext2 == pElem ) ? NULL : pElem->pNext2;
-    delete pElem;
+    OSL_ENSURE( pElem, "The pointer should not be NULL!" );
+    if ( pElem )
+    {
+        OSL_ENSURE( pElem->pNext1 && pElem->pLast1, "The pointers may not be NULL!" );
+        //remove from LRU
+        pElem->pNext1->pLast1 = pElem->pLast1;
+        pElem->pLast1->pNext1 = pElem->pNext1;
+        if( pCur == pElem )
+            pCur = ( pElem->pNext1 == pElem ) ? NULL : pElem->pNext1;
+        if( pLRUCache )
+            ((UsrStgPagePtr_Impl*)pLRUCache)->erase( pElem->nPage );
+        // remove from Sorted
+        pElem->pNext2->pLast2 = pElem->pLast2;
+        pElem->pLast2->pNext2 = pElem->pNext2;
+        if( pElem1 == pElem )
+            pElem1 = ( pElem->pNext2 == pElem ) ? NULL : pElem->pNext2;
+        delete pElem;
+    }
 }
 
 // remove all cache elements without flushing them
@@ -225,9 +235,11 @@ StgPage* StgCache::Find( sal_Int32 nPage )
     {
         // page found
         StgPage* pFound = (*aIt).second;
+        OSL_ENSURE( pFound, "The pointer may not be NULL!" );
 
         if( pFound != pCur )
         {
+            OSL_ENSURE( pFound->pNext1 && pFound->pLast1, "The pointers may not be NULL!" );
             // remove from LRU
             pFound->pNext1->pLast1 = pFound->pLast1;
             pFound->pLast1->pNext1 = pFound->pNext1;
@@ -274,7 +286,10 @@ StgPage* StgCache::Copy( sal_Int32 nNew, sal_Int32 nOld )
         // old page: we must have this data!
         StgPage* q = Get( nOld, sal_True );
         if( q )
+        {
+            OSL_ENSURE( p->nData == q->nData, "Unexpected page size!" );
             memcpy( p->pData, q->pData, p->nData );
+        }
     }
     p->SetDirty();
     return p;
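Review bot: The size comparison added before the memcpy in StgCache::Copy is only an `OSL_ENSURE`, so when `p->nData` and `q->nData` differ the copy still reads `p->nData` bytes from `q->pData`. If the two pages can ever have different sizes, that is a read past the end of the source buffer whenever q is the smaller one. Making the comparison part of the condition, `if( q && p->nData == q->nData )`, or copying only the smaller of the two lengths, bounds the copy in product builds as well. The opening lines of Copy, including where p comes from, are outside the hunk.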
@@ -449,8 +464,12 @@ sal_Bool StgCache::Write( sal_Int32 nPage, void* pBuf, sal_Int32 nPg )
     if( Good() )
     {
         sal_uLong nPos = Page2Pos( nPage );
-        sal_uLong nBytes = nPg * nPageSize;
+        sal_uLong nBytes = 0;
+        if ( SAL_MAX_INT32 / nPg > nPageSize )
+            nBytes = nPg * nPageSize;
+
         // fixed address and size for the header
+        // nPageSize must be >= 512, otherwise the header can not be written here, we check it on import
         if( nPage == -1 )
             nPos = 0L, nBytes = 512;
         if( pStrm->Tell() != nPos )
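Review bot: The new overflow check `SAL_MAX_INT32 / nPg > nPageSize` in StgCache::Write divides by `nPg`, a caller-supplied sal_Int32, so `nPg == 0` is a division by zero. When the check fails, nBytes silently stays 0 and the function carries on to the seek and write below instead of reporting an error. Dividing by the page size and failing explicitly avoids both: `if ( nPg <= 0 || nPageSize <= 0 || nPg > SAL_MAX_INT32 / nPageSize ) return sal_False;` ahead of `nBytes = nPg * nPageSize;`. The header case (`nPage == -1`) overrides nBytes, so the check may need to apply only to the non-header path; the rest of Write is outside the hunk.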
diff --git a/sot/source/sdstor/stgcache.hxx b/sot/source/sdstor/stgcache.hxx
index 4e9961f..a57c903 100644
--- a/sot/source/sdstor/stgcache.hxx
+++ b/sot/source/sdstor/stgcache.hxx
@@ -62,7 +62,7 @@ public:
     SvStream* GetStrm()                 { return pStrm;     }
     void  SetStrm( SvStream*, sal_Bool );
     void  SetStrm( UCBStorageStream* );
-    sal_Bool  IsWritable()                  { return pStrm->IsWritable(); }
+	sal_Bool  IsWritable()					{ return ( pStrm && pStrm->IsWritable() ); }
     sal_Bool  Good()                        { return sal_Bool( nError == SVSTREAM_OK ); }
     sal_Bool  Bad()                         { return sal_Bool( nError != SVSTREAM_OK ); }
     sal_uLong GetError()                    { return nError;    }
diff --git a/sot/source/sdstor/stgdir.cxx b/sot/source/sdstor/stgdir.cxx
index 7b3e9e0..a86a3f2 100644
--- a/sot/source/sdstor/stgdir.cxx
+++ b/sot/source/sdstor/stgdir.cxx
@@ -44,9 +44,9 @@
 // Problem der Implementation: Keine Hierarchischen commits. Daher nur
 // insgesamt transaktionsorientert oder direkt.
 
-StgDirEntry::StgDirEntry( const void* pFrom, sal_Bool * pbOk ) : StgAvlNode()
+StgDirEntry::StgDirEntry( const void* pBuffer, sal_uInt32 nBufferLen, sal_Bool * pbOk ) : StgAvlNode()
 {
-    *pbOk = aEntry.Load( pFrom );
+	*pbOk = aEntry.Load( pBuffer, nBufferLen );
 
     InitMembers();
 }
@@ -93,8 +93,13 @@ StgDirEntry::~StgDirEntry()
 
 short StgDirEntry::Compare( const StgAvlNode* p ) const
 {
-    const StgDirEntry* pEntry = (const StgDirEntry*) p;
-    return aEntry.Compare( pEntry->aEntry );
+    short nResult = -1;
+    if ( p )
+    {
+        const StgDirEntry* pEntry = (const StgDirEntry*) p;
+        nResult = aEntry.Compare( pEntry->aEntry );
+    }
+    return nResult;
 }
 
 // Enumerate the entry numbers.
@@ -254,9 +259,9 @@ void StgDirEntry::OpenStream( StgIo& rIo, sal_Bool bForceBig )
     sal_Int32 nThreshold = (sal_uInt16) rIo.aHdr.GetThreshold();
     delete pStgStrm;
     if( !bForceBig && aEntry.GetSize() < nThreshold )
-        pStgStrm = new StgSmallStrm( rIo, this );
+		pStgStrm = new StgSmallStrm( rIo, *this );
     else
-        pStgStrm = new StgDataStrm( rIo, this );
+		pStgStrm = new StgDataStrm( rIo, *this );
     if( bInvalid && aEntry.GetSize() )
     {
         // This entry has invalid data, so delete that data
@@ -314,6 +319,10 @@ sal_Bool StgDirEntry::SetSize( sal_Int32 nNewSize )
     }
     else
     {
+        OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+        if ( !pStgStrm )
+            return sal_False;
+
         sal_Bool bRes = sal_False;
         StgIo& rIo = pStgStrm->GetIo();
         sal_Int32 nThreshold = rIo.aHdr.GetThreshold();
@@ -393,6 +402,10 @@ sal_Int32 StgDirEntry::Seek( sal_Int32 nNew )
     }
     else
     {
+        OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+        if ( !pStgStrm )
+            return nPos;
+
         sal_Int32 nSize = aEntry.GetSize();
 
         if( nNew < 0 )
@@ -412,6 +425,7 @@ sal_Int32 StgDirEntry::Seek( sal_Int32 nNew )
         pStgStrm->Pos2Page( nNew );
         nNew = pStgStrm->GetPos();
     }
+
     return nPos = nNew;
 }
 
@@ -426,7 +440,14 @@ sal_Int32 StgDirEntry::Read( void* p, sal_Int32 nLen )
     else if( pCurStrm )
         nLen = pCurStrm->Read( p, nLen );
     else
+    {
+        OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+        if ( !pStgStrm )
+            return 0;
+
         nLen = pStgStrm->Read( p, nLen );
+    }
+
     nPos += nLen;
     return nLen;
 }
@@ -444,6 +465,11 @@ sal_Int32 StgDirEntry::Write( const void* p, sal_Int32 nLen )
     // Is this stream opened in transacted mode? Do we have to make a copy?
     if( !bDirect && !pTmpStrm && !Strm2Tmp() )
         return 0;
+
+    OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+    if ( !pStgStrm )
+        return 0;
+
     if( pTmpStrm )
     {
         nLen = pTmpStrm->Write( p, nLen );
@@ -600,6 +626,10 @@ sal_Bool StgDirEntry::Strm2Tmp()
             {
                 if( n )
                 {
+                    OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+                    if ( !pStgStrm )
+                        return sal_False;
+
                     sal_uInt8 aTempBytes[ 4096 ];
                     void* p = static_cast<void*>( aTempBytes );
                     pStgStrm->Pos2Page( 0L );
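Review bot: The early `return sal_False;` added for a null `pStgStrm` in StgDirEntry::Strm2Tmp leaves the function without passing through the failure path shown in the next hunk, which deletes `pTmpStrm` and resets it to NULL. If pTmpStrm was already allocated earlier in the function (not visible here), it stays set, and StgDirEntry::Write, which tests `!pTmpStrm` before calling Strm2Tmp, would treat the unfilled temporary stream as valid on its next call. Releasing it before returning keeps the state consistent: `delete pTmpStrm; pTmpStrm = NULL; return sal_False;`.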
@@ -621,9 +651,13 @@ sal_Bool StgDirEntry::Strm2Tmp()
             else
                 n = 1;
         }
+
         if( n )
         {
-            pStgStrm->GetIo().SetError( pTmpStrm->GetError() );
+            OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+            if ( pStgStrm )
+                pStgStrm->GetIo().SetError( pTmpStrm->GetError() );
+
             delete pTmpStrm;
             pTmpStrm = NULL;
             return sal_False;
@@ -641,6 +675,9 @@ sal_Bool StgDirEntry::Tmp2Strm()
         pTmpStrm = pCurStrm, pCurStrm = NULL;
     if( pTmpStrm )
     {
+        OSL_ENSURE( pStgStrm, "The pointer may not be NULL!" );
+        if ( !pStgStrm )
+            return sal_False;
         sal_uLong n = pTmpStrm->GetSize();
         StgStrm* pNewStrm;
         StgIo& rIo = pStgStrm->GetIo();
@@ -777,7 +814,7 @@ void StgDirStrm::SetupEntry( sal_Int32 n, StgDirEntry* pUpper )
     if( p )
     {
         sal_Bool bOk(sal_False);
-        StgDirEntry* pCur = new StgDirEntry( p, &bOk );
+        StgDirEntry* pCur = new StgDirEntry( p, STGENTRY_SIZE, &bOk );
 
         if( !bOk )
         {
@@ -854,6 +891,9 @@ void StgDirStrm::SetupEntry( sal_Int32 n, StgDirEntry* pUpper )
 sal_Bool StgDirStrm::SetSize( sal_Int32 nBytes )
 {
     // Always allocate full pages
+    if ( nBytes < 0 )
+        nBytes = 0;
+
     nBytes = ( ( nBytes + nPageSize - 1 ) / nPageSize ) * nPageSize;
     return StgStrm::SetSize( nBytes );
 }
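Review bot: Clamping negative values covers one end of StgDirStrm::SetSize, but the round-up `nBytes + nPageSize - 1` can still overflow sal_Int32 when nBytes is close to SAL_MAX_INT32, which is undefined behaviour for a signed type. Rejecting such sizes before the arithmetic closes the other end: `if ( nBytes > SAL_MAX_INT32 - nPageSize + 1 ) return sal_False;`. Whether callers can pass values that large depends on code outside the hunk. A short comment on the clamp saying that a negative request is treated as zero would also make the silent adjustment visible.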
@@ -862,7 +902,7 @@ sal_Bool StgDirStrm::SetSize( sal_Int32 nBytes )
 
 sal_Bool StgDirStrm::Store()
 {
-    if( !pRoot->IsDirty() )
+    if( !pRoot || !pRoot->IsDirty() )
         return sal_True;
     if( !pRoot->StoreStreams( rIo ) )
         return sal_False;
diff --git a/sot/source/sdstor/stgdir.hxx b/sot/source/sdstor/stgdir.hxx
index 9edceb7..450bf03 100644
--- a/sot/source/sdstor/stgdir.hxx
+++ b/sot/source/sdstor/stgdir.hxx
@@ -62,7 +62,7 @@ public:
     sal_Bool         bDirect;                   // sal_True: direct mode
     sal_Bool         bZombie;                   // sal_True: Removed From StgIo
     sal_Bool         bInvalid;                  // sal_True: invalid entry
-    StgDirEntry( const void*, sal_Bool * pbOk );
+	StgDirEntry( const void* pBuffer, sal_uInt32 nBufferLen, sal_Bool * pbOk );
     StgDirEntry( const StgEntry& );
     ~StgDirEntry();
 
diff --git a/sot/source/sdstor/stgelem.cxx b/sot/source/sdstor/stgelem.cxx
index efdaec2..39fd406 100644
--- a/sot/source/sdstor/stgelem.cxx
+++ b/sot/source/sdstor/stgelem.cxx
@@ -70,21 +70,44 @@ SvStream& operator <<( SvStream& r, const ClsId& rId )
 ///////////////////////////// class StgHeader ////////////////////////////
 
 StgHeader::StgHeader()
+: nVersion( 0 )
+, nByteOrder( 0 )
+, nPageSize( 0 )
+, nDataPageSize( 0 )
+, bDirty( 0 )
+, nFATSize( 0 )
+, nTOCstrm( 0 )
+, nReserved( 0 )
+, nThreshold( 0 )
+, nDataFAT( 0 )
+, nDataFATSize( 0 )
+, nMasterChain( 0 )
+, nMaster( 0 )
 {
-    memset( this, 0, sizeof( StgHeader ) );
+    memset( cSignature, 0, sizeof( cSignature ) );
+    memset( &aClsId, 0, sizeof( ClsId ) );
+    memset( cReserved, 0, sizeof( cReserved ) );
+    memset( nMasterFAT, 0, sizeof( nMasterFAT ) );
 }
 
 void StgHeader::Init()
 {
-    memset( this, 0, sizeof( StgHeader ) );
     memcpy( cSignature, cStgSignature, 8 );
+    memset( &aClsId, 0, sizeof( ClsId ) );
     nVersion      = 0x0003003B;
     nByteOrder    = 0xFFFE;
     nPageSize     = 9;          // 512 bytes
     nDataPageSize = 6;          // 64 bytes
+    bDirty = 0;
+    memset( cReserved, 0, sizeof( cReserved ) );
+    nFATSize = 0;
+    nTOCstrm = 0;
+    nReserved = 0;
     nThreshold    = 4096;
+    nDataFAT = 0;
     nDataFATSize  = 0;
     nMasterChain  = STG_EOF;
+
     SetTOCStart( STG_EOF );
     SetDataFATStart( STG_EOF );
     for( short i = 0; i < 109; i++ )
@@ -93,9 +116,15 @@ void StgHeader::Init()
 
 sal_Bool StgHeader::Load( StgIo& rIo )
 {
-    SvStream& r = *rIo.GetStrm();
-    Load( r );
-    return rIo.Good();
+    sal_Bool bResult = sal_False;
+    if ( rIo.GetStrm() )
+    {
+        SvStream& r = *rIo.GetStrm();
+        bResult = Load( r );
+	    bResult = ( bResult && rIo.Good() );
+    }
+
+    return bResult;
 }
 
 sal_Bool StgHeader::Load( SvStream& r )
@@ -118,7 +147,8 @@ sal_Bool StgHeader::Load( SvStream& r )
       >> nMaster;                   // 48 # of additional master blocks
     for( short i = 0; i < 109; i++ )
         r >> nMasterFAT[ i ];
-    return r.GetErrorCode() == ERRCODE_NONE;
+
+    return ( r.GetErrorCode() == ERRCODE_NONE && Check() );
 }
 
 sal_Bool StgHeader::Store( StgIo& rIo )
@@ -157,8 +187,15 @@ sal_Bool StgHeader::Check()
 {
     return sal_Bool( memcmp( cSignature, cStgSignature, 8 ) == 0
             && (short) ( nVersion >> 16 ) == 3 )
+            && nPageSize == 9
             && lcl_wontoverflow(nPageSize)
-            && lcl_wontoverflow(nDataPageSize);
+            && lcl_wontoverflow(nDataPageSize)
+            && nFATSize > 0
+            && nTOCstrm >= 0
+            && nThreshold > 0
+            && ( nDataFAT == -2 || ( nDataFAT >= 0 && nDataFATSize > 0 ) )
+            && ( nMasterChain == -2 || ( nMasterChain >=0 && nMaster > 109 ) )
+            && nMaster >= 0;
 }
 
 sal_Int32 StgHeader::GetFATPage( short n ) const
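Review bot: The condition `nMasterChain >=0 && nMaster > 109` looks too strict, and because `Load` now returns `Check()` it decides whether a document opens at all. The comment in `Load` describes `nMaster` as the number of additional master blocks and the header declares `nMasterFAT[ 109 ]` as the first 109 master FAT pages, so a file with a short chain would presumably carry a small positive `nMaster` and be rejected here; if that reading is right, `nMaster > 0` is the intended test. The literal `-2` appears to stand for `STG_EOF`, which `Init()` assigns to the same fields, and using the constant would make that explicit. `lcl_wontoverflow(nPageSize)` is redundant once `nPageSize == 9` is required.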
@@ -213,7 +250,21 @@ void StgHeader::SetMasters( sal_Int32 n )
 
 sal_Bool StgEntry::Init()
 {
-    memset( this, 0, sizeof (StgEntry) - sizeof( String ) );
+    memset( nName, 0, sizeof( nName ) );
+    nNameLen = 0;
+    cType = 0;
+    cFlags = 0;
+    nLeft = 0;
+    nRight = 0;
+    nChild = 0;
+	memset( &aClsId, 0, sizeof( aClsId ) );
+    nFlags = 0;
+    nMtime[0] = 0; nMtime[1] = 0;
+    nAtime[0] = 0; nAtime[1] = 0;
+    nPage1 = 0;
+    nSize = 0;
+    nUnknown = 0;
+
     SetLeaf( STG_LEFT,  STG_FREE );
     SetLeaf( STG_RIGHT, STG_FREE );
     SetLeaf( STG_CHILD, STG_FREE );
@@ -306,9 +357,12 @@ short StgEntry::Compare( const StgEntry& r ) const
 // These load/store operations are a bit more complicated,
 // since they have to copy their contents into a packed structure.
 
-sal_Bool StgEntry::Load( const void* pFrom )
+sal_Bool StgEntry::Load( const void* pFrom, sal_uInt32 nBufSize )
 {
-    SvMemoryStream r( (sal_Char*) pFrom, 128, STREAM_READ );
+    if ( nBufSize < 128 )
+        return sal_False;
+
+	SvMemoryStream r( (sal_Char*) pFrom, nBufSize, STREAM_READ );
     for( short i = 0; i < 32; i++ )
         r >> nName[ i ];            // 00 name as WCHAR
     r >> nNameLen                   // 40 size of name in bytes including 00H
@@ -334,7 +388,7 @@ sal_Bool StgEntry::Load( const void* pFrom )
     if (n > nMaxLegalStr)
         return sal_False;
 
-    if (nSize < 0 && cType != STG_STORAGE)
+	if ((nSize < 0 && cType != STG_STORAGE) || (nPage1 < 0 && nPage1 != -2))
     {
         // the size makes no sense for the substorage
         // TODO/LATER: actually the size should be an unsigned value, but in this case it would mean a stream of more than 2Gb
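Review bot: The comment inside this branch still explains only the `nSize` half of the condition; the added `nPage1 < 0 && nPage1 != -2` test has no explanation and uses a bare `-2`. A line such as `// a negative start page other than the end-of-chain marker is invalid` above the `if`, and the named constant in place of `-2` if `STG_EOF` is what is meant, would make the check reviewable. The branch body continues past the end of this hunk.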
diff --git a/sot/source/sdstor/stgelem.hxx b/sot/source/sdstor/stgelem.hxx
index 1a85e1f..256a6de 100644
--- a/sot/source/sdstor/stgelem.hxx
+++ b/sot/source/sdstor/stgelem.hxx
@@ -55,6 +55,7 @@ class StgHeader
     sal_Int32   nMasterFAT[ 109 ];          // 4C first 109 master FAT pages
 public:
     StgHeader();
+
     void  Init();                       // initialize the header
     sal_Bool  Load( StgIo& );
     sal_Bool  Load( SvStream& );
@@ -128,7 +129,7 @@ public:
     void    GetName( String& rName ) const;
                                         // fill in the name
     short   Compare( const StgEntry& ) const;   // compare two entries
-    sal_Bool    Load( const void* );
+	sal_Bool	Load( const void* pBuffer, sal_uInt32 nBufSize );
     void    Store( void* );
     StgEntryType GetType() const        { return (StgEntryType) cType;  }
     sal_Int32   GetStartPage() const        { return nPage1; }
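Review bot: The new `nBufSize` parameter is undocumented in the declaration, although the implementation in stgelem.cxx returns `sal_False` when it is below 128. A trailing comment like `// nBufSize: readable bytes at pBuffer, at least 128` would state the contract for callers. The added line is also indented with tabs where the neighbouring declarations use spaces; the same applies to the changed declarations in stgdir.hxx and stgstrms.hxx.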
diff --git a/sot/source/sdstor/stgio.cxx b/sot/source/sdstor/stgio.cxx
index b4c3008..8b15a9e 100644
--- a/sot/source/sdstor/stgio.cxx
+++ b/sot/source/sdstor/stgio.cxx
@@ -60,6 +60,8 @@ sal_Bool StgIo::Load()
             else
                 return sal_False;
         }
+        else
+            return sal_False;
     }
     return Good();
 }
@@ -93,7 +95,7 @@ void StgIo::SetupStreams()
         if( pRoot )
         {
             pDataFAT = new StgDataStrm( *this, aHdr.GetDataFATStart(), -1 );
-            pDataStrm = new StgDataStrm( *this, pRoot );
+			pDataStrm = new StgDataStrm( *this, *pRoot );
             pDataFAT->SetIncrement( 1 << aHdr.GetPageSize() );
             pDataStrm->SetIncrement( GetDataPageSize() );
             pDataStrm->SetEntry( *pRoot );
@@ -115,7 +117,7 @@ short StgIo::GetDataPageSize()
 sal_Bool StgIo::CommitAll()
 {
     // Store the data (all streams and the TOC)
-    if( pTOC->Store() )
+    if( pTOC && pTOC->Store() && pDataFAT )
     {
         if( Commit() )
         {
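Review bot: In `pTOC && pTOC->Store() && pDataFAT` the null test for `pDataFAT` comes after `Store()` has already run, so a missing data FAT is only discovered once the TOC has been stored. Testing both pointers first, `if( pTOC && pDataFAT && pTOC->Store() )`, keeps the failure path free of side effects. What the branch does with `pDataFAT` lies outside this hunk, so this assumes the pointer is needed only inside it.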
@@ -152,7 +154,11 @@ public:
 
     sal_Int32 GetPageSize() { return nPageSize; }
     sal_Int32 Count() { return nPages; }
-    sal_Int32 operator[]( sal_Int32 nOffset ) { return pFat[ nOffset ]; }
+	sal_Int32 operator[]( sal_Int32 nOffset )
+    {
+        OSL_ENSURE( nOffset >= 0 && nOffset < nPages, "Unexpected offset!" );
+        return nOffset >= 0 && nOffset < nPages ? pFat[ nOffset ] : -2;
+    }
 
     sal_uLong Mark( sal_Int32 nPage, sal_Int32 nCount, sal_Int32 nExpect );
     sal_Bool HasUnrefChains();
@@ -200,6 +206,8 @@ sal_uLong EasyFat::Mark( sal_Int32 nPage, sal_Int32 nCount, sal_Int32 nExpect )
     sal_Int32 nCurPage = nPage;
     while( nCount != 0 )
     {
+		if( nCurPage < 0 || nCurPage >= nPages )
+			return FAT_OUTOFBOUNDS;
         pFree[ nCurPage ] = sal_False;
         nCurPage = pFat[ nCurPage ];
         //Stream zu lang
@@ -213,9 +221,6 @@ sal_uLong EasyFat::Mark( sal_Int32 nPage, sal_Int32 nCount, sal_Int32 nExpect )
             nCount = 1;
         if( nCount != -1 )
             nCount--;
-        // Naechster Block nicht in der FAT
-        if( nCount && ( nCurPage < 0 || nCurPage >= nPages ) )
-            return FAT_OUTOFBOUNDS;
     }
     return FAT_OK;
 }
@@ -259,6 +264,9 @@ sal_uLong Validator::ValidateMasterFATs()
 {
     sal_Int32 nCount = rIo.aHdr.GetFATSize();
     sal_uLong nErr;
+    if ( !rIo.pFAT )
+	    return FAT_INMEMORYERROR;
+
     for( sal_Int32 i = 0; i < nCount; i++ )
     {
         if( ( nErr = aFat.Mark(rIo.pFAT->GetPage( short(i), sal_False ), aFat.GetPageSize(), -3 )) != FAT_OK )
@@ -267,11 +275,15 @@ sal_uLong Validator::ValidateMasterFATs()
     if( rIo.aHdr.GetMasters() )
         if( ( nErr = aFat.Mark(rIo.aHdr.GetFATChain( ), aFat.GetPageSize(), -4 )) != FAT_OK )
             return nErr;
+
     return FAT_OK;
 }
 
 sal_uLong Validator::MarkAll( StgDirEntry *pEntry )
 {
+    if ( !pEntry )
+	    return FAT_INMEMORYERROR;
+
     StgIterator aIter( *pEntry );
     sal_uLong nErr = FAT_OK;
     for( StgDirEntry* p = aIter.First(); p ; p = aIter.Next() )
@@ -298,6 +310,9 @@ sal_uLong Validator::MarkAll( StgDirEntry *pEntry )
 
 sal_uLong Validator::ValidateDirectoryEntries()
 {
+    if ( !rIo.pTOC )
+	    return FAT_INMEMORYERROR;
+
     // Normale DirEntries
     sal_uLong nErr = MarkAll( rIo.pTOC->GetRoot() );
     if( nErr != FAT_OK )
@@ -347,7 +362,11 @@ sal_uLong StgIo::ValidateFATs()
         Validator *pV = new Validator( *this );
         sal_Bool bRet1 = !pV->IsError(), bRet2 = sal_True ;
         delete pV;
+
         SvFileStream *pFileStrm = ( SvFileStream *) GetStrm();
+        if ( !pFileStrm )
+            return FAT_INMEMORYERROR;
+
         StgIo aIo;
         if( aIo.Open( pFileStrm->GetFileName(),
                       STREAM_READ  | STREAM_SHARE_DENYNONE) &&
diff --git a/sot/source/sdstor/stgole.cxx b/sot/source/sdstor/stgole.cxx
index 0bf6d44..9616347 100644
--- a/sot/source/sdstor/stgole.cxx
+++ b/sot/source/sdstor/stgole.cxx
@@ -115,23 +115,28 @@ sal_Bool StgCompObjStream::Load()
         *this >> aClsId;
         sal_Int32 nLen1 = 0;
         *this >> nLen1;
-        // higher bits are ignored
-        nLen1 &= 0xFFFF;
-        sal_Char* p = new sal_Char[ (sal_uInt16) nLen1 ];
-        if( Read( p, nLen1 ) == (sal_uLong) nLen1 )
+        if ( nLen1 > 0 )
         {
-            //The encoding here is "ANSI", which is pretty useless seeing as
-            //the actual codepage used doesn't seem to be specified/stored
-            //anywhere :-(. Might as well pick 1252 and be consistent on
-            //all platforms and envs
-            //http://www.openoffice.org/nonav/issues/showattachment.cgi/68668/Orginal%20Document.doc
-            //for a good edge-case example
-            aUserName = nLen1 ? String( p, RTL_TEXTENCODING_MS_1252 ) : String();
-            nCbFormat = ReadClipboardFormat( *this );
+            // higher bits are ignored
+            sal_uLong nStrLen = ::std::min( nLen1, (sal_Int32)0xFFFE );
+
+            sal_Char* p = new sal_Char[ nStrLen+1 ];
+            p[nStrLen] = 0;
+            if( Read( p, nStrLen ) == nStrLen )
+            {
+                //The encoding here is "ANSI", which is pretty useless seeing as
+                //the actual codepage used doesn't seem to be specified/stored
+                //anywhere :-(. Might as well pick 1252 and be consistent on
+                //all platforms and envs
+                //http://www.openoffice.org/nonav/issues/showattachment.cgi/68668/Orginal%20Document.doc
+                //for a good edge-case example
+                aUserName = nStrLen ? String( p, RTL_TEXTENCODING_MS_1252 ) : String();
+                nCbFormat = ReadClipboardFormat( *this );
+            }
+            else
+                SetError( SVSTREAM_GENERALERROR );
+            delete [] p;
         }
-        else
-            SetError( SVSTREAM_GENERALERROR );
-        delete [] p;
     }
     return sal_Bool( GetError() == SVSTREAM_OK );
 }
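Review bot: Clamping with `::std::min( nLen1, (sal_Int32)0xFFFE )` reads only part of an over-long name and then calls `ReadClipboardFormat` at a position that is still inside the string, so a length above 0xFFFE desynchronises the stream instead of failing. Rejecting it, `if ( nLen1 > 0xFFFE ) SetError( SVSTREAM_GENERALERROR );`, is safer for untrusted input. The retained comment `// higher bits are ignored` no longer matches, since the value is now clamped rather than masked. Because the whole block runs only for `nLen1 > 0`, the `nStrLen ? ... : String()` test is dead and a zero-length name now skips reading `nCbFormat`, which the removed code still did; confirm that is intended. Load's body begins before this hunk.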
diff --git a/sot/source/sdstor/stgstrms.cxx b/sot/source/sdstor/stgstrms.cxx
index 3a4bbf9..927fb53 100644
--- a/sot/source/sdstor/stgstrms.cxx
+++ b/sot/source/sdstor/stgstrms.cxx
@@ -72,7 +72,7 @@ sal_Int32 StgFAT::GetNextPage( sal_Int32 nPg )
 {
     if( nPg >= 0 )
     {
-        StgPage* pPg = GetPhysPage( nPg << 2 );
+      StgPage* pPg = GetPhysPage( nPg << 2 );
         nPg = pPg ? pPg->GetPage( nOffset >> 2 ) : STG_EOF;
     }
     return nPg;
@@ -260,19 +260,22 @@ sal_Int32 StgFAT::AllocPages( sal_Int32 nBgn, sal_Int32 nPgs )
 sal_Bool StgFAT::InitNew( sal_Int32 nPage1 )
 {
     sal_Int32 n = ( ( rStrm.GetSize() >> 2 ) - nPage1 ) / nEntries;
-    while( n-- )
+    if ( n > 0 )
     {
-        StgPage* pPg = NULL;
-        // Position within the underlying stream
-        // use the Pos2Page() method of the stream
-        rStrm.Pos2Page( nPage1 << 2 );
-        // Initialize the page
-        pPg = rStrm.GetIo().Copy( rStrm.GetPage(), STG_FREE );
-        if ( !pPg )
-            return sal_False;
-        for( short i = 0; i < nEntries; i++ )
-            pPg->SetPage( i, STG_FREE );
-        nPage1++;
+        while( n-- )
+        {
+            StgPage* pPg = NULL;
+            // Position within the underlying stream
+            // use the Pos2Page() method of the stream
+            rStrm.Pos2Page( nPage1 << 2 );
+            // Initialize the page
+            pPg = rStrm.GetIo().Copy( rStrm.GetPage(), STG_FREE );
+            if ( !pPg )
+                return sal_False;
+            for( short i = 0; i < nEntries; i++ )
+                pPg->SetPage( i, STG_FREE );
+            nPage1++;
+        }
     }
     return sal_True;
 }
@@ -365,6 +368,9 @@ void StgStrm::scanBuildPageChainCache(sal_Int32 *pOptionalCalcSize)
 // behind the EOF.
 sal_Bool StgStrm::Pos2Page( sal_Int32 nBytePos )
 {
+    if ( !pFat )
+        return sal_False;
+
     // Values < 0 seek to the end
     if( nBytePos < 0 || nBytePos >= nSize )
         nBytePos = nSize;
@@ -447,6 +453,9 @@ StgPage* StgStrm::GetPhysPage( sal_Int32 nBytePos, sal_Bool bForce )
 
 sal_Bool StgStrm::Copy( sal_Int32 nFrom, sal_Int32 nBytes )
 {
+    if ( !pFat )
+        return sal_False;
+
     m_aPagesCache.clear();
 
     sal_Int32 nTo = nStart;
@@ -475,6 +484,9 @@ sal_Bool StgStrm::Copy( sal_Int32 nFrom, sal_Int32 nBytes )
 
 sal_Bool StgStrm::SetSize( sal_Int32 nBytes )
 {
+    if ( nBytes < 0 || !pFat )
+        return sal_False;
+
     m_aPagesCache.clear();
 
     // round up to page size
@@ -548,6 +560,7 @@ sal_Bool StgFATStrm::Pos2Page( sal_Int32 nBytePos )
 
 StgPage* StgFATStrm::GetPhysPage( sal_Int32 nBytePos, sal_Bool bForce )
 {
+    OSL_ENSURE( nBytePos >= 0, "The value may not be negative!" );
     return rIo.Get( nBytePos / ( nPageSize >> 2 ), bForce );
 }
 
@@ -555,6 +568,7 @@ StgPage* StgFATStrm::GetPhysPage( sal_Int32 nBytePos, sal_Bool bForce )
 
 sal_Int32 StgFATStrm::GetPage( short nOff, sal_Bool bMake, sal_uInt16 *pnMasterAlloc )
 {
+    OSL_ENSURE( nOff >= 0, "The offset may not be negative!" );
     if( pnMasterAlloc ) *pnMasterAlloc = 0;
     if( nOff < rIo.aHdr.GetFAT1Size() )
         return rIo.aHdr.GetFATPage( nOff );
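Review bot: `OSL_ENSURE( nOff >= 0, ... )` only reports in debug builds; in a release build a negative `nOff` still satisfies `nOff < rIo.aHdr.GetFAT1Size()` and is passed on to `GetFATPage( nOff )`. Callers such as `Validator::ValidateMasterFATs` pass `short(i)` with `i` bounded only by the FAT size read from the file header, so a negative value is reachable from file content; add a real guard next to the assertion, for example `if( nOff < 0 ) return STG_EOF;`. The same assertion-only pattern is added in the `StgFATStrm::GetPhysPage` hunk above and the `StgFATStrm::SetPage` hunk below, where `return NULL;` and `return sal_False;` would be the matching guards. GetPage's body continues beyond this hunk.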
@@ -631,6 +645,7 @@ sal_Int32 StgFATStrm::GetPage( short nOff, sal_Bool bMake, sal_uInt16 *pnMasterA
 
 sal_Bool StgFATStrm::SetPage( short nOff, sal_Int32 nNewPage )
 {
+    OSL_ENSURE( nOff >= 0, "The offset may not be negative!" );
     m_aPagesCache.clear();
 
     sal_Bool bRes = sal_True;
@@ -682,6 +697,9 @@ sal_Bool StgFATStrm::SetPage( short nOff, sal_Int32 nNewPage )
 
 sal_Bool StgFATStrm::SetSize( sal_Int32 nBytes )
 {
+    if ( nBytes < 0 )
+        return sal_False;
+
     m_aPagesCache.clear();
 
     // Set the number of entries to a multiple of the page size
@@ -710,6 +728,7 @@ sal_Bool StgFATStrm::SetSize( sal_Int32 nBytes )
 
             // find a free page using the FAT allocator
             sal_Int32 n = 1;
+            OSL_ENSURE( pFat, "The pointer is always initializer here!" );
             sal_Int32 nNewPage = pFat->FindBlock( n );
             if( nNewPage == STG_EOF )
             {
@@ -782,21 +801,25 @@ StgDataStrm::StgDataStrm( StgIo& r, sal_Int32 nBgn, sal_Int32 nLen ) : StgStrm(
     Init( nBgn, nLen );
 }
 
-StgDataStrm::StgDataStrm( StgIo& r, StgDirEntry* p ) : StgStrm( r )
+StgDataStrm::StgDataStrm( StgIo& r, StgDirEntry& p ) : StgStrm( r )
 {
-    pEntry = p;
-    Init( p->aEntry.GetLeaf( STG_DATA ),
-          p->aEntry.GetSize() );
+    pEntry = &p;
+    Init( p.aEntry.GetLeaf( STG_DATA ),
+          p.aEntry.GetSize() );
 }
 
 void StgDataStrm::Init( sal_Int32 nBgn, sal_Int32 nLen )
 {
-    pFat = new StgFAT( *rIo.pFAT, sal_True );
+    if ( rIo.pFAT )
+        pFat = new StgFAT( *rIo.pFAT, sal_True );
+
+    OSL_ENSURE( pFat, "The pointer should not be empty!" );
+
     nStart = nPage = nBgn;
     nSize  = nLen;
     nIncr  = 1;
     nOffset = 0;
-    if( nLen < 0 )
+    if( nLen < 0 && pFat )
     {
         // determine the actual size of the stream by scanning
         // the FAT chain and counting the # of pages allocated
@@ -808,6 +831,9 @@ void StgDataStrm::Init( sal_Int32 nBgn, sal_Int32 nLen )
 
 sal_Bool StgDataStrm::SetSize( sal_Int32 nBytes )
 {
+    if ( !pFat )
+        return sal_False;
+
     nBytes = ( ( nBytes + nIncr - 1 ) / nIncr ) * nIncr;
     sal_Int32 nOldSz = nSize;
     if( ( nOldSz != nBytes ) )
@@ -913,12 +939,15 @@ sal_Int32 StgDataStrm::Read( void* pBuf, sal_Int32 n )
 
 sal_Int32 StgDataStrm::Write( const void* pBuf, sal_Int32 n )
 {
+    if ( n < 0 )
+        return 0;
+
     sal_Int32 nDone = 0;
     if( ( nPos + n ) > nSize )
     {
         sal_Int32 nOld = nPos;
         if( !SetSize( nPos + n ) )
-            return sal_False;
+            return 0;
         Pos2Page( nOld );
     }
     while( n )
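Review bot: Rejecting `n < 0` leaves the upper side open: `nPos + n` in the following comparison and in `SetSize( nPos + n )` is a signed addition that overflows when `n` is large. Extending the guard to `if ( n < 0 || n > SAL_MAX_INT32 - nPos ) return 0;` covers both, assuming `nPos` is a non-negative sal_Int32 as its use here suggests. Write's loop body lies outside the hunk.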
@@ -983,17 +1012,20 @@ StgSmallStrm::StgSmallStrm( StgIo& r, sal_Int32 nBgn, sal_Int32 nLen ) : StgStrm
     Init( nBgn, nLen );
 }
 
-StgSmallStrm::StgSmallStrm( StgIo& r, StgDirEntry* p ) : StgStrm( r )
+StgSmallStrm::StgSmallStrm( StgIo& r, StgDirEntry& p ) : StgStrm( r )
 {
-    pEntry = p;
-    Init( p->aEntry.GetLeaf( STG_DATA ),
-          p->aEntry.GetSize() );
+    pEntry = &p;
+    Init( p.aEntry.GetLeaf( STG_DATA ),
+          p.aEntry.GetSize() );
 }
 
 void StgSmallStrm::Init( sal_Int32 nBgn, sal_Int32 nLen )
 {
-    pFat = new StgFAT( *rIo.pDataFAT, sal_False );
+    if ( rIo.pDataFAT )
+        pFat = new StgFAT( *rIo.pDataFAT, sal_False );
     pData = rIo.pDataStrm;
+    OSL_ENSURE( pFat && pData, "The pointers should not be empty!" );
+
     nPageSize = rIo.GetDataPageSize();
     nStart =
     nPage  = nBgn;
@@ -1018,7 +1050,7 @@ sal_Int32 StgSmallStrm::Read( void* pBuf, sal_Int32 n )
             nBytes = (short) n;
         if( nBytes )
         {
-            if( !pData->Pos2Page( nPage * nPageSize + nOffset ) )
+            if( !pData || !pData->Pos2Page( nPage * nPageSize + nOffset ) )
                 break;
             // all reading thru the stream
             short nRes = (short) pData->Read( (sal_uInt8*)pBuf + nDone, nBytes );
@@ -1058,9 +1090,10 @@ sal_Int32 StgSmallStrm::Write( const void* pBuf, sal_Int32 n )
         {
             // all writing goes thru the stream
             sal_Int32 nDataPos = nPage * nPageSize + nOffset;
-            if( pData->GetSize() < ( nDataPos + nBytes ) )
-                if( !pData->SetSize( nDataPos + nBytes ) )
-                    break;
+            if ( !pData
+              || ( pData->GetSize() < ( nDataPos + nBytes )
+                && !pData->SetSize( nDataPos + nBytes ) ) )
+                break;
             if( !pData->Pos2Page( nDataPos ) )
                 break;
             short nRes = (short) pData->Write( (sal_uInt8*)pBuf + nDone, nBytes );
diff --git a/sot/source/sdstor/stgstrms.hxx b/sot/source/sdstor/stgstrms.hxx
index fb97d09..02fb606 100644
--- a/sot/source/sdstor/stgstrms.hxx
+++ b/sot/source/sdstor/stgstrms.hxx
@@ -117,7 +117,7 @@ class StgDataStrm : public StgStrm      // a physical data stream
     void Init( sal_Int32 nBgn, sal_Int32 nLen );
 public:
     StgDataStrm( StgIo&, sal_Int32 nBgn, sal_Int32 nLen=-1 );
-    StgDataStrm( StgIo&, StgDirEntry* );
+	StgDataStrm( StgIo&, StgDirEntry& );
     void* GetPtr( sal_Int32 nPos, sal_Bool bForce, sal_Bool bDirty );
     void SetIncrement( short n ) { nIncr = n ; }
     virtual sal_Bool SetSize( sal_Int32 );
@@ -136,7 +136,7 @@ class StgSmallStrm : public StgStrm     // a logical data stream
     void Init( sal_Int32 nBgn, sal_Int32 nLen );
 public:
     StgSmallStrm( StgIo&, sal_Int32 nBgn, sal_Int32 nLen );
-    StgSmallStrm( StgIo&, StgDirEntry* );
+	StgSmallStrm( StgIo&, StgDirEntry& );
     virtual sal_Int32 Read( void*, sal_Int32 );
     virtual sal_Int32 Write( const void*, sal_Int32 );
     virtual sal_Bool IsSmallStrm() const { return sal_True; }
diff --git a/sot/source/sdstor/storinfo.cxx b/sot/source/sdstor/storinfo.cxx
index 8bce0b7..df1c12c 100644
--- a/sot/source/sdstor/storinfo.cxx
+++ b/sot/source/sdstor/storinfo.cxx
@@ -35,8 +35,8 @@ sal_uLong ReadClipboardFormat( SvStream & rStm )
     if( nLen > 0 )
     {
         // get a string name
-        sal_Char * p = new sal_Char[ nLen ];
-        if( rStm.Read( p, nLen ) == (sal_uLong) nLen )
+        sal_Char * p = new( ::std::nothrow ) sal_Char[ nLen ];
+        if( p && rStm.Read( p, nLen ) == (sal_uLong) nLen )
         {
             nFormat = SotExchange::RegisterFormatName(rtl::OUString(p, nLen-1, RTL_TEXTENCODING_ASCII_US));
         }
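Review bot: With `new( ::std::nothrow )` a failed allocation now makes the condition false in the same way as a short read, and nothing visible in this hunk tells the caller that the name was not consumed from the stream. `nLen` comes from the stream and no upper bound is visible here, so a crafted length reaches this path easily; setting an error on the stream when `p` is NULL, e.g. `rStm.SetError( SVSTREAM_GENERALERROR );`, would keep later reads from continuing at the wrong offset. The rest of the function, including whatever follows this `if`, is outside the hunk.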
commit c75e2ed27d5da71891ed7a148ff9603c58eaa58e
Author: Eike Rathke [er] <eike.rathke at oracle.com>
Date:   Fri Jul 27 17:29:56 2012 +0200

    Lotus WK: fix warnings

diff --git a/sc/source/filter/excel/fontbuff.cxx b/sc/source/filter/excel/fontbuff.cxx
index af2521d..2f1f0b7 100644
--- a/sc/source/filter/excel/fontbuff.cxx
+++ b/sc/source/filter/excel/fontbuff.cxx
@@ -47,8 +47,6 @@
 #include "patattr.hxx"
 #include "ftools.hxx"
 
-const sal_uInt16    LotusFontBuffer::nSize = 8;
-
 void LotusFontBuffer::Fill( const sal_uInt8 nIndex, SfxItemSet& rItemSet )
 {
     sal_uInt8   nIntIndex = nIndex & 0x07;
diff --git a/sc/source/filter/excel/tokstack.cxx b/sc/source/filter/excel/tokstack.cxx
index 4dec7da..cf8c400 100644
--- a/sc/source/filter/excel/tokstack.cxx
+++ b/sc/source/filter/excel/tokstack.cxx
@@ -117,7 +117,7 @@ TokenPool::TokenPool( void )
 
 TokenPool::~TokenPool()
 {
-    sal_uInt16  n;
+    sal_uInt16	n;
 
     delete[] pP_Id;
     delete[] pElement;
@@ -126,32 +126,20 @@ TokenPool::~TokenPool()
     delete[] pP_Dbl;
     delete[] pP_Err;
 
-    for( n = 0 ; n < nP_RefTr ; n++/*, pAktTr++*/ )
-    {
-        if( ppP_RefTr[ n ] )
-            delete ppP_RefTr[ n ];
-    }
+    for( n = 0 ; n < nP_RefTr ; n++ )
+        delete ppP_RefTr[ n ];
     delete[] ppP_RefTr;
 
-    for( n = 0 ; n < nP_Str ; n++/*, pAktStr++*/ )
-    {
-        if( ppP_Str[ n ] )
-            delete ppP_Str[ n ];
-    }
+    for( n = 0 ; n < nP_Str ; n++ )
+        delete ppP_Str[ n ];
     delete[] ppP_Str;
 
     for( n = 0 ; n < nP_Ext ; n++ )
-    {
-        if( ppP_Ext[ n ] )
-            delete ppP_Ext[ n ];
-    }
+        delete ppP_Ext[ n ];
     delete[] ppP_Ext;
 
     for( n = 0 ; n < nP_Nlf ; n++ )
-    {
-        if( ppP_Nlf[ n ] )
-            delete ppP_Nlf[ n ];
-    }
+        delete ppP_Nlf[ n ];
     delete[] ppP_Nlf;
 
     for( n = 0 ; n < nP_Matrix ; n++ )
@@ -165,12 +153,34 @@ TokenPool::~TokenPool()
 }
 
 
-void TokenPool::GrowString( void )
+/** Returns the new number of elements, or 0 if overflow. */
+static sal_uInt16 lcl_canGrow( sal_uInt16 nOld, sal_uInt16 nByMin = 1 )
 {
-    sal_uInt16      nP_StrNew = nP_Str * 2;
+    if (!nOld)
+        return nByMin ? nByMin : 1;
+    if (nOld == SAL_MAX_UINT16)
+        return 0;
+    sal_uInt32 nNew = ::std::max( static_cast<sal_uInt32>(nOld) * 2,
+            static_cast<sal_uInt32>(nOld) + nByMin);
+    if (nNew > SAL_MAX_UINT16)
+        nNew = SAL_MAX_UINT16;
+    if (nNew - nByMin < nOld)
+        nNew = 0;
+    return static_cast<sal_uInt16>(nNew);
+}
+
+
+bool TokenPool::GrowString( void )
+{
+    sal_uInt16 nP_StrNew = lcl_canGrow( nP_Str);
+    if (!nP_StrNew)
+        return false;
+
     sal_uInt16      nL;
 
-    String**    ppP_StrNew = new String *[ nP_StrNew ];
+	String**	ppP_StrNew = new (::std::nothrow) String *[ nP_StrNew ];
+    if (!ppP_StrNew)
+        return false;
 
     for( nL = 0 ; nL < nP_Str ; nL++ )
         ppP_StrNew[ nL ] = ppP_Str[ nL ];
@@ -181,14 +191,20 @@ void TokenPool::GrowString( void )
 
     delete[]    ppP_Str;
     ppP_Str = ppP_StrNew;
+    return true;
 }
 
 
-void TokenPool::GrowDouble( void )
+bool TokenPool::GrowDouble( void )
 {
-    sal_uInt16      nP_DblNew = nP_Dbl * 2;
+    sal_uInt16 nP_DblNew = lcl_canGrow( nP_Dbl);
+    if (!nP_DblNew)
+        return false;
+
 
-    double*     pP_DblNew = new double[ nP_DblNew ];
+	double*		pP_DblNew = new (::std::nothrow) double[ nP_DblNew ];
+    if (!pP_DblNew)
+        return false;
 
     for( sal_uInt16 nL = 0 ; nL < nP_Dbl ; nL++ )
         pP_DblNew[ nL ] = pP_Dbl[ nL ];
@@ -197,14 +213,46 @@ void TokenPool::GrowDouble( void )
 
     delete[] pP_Dbl;
     pP_Dbl = pP_DblNew;
+    return true;
+}
+
+
+/* TODO: in case we had FormulaTokenArray::AddError() */
+#if 0
+void TokenPool::GrowError( void )
+{
+    sal_uInt16 nP_ErrNew = lcl_canGrow( nP_Err);
+    if (!nP_ErrNew)
+        return false;
+
+
+    sal_uInt16*     pP_ErrNew = new (::std::nothrow) sal_uInt16[ nP_ErrNew ];
+    if (!pP_ErrNew)
+        return false;
+
+    for( sal_uInt16 nL = 0 ; nL < nP_Err ; nL++ )
+        pP_ErrNew[ nL ] = pP_Err[ nL ];
+
+    nP_Err = nP_ErrNew;
+
+    delete[] pP_Err;
+    pP_Err = pP_ErrNew;
+    return true;
 }
+#endif
 
-void TokenPool::GrowTripel( void )
+
+bool TokenPool::GrowTripel( sal_uInt16 nByMin )
 {
-    sal_uInt16          nP_RefTrNew = nP_RefTr * 2;
+    sal_uInt16 nP_RefTrNew = lcl_canGrow( nP_RefTr, nByMin);
+    if (!nP_RefTrNew)
+        return false;
+
     sal_uInt16          nL;
 
-    ScSingleRefData**   ppP_RefTrNew = new ScSingleRefData *[ nP_RefTrNew ];
+	ScSingleRefData**	ppP_RefTrNew = new (::std::nothrow) ScSingleRefData *[ nP_RefTrNew ];
+    if (!ppP_RefTrNew)
+        return false;
 
     for( nL = 0 ; nL < nP_RefTr ; nL++ )
         ppP_RefTrNew[ nL ] = ppP_RefTr[ nL ];
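Review bot: The disabled `GrowError` is declared `void TokenPool::GrowError( void )` but returns `false` and `true`, so it will not compile once the `#if 0` is removed. Declare it `bool TokenPool::GrowError( void )` like the other Grow functions in this commit. The hunk starts inside GrowDouble and ends inside GrowTripel.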
@@ -215,14 +263,20 @@ void TokenPool::GrowTripel( void )
 
     delete[] ppP_RefTr;
     ppP_RefTr = ppP_RefTrNew;
+    return true;
 }
 
 
-void TokenPool::GrowId( void )
+bool TokenPool::GrowId( void )
 {
-    sal_uInt16  nP_IdNew = nP_Id * 2;
+    sal_uInt16 nP_IdNew = lcl_canGrow( nP_Id);
+    if (!nP_IdNew)
+        return false;
 
-    sal_uInt16* pP_IdNew = new sal_uInt16[ nP_IdNew ];
+
+	sal_uInt16*	pP_IdNew = new (::std::nothrow) sal_uInt16[ nP_IdNew ];
+    if (!pP_IdNew)
+        return false;
 
     for( sal_uInt16 nL = 0 ; nL < nP_Id ; nL++ )
         pP_IdNew[ nL ] = pP_Id[ nL ];
@@ -231,16 +285,27 @@ void TokenPool::GrowId( void )
 
     delete[] pP_Id;
     pP_Id = pP_IdNew;
+    return true;
 }
 
 
-void TokenPool::GrowElement( void )
+bool TokenPool::GrowElement( void )
 {
-    sal_uInt16  nElementNew = nElement * 2;
+    sal_uInt16 nElementNew = lcl_canGrow( nElement);
+    if (!nElementNew)
+        return false;
+
 
-    sal_uInt16* pElementNew = new sal_uInt16[ nElementNew ];
-    E_TYPE* pTypeNew = new E_TYPE[ nElementNew ];
-    sal_uInt16* pSizeNew = new sal_uInt16[ nElementNew ];
+	sal_uInt16*	pElementNew = new (::std::nothrow) sal_uInt16[ nElementNew ];
+	E_TYPE*	pTypeNew = new (::std::nothrow) E_TYPE[ nElementNew ];
+	sal_uInt16*	pSizeNew = new (::std::nothrow) sal_uInt16[ nElementNew ];
+    if (!pElementNew || !pTypeNew || !pSizeNew)
+    {
+        delete [] pElementNew;
+        delete [] pTypeNew;
+        delete [] pSizeNew;
+        return false;
+    }
 
     for( sal_uInt16 nL = 0 ; nL < nElement ; nL++ )
     {
@@ -257,14 +322,19 @@ void TokenPool::GrowElement( void )
     pElement = pElementNew;
     pType = pTypeNew;
     pSize = pSizeNew;
+    return true;
 }
 
 
-void TokenPool::GrowExt( void )
+bool TokenPool::GrowExt( void )
 {
-    sal_uInt16      nNewSize = nP_Ext * 2;
+    sal_uInt16 nNewSize = lcl_canGrow( nP_Ext);
+    if (!nNewSize)
+        return false;
 
-    EXTCONT**   ppNew = new EXTCONT*[ nNewSize ];
+	EXTCONT**	ppNew = new (::std::nothrow) EXTCONT*[ nNewSize ];
+    if (!ppNew)
+        return false;
 
     memset( ppNew, 0, sizeof( EXTCONT* ) * nNewSize );
     memcpy( ppNew, ppP_Ext, sizeof( EXTCONT* ) * nP_Ext );
@@ -272,14 +342,19 @@ void TokenPool::GrowExt( void )
     delete[] ppP_Ext;
     ppP_Ext = ppNew;
     nP_Ext = nNewSize;
+    return true;
 }
 
 
-void TokenPool::GrowNlf( void )
+bool TokenPool::GrowNlf( void )
 {
-    sal_uInt16      nNewSize = nP_Nlf * 2;
+    sal_uInt16 nNewSize = lcl_canGrow( nP_Nlf);
+    if (!nNewSize)
+        return false;
 
-    NLFCONT**   ppNew = new NLFCONT*[ nNewSize ];
+	NLFCONT**	ppNew = new (::std::nothrow) NLFCONT*[ nNewSize ];
+    if (!ppNew)
+        return false;
 
     memset( ppNew, 0, sizeof( NLFCONT* ) * nNewSize );
     memcpy( ppNew, ppP_Nlf, sizeof( NLFCONT* ) * nP_Nlf );
@@ -287,14 +362,19 @@ void TokenPool::GrowNlf( void )
     delete[] ppP_Nlf;
     ppP_Nlf = ppNew;
     nP_Nlf = nNewSize;
+    return true;
 }
 
 
-void TokenPool::GrowMatrix( void )
+bool TokenPool::GrowMatrix( void )
 {
-    sal_uInt16      nNewSize = nP_Matrix * 2;
+    sal_uInt16 nNewSize = lcl_canGrow( nP_Matrix);
+    if (!nNewSize)
+        return false;
 
-    ScMatrix**  ppNew = new ScMatrix*[ nNewSize ];
+    ScMatrix**  ppNew = new (::std::nothrow) ScMatrix*[ nNewSize ];
+    if (!ppNew)
+        return false;
 
     memset( ppNew, 0, sizeof( ScMatrix* ) * nNewSize );
     memcpy( ppNew, ppP_Matrix, sizeof( ScMatrix* ) * nP_Matrix );
@@ -302,40 +382,75 @@ void TokenPool::GrowMatrix( void )
     delete[] ppP_Matrix;
     ppP_Matrix = ppNew;
     nP_Matrix = nNewSize;
+    return true;
 }
 
-void TokenPool::GetElement( const sal_uInt16 nId )
+bool TokenPool::GetElement( const sal_uInt16 nId )
 {
-    OSL_ENSURE( nId < nElementAkt, "*TokenPool::GetElement(): Id zu gross!?" );
+    OSL_ENSURE( nId < nElementAkt, "*TokenPool::GetElement(): Id too large!?" );
+    if (nId >= nElementAkt)
+        return false;
 
+    bool bRet = true;
     if( pType[ nId ] == T_Id )
-        GetElementRek( nId );
+        bRet = GetElementRek( nId );
     else
     {
         switch( pType[ nId ] )
         {
-#if OSL_DEBUG_LEVEL > 0
-            case T_Id:
-                OSL_FAIL( "-TokenPool::GetElement(): hier hast Du nichts zu suchen!" );
-                break;
-#endif
             case T_Str:
-                pScToken->AddString( ppP_Str[ pElement[ nId ] ]->GetBuffer() );
+                {
+                    sal_uInt16 n = pElement[ nId ];
+                    String* p = ( n < nP_Str )? ppP_Str[ n ] : NULL;
+                    if (p)
+                        pScToken->AddString( *p );
+                    else
+                        bRet = false;
+                }
                 break;
             case T_D:
-                pScToken->AddDouble( pP_Dbl[ pElement[ nId ] ] );
+                {
+                    sal_uInt16 n = pElement[ nId ];
+                    if (n < nP_Dbl)
+                        pScToken->AddDouble( pP_Dbl[ n ] );
+                    else
+                        bRet = false;
+                }
                 break;
             case T_Err:
+/* TODO: in case we had FormulaTokenArray::AddError() */
+#if 0
+                {
+                    sal_uInt16 n = pElement[ nId ];
+                    if (n < nP_Err)
+                        pScToken->AddError( pP_Err[ n ] );
+                    else
+                        bRet = false;
+                }
+#endif
                 break;
             case T_RefC:
-                pScToken->AddSingleReference( *ppP_RefTr[ pElement[ (sal_uInt16) nId ] ] );
+                {
+                    sal_uInt16 n = pElement[ nId ];
+                    ScSingleRefData* p = ( n < nP_RefTr )? ppP_RefTr[ n ] : NULL;
+                    if (p)
+                        pScToken->AddSingleReference( *p );
+                    else
+                        bRet = false;
+                }
                 break;
             case T_RefA:
                 {
-                ScComplexRefData    aScComplexRefData;
-                aScComplexRefData.Ref1 = *ppP_RefTr[ pElement[ nId ] ];
-                aScComplexRefData.Ref2 = *ppP_RefTr[ pElement[ nId ] + 1 ];
-                pScToken->AddDoubleReference( aScComplexRefData );
+                    sal_uInt16 n = pElement[ nId ];
+                    if (n < nP_RefTr && ppP_RefTr[ n ] && n+1 < nP_RefTr && ppP_RefTr[ n + 1 ])
+                    {
+                        ScComplexRefData	aScComplexRefData;
+                        aScComplexRefData.Ref1 = *ppP_RefTr[ n ];
+                        aScComplexRefData.Ref2 = *ppP_RefTr[ n + 1 ];
+                        pScToken->AddDoubleReference( aScComplexRefData );
+                    }
+                    else
+                        bRet = false;
                 }
                 break;
             case T_RN:
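Review bot: The new index checks compare against the array capacities (`nP_Str`, `nP_Dbl`, `nP_RefTr`), not against how many slots have been filled. For the pointer arrays the extra NULL test covers unused slots if they are zeroed, but `pP_Dbl[ n ]` has no such test, so an index between the fill level and the capacity would add an uninitialised double; if the pool keeps a fill counter for doubles the way `nElementAkt` does for elements, compare against that instead. In the `T_Err` case nothing is added and `bRet` stays true, which deserves a comment saying error tokens are dropped on purpose. GetElement continues in the next hunk, where the `T_Ext` case assigns `bRet = false;` without the `else` that the `T_Nlf` case has.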
@@ -350,34 +465,39 @@ void TokenPool::GetElement( const sal_uInt16 nId )
             break;
             case T_Ext:
                 {
-                sal_uInt16          n = pElement[ nId ];
-                EXTCONT*        p = ( n < nP_Ext )? ppP_Ext[ n ] : NULL;
+                    sal_uInt16          n = pElement[ nId ];
+                    EXTCONT*        p = ( n < nP_Ext )? ppP_Ext[ n ] : NULL;
 
-                if( p )
-                {
-                    if( p->eId == ocEuroConvert )
-                        pScToken->AddOpCode( p->eId );
-                    else
-                        pScToken->AddExternal( p->aText, p->eId );
-                }
+                    if( p )
+                    {
+                        if( p->eId == ocEuroConvert )
+                            pScToken->AddOpCode( p->eId );
+                        else
+                            pScToken->AddExternal( p->aText, p->eId );
+                    }
+                    bRet = false;
                 }
                 break;
             case T_Nlf:
                 {
-                sal_uInt16          n = pElement[ nId ];
-                NLFCONT*        p = ( n < nP_Nlf )? ppP_Nlf[ n ] : NULL;
+                    sal_uInt16          n = pElement[ nId ];
+                    NLFCONT*        p = ( n < nP_Nlf )? ppP_Nlf[ n ] : NULL;
 
-                if( p )
-                        pScToken->AddColRowName( p->aRef );
+                    if( p )
+                            pScToken->AddColRowName( p->aRef );
+                    else
+                        bRet = false;
                 }
                 break;
             case T_Matrix:
                 {
-                sal_uInt16          n = pElement[ nId ];
-                ScMatrix*       p = ( n < nP_Matrix )? ppP_Matrix[ n ] : NULL;
+                    sal_uInt16          n = pElement[ nId ];
+                    ScMatrix*       p = ( n < nP_Matrix )? ppP_Matrix[ n ] : NULL;
 
-                if( p )
+                    if( p )
                         pScToken->AddMatrix( p );
+                    else
+                        bRet = false;
                 }
                 break;
             case T_ExtName:
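Review bot: In the T_Ext case the added `bRet = false;` sits after the `if( p )` block with no `else`, so GetElement reports failure even when a valid entry was just appended via AddOpCode or AddExternal. The T_Nlf and T_Matrix cases in this same hunk guard the assignment, and T_Ext presumably should match them with `else bRet = false;`. As written, a caller that treats the return value as "malformed token stream" would reject every formula containing an external function, which hides the genuine out-of-range cases this change is meant to surface. GetElement begins and ends outside this hunk, so how callers use the result is not visible here.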
@@ -388,6 +508,8 @@ void TokenPool::GetElement( const sal_uInt16 nId )
                     const ExtName& r = maExtNames[n];
                     pScToken->AddExternalName(r.mnFileId, r.maName);
                 }
+                else
+                    bRet = false;
             }
             break;
             case T_ExtRefC:
@@ -398,6 +520,8 @@ void TokenPool::GetElement( const sal_uInt16 nId )
                     const ExtCellRef& r = maExtCellRefs[n];
                     pScToken->AddExternalSingleReference(r.mnFileId, r.maTabName, r.maRef);
                 }
+                else
+                    bRet - false;
             }
             break;
             case T_ExtRefA:
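Review bot: The new else branch in T_ExtRefC reads `bRet - false;`, a subtraction whose result is discarded, so an index `n` outside maExtCellRefs leaves bRet true and the dropped token goes unreported. The T_ExtRefA branch in the following hunk has the same typo. Both should be `bRet = false;`, as in the T_ExtName branch just above. Since these indices come from the imported file, losing the failure signal means the bounds check still prevents the bad read but the caller cannot tell the formula is incomplete. Building with `-Wunused-value` treated as an error would catch this class of mistake.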
@@ -408,126 +532,78 @@ void TokenPool::GetElement( const sal_uInt16 nId )
                     const ExtAreaRef& r = maExtAreaRefs[n];
                     pScToken->AddExternalDoubleReference(r.mnFileId, r.maTabName, r.maRef);
                 }
+                else
+                    bRet - false;
             }
             break;
             default:
-                OSL_FAIL("-TokenPool::GetElement(): Zustand undefiniert!?");
+                OSL_FAIL("-TokenPool::GetElement(): undefined state!?");
+                bRet = false;
         }
     }
+    return bRet;
 }
 
 
-void TokenPool::GetElementRek( const sal_uInt16 nId )
+bool TokenPool::GetElementRek( const sal_uInt16 nId )
 {
 #ifdef DBG_UTIL
     m_nRek++;
-    OSL_ENSURE(m_nRek <= nP_Id, "*TokenPool::GetElement(): recursion loop!?");
+    OSL_ENSURE(m_nRek <= nP_Id, "*TokenPool::GetElement(): recursion loops!?");
 #endif
 
-    OSL_ENSURE( nId < nElementAkt, "*TokenPool::GetElementRek(): Id zu gross!?" );
+    OSL_ENSURE( nId < nElementAkt, "*TokenPool::GetElementRek(): nId >= nElementAkt" );
 
-    OSL_ENSURE( pType[ nId ] == T_Id, "-TokenPool::GetElementRek(): nId nicht Id-Folge!" );
+    if (nId >= nElementAkt)
+    {
+        DBG_ERRORFILE( "*TokenPool::GetElementRek(): nId >= nElementAkt" );
+#ifdef DBG_UTIL
+        m_nRek--;
+#endif
+        return false;
+    }
 
+    if (pType[ nId ] != T_Id)
+    {
+        DBG_ERRORFILE( "-TokenPool::GetElementRek(): pType[ nId ] != T_Id" );
+#ifdef DBG_UTIL
+        m_nRek--;
+#endif
+        return false;
+    }
 
+
+    bool bRet = true;
     sal_uInt16      nAnz = pSize[ nId ];
-    sal_uInt16*     pAkt = &pP_Id[ pElement[ nId ] ];
+    sal_uInt16 nFirstId = pElement[ nId ];
+    if (nFirstId >= nP_Id)
+    {
+        DBG_ERRORFILE( "TokenPool::GetElementRek: nFirstId >= nP_Id");
+        nAnz = 0;
+        bRet = false;
+    }
+    sal_uInt16* pAkt = nAnz ? &pP_Id[ nFirstId ] : NULL;
+    if (nAnz > nP_Id - nFirstId)
+    {
+        DBG_ERRORFILE( "TokenPool::GetElementRek: nAnz > nP_Id - nFirstId");
+        nAnz = nP_Id - nFirstId;
+        bRet = false;
+    }
     for( ; nAnz > 0 ; nAnz--, pAkt++ )
     {
         if( *pAkt < nScTokenOff )
         {// Rekursion oder nicht?
-            switch( pType[ *pAkt ] )
+            if (*pAkt >= nElementAkt)
             {
-                case T_Id:
-                    GetElementRek( *pAkt );
-                    break;
-                case T_Str:
-                    pScToken->AddString( ppP_Str[ pElement[ *pAkt ] ]->GetBuffer() );
-                    break;
-                case T_D:
-                    pScToken->AddDouble( pP_Dbl[ pElement[ *pAkt ] ] );
-                    break;
-                case T_Err:
-                    break;
-                case T_RefC:
-                    pScToken->AddSingleReference( *ppP_RefTr[ pElement[ *pAkt ] ] );
-                    break;
-                case T_RefA:
-                    {
-                    ScComplexRefData    aScComplexRefData;
-                    aScComplexRefData.Ref1 = *ppP_RefTr[ pElement[ *pAkt ] ];
-                    aScComplexRefData.Ref2 = *ppP_RefTr[ pElement[ *pAkt ] + 1 ];
-                    pScToken->AddDoubleReference( aScComplexRefData );
-                    }
-                    break;
-                case T_RN:
-                {
-                    sal_uInt16 n = pElement[*pAkt];
-                    if (n < maRangeNames.size())
-                    {
-                        const RangeName& r = maRangeNames[n];
-                        pScToken->AddRangeName(r.mnIndex, r.mbGlobal);
-                    }
-                }
-                break;
-                case T_Ext:
-                    {
-                    sal_uInt16      n = pElement[ *pAkt ];
-                    EXTCONT*    p = ( n < nP_Ext )? ppP_Ext[ n ] : NULL;
-
-                    if( p )
-                        pScToken->AddExternal( p->aText, p->eId );
-                    }
-                    break;
-                case T_Nlf:
-                    {
-                    sal_uInt16      n = pElement[ *pAkt ];
-                    NLFCONT*    p = ( n < nP_Nlf )? ppP_Nlf[ n ] : NULL;
-
-                    if( p )
-                        pScToken->AddColRowName( p->aRef );
-                    }
-                    break;
-                case T_Matrix:
-                    {
-                    sal_uInt16          n = pElement[ *pAkt ];
-                    ScMatrix*       p = ( n < nP_Matrix )? ppP_Matrix[ n ] : NULL;
-
-                    if( p )
-                            pScToken->AddMatrix( p );
-                    }
-                    break;
-                case T_ExtName:
-                {
-                    sal_uInt16 n = pElement[*pAkt];
-                    if (n < maExtNames.size())
-                    {
-                        const ExtName& r = maExtNames[n];
-                        pScToken->AddExternalName(r.mnFileId, r.maName);
-                    }
-                }
-                break;
-                case T_ExtRefC:
-                {
-                    sal_uInt16 n = pElement[*pAkt];

... etc. - the rest is truncated

