[Libreoffice-commits] core.git: Branch 'libreoffice-4-3' - sw/qa vcl/generic

[Umesh Kadam]

 sw/qa/core/data/ooxml/pass/fdo78906.docx |binary
 vcl/generic/glyphs/scrptrun.cxx          |    9 ++++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

New commits:
commit fbb9bdef45d3a013b5027acc1ceb7faa77f531a4
Author: Umesh Kadam <umesh.kadam at synerzip.com>
Date:   Thu May 29 12:59:13 2014 +0530

    fdo#78906 (+dup fdo#82484): File crashes while opening.
    
    Handled a memory corruption.
    
    Cherry-picked from 14ce4b337232f8fb21cc67e7a2844a7de81dfc4c
    
    Change-Id: I195d17bcd0a9a86bcc96cc7ad14f1d5f2908cf8c
    Reviewed-on: https://gerrit.libreoffice.org/9545
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-on: https://gerrit.libreoffice.org/10897
    Reviewed-by: David Tardon <dtardon at redhat.com>
    Tested-by: David Tardon <dtardon at redhat.com>

diff --git a/sw/qa/core/data/ooxml/pass/fdo78906.docx b/sw/qa/core/data/ooxml/pass/fdo78906.docx
new file mode 100644
index 0000000..1a6c6ea
Binary files /dev/null and b/sw/qa/core/data/ooxml/pass/fdo78906.docx differ
diff --git a/vcl/generic/glyphs/scrptrun.cxx b/vcl/generic/glyphs/scrptrun.cxx
index 9e8eef0..f72d296 100644
--- a/vcl/generic/glyphs/scrptrun.cxx
+++ b/vcl/generic/glyphs/scrptrun.cxx
@@ -207,7 +207,14 @@ UBool ScriptRun::next()
             // pop it from the stack
             if (pairIndex >= 0 && (pairIndex & 1) != 0 && parenSP >= 0) {
                 parenSP -= 1;
-                startSP -= 1;
+                /* decrement startSP only if it is >= 0,
+                   decrementing it unnecessarily will lead to memory corruption
+                   while processing the above while block.
+                   e.g. startSP = -4 , parenSP = -1
+                */
+                if (startSP >= 0) {
+                    startSP -= 1;
+                }
             }
         } else {
             // if the run broke on a surrogate pair,