[Libreoffice-commits] core.git: filter/source
Armin Le Grand
alg at apache.org
Fri Apr 11 09:27:18 PDT 2014
filter/source/msfilter/escherex.cxx | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
New commits:
commit af2a70abc089e3280f458c9f0942c6b7971cee81
Author: Armin Le Grand <alg at apache.org>
Date: Fri Apr 11 15:29:35 2014 +0000
Resolves: #i124661# secure possible out of bound access to vector
(cherry picked from commit c9cdd9751d45b5b8b0288e9dc477e6d272ba0a0d)
Change-Id: I1c0637029fd7b4ab493956538c6e9fdf33307cbe
diff --git a/filter/source/msfilter/escherex.cxx b/filter/source/msfilter/escherex.cxx
index 92c4b59..7e495db 100644
--- a/filter/source/msfilter/escherex.cxx
+++ b/filter/source/msfilter/escherex.cxx
@@ -2628,7 +2628,18 @@ void ConvertEnhancedCustomShapeEquation( SdrObjCustomShape* pCustoShape,
if ( aIter->nOperation & nMask )
{
aIter->nOperation ^= nMask;
- aIter->nPara[ i ] = rEquationOrder[ aIter->nPara[ i ] & 0x3ff ] | 0x400;
+ const size_t nIndex(aIter->nPara[ i ] & 0x3ff);
+
+ // #i124661# check index access, there are cases where this is out of bound leading
+ // to errors up to crashes when executed
+ if(nIndex < rEquationOrder.size())
+ {
+ aIter->nPara[ i ] = rEquationOrder[ nIndex ] | 0x400;
+ }
+ else
+ {
+ OSL_ENSURE(false, "Attempted out of bound access to rEquationOrder of CustomShape (!)");
+ }
}
nMask <<= 1;
}
More information about the Libreoffice-commits
mailing list