[Libreoffice-commits] core.git: 6 commits - lotuswordpro/source sc/source
Caolán McNamara
caolanm at redhat.com
Tue Oct 14 09:09:51 PDT 2014
lotuswordpro/source/filter/lwpdrawobj.cxx | 33 +++++++++++++++++++------
lotuswordpro/source/filter/lwptools.hxx | 6 ++++
sc/source/ui/condformat/colorformat.cxx | 4 +--
sc/source/ui/condformat/condformatdlgentry.cxx | 2 -
sc/source/ui/miscdlgs/datafdlg.cxx | 5 +--
5 files changed, 37 insertions(+), 13 deletions(-)
New commits:
commit ac68cab1f1e6991bc95fe482f4d9be1538b827c4
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Oct 14 15:21:27 2014 +0100
coverity#1242739 Untrusted loop bound
and
coverity#1242739 Untrusted loop bound
Change-Id: I2cab9b3c531befc42c1522dd0d4beb59df7ae315
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 4ae6279..2ca16ad 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1209,10 +1209,14 @@ void LwpDrawTextArt::Read()
sal_uInt16 nPointNumber;
sal_Int16 nX, nY;
m_pStream->ReadUInt16( nPointNumber );
+
+ size_t nPoints = nPointNumber*3+1;
+ if (nPoints > m_pStream->remainingSize() / 4)
+ throw BadRead();
+
m_aTextArtRec.aPath[0].n = nPointNumber;
- m_aTextArtRec.aPath[0].pPts = new SdwPoint [nPointNumber*3+1];
- sal_uInt16 nPt = 0;
- for ( nPt = 0; nPt <= nPointNumber*3; nPt++)
+ m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints];
+ for (size_t nPt = 0; nPt < nPoints; ++nPt)
{
m_pStream->ReadInt16( nX );
m_pStream->ReadInt16( nY );
@@ -1221,9 +1225,14 @@ void LwpDrawTextArt::Read()
}
m_pStream->ReadUInt16( nPointNumber );
+
+ nPoints = nPointNumber*3+1;
+ if (nPoints > m_pStream->remainingSize() / 4)
+ throw BadRead();
+
m_aTextArtRec.aPath[1].n = nPointNumber;
- m_aTextArtRec.aPath[1].pPts = new SdwPoint [nPointNumber*3+1];
- for (nPt = 0; nPt <= nPointNumber*3; nPt++)
+ m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints];
+ for (size_t nPt = 0; nPt < nPoints; ++nPt)
{
m_pStream->ReadInt16( nX );
m_pStream->ReadInt16( nY );
@@ -1251,6 +1260,10 @@ void LwpDrawTextArt::Read()
- (m_aTextArtRec.aPath[0].n*3 + 1)*4
- (m_aTextArtRec.aPath[1].n*3 + 1)*4;
+
+ if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
+ throw BadRead();
+
m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];
m_pStream->Read(m_aTextArtRec.pTextString, m_aTextArtRec.nTextLen);
m_aTextArtRec.pTextString[m_aTextArtRec.nTextLen-1] = 0;
commit da859a7949238e74e5287f1bacc61886b4294858
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Oct 14 15:13:01 2014 +0100
coverity#1242791 Untrusted loop bound
Change-Id: Iba6d6b77fe30e11f50e16c1ee899b71ea4337355
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index f357f9d..4ae6279 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -591,7 +591,10 @@ void LwpDrawPolygon::Read()
this->ReadClosedObjStyle();
m_pStream->ReadUInt16( m_nNumPoints );
- m_pVector = new SdwPoint [m_nNumPoints];
+ if (m_nNumPoints > m_pStream->remainingSize() / 4)
+ throw BadRead();
+
+ m_pVector = new SdwPoint[m_nNumPoints];
for (sal_uInt16 nC = 0; nC < m_nNumPoints; nC++)
{
commit e4ebd97a9b5dc3a25a142109d2a0dbe41925e431
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Oct 14 15:12:05 2014 +0100
coverity#1242918 Untrusted loop bound
Change-Id: I8575a43a095165a81417f169463aaf2c4ab337e8
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 4be146f..f357f9d 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -505,7 +505,10 @@ void LwpDrawPolyLine::Read()
m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused );
m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints );
- m_pVector= new SdwPoint [m_aPolyLineRec.nNumPoints];
+ if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4)
+ throw BadRead();
+
+ m_pVector= new SdwPoint[m_aPolyLineRec.nNumPoints];
for (sal_uInt16 nC = 0; nC < m_aPolyLineRec.nNumPoints; nC++)
{
diff --git a/lotuswordpro/source/filter/lwptools.hxx b/lotuswordpro/source/filter/lwptools.hxx
index 51680bd..f240214 100644
--- a/lotuswordpro/source/filter/lwptools.hxx
+++ b/lotuswordpro/source/filter/lwptools.hxx
@@ -148,6 +148,12 @@ public:
BadSeek() : std::runtime_error("Lotus Word Pro Bad Seek") { }
};
+class BadRead: public std::runtime_error
+{
+public:
+ BadRead() : std::runtime_error("Lotus Word Pro Bad Read") { }
+};
+
class BadDecompress : public std::runtime_error
{
public:
commit 902a3df2daa196e2182b0741f0ec3849d158f42b
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Oct 14 13:46:46 2014 +0100
coverity#735315 Unchecked return value
Change-Id: If2e8d3cfe49a039cc27035ae9c0f037c2d60b122
diff --git a/sc/source/ui/condformat/colorformat.cxx b/sc/source/ui/condformat/colorformat.cxx
index 4590ea3..28815b1 100644
--- a/sc/source/ui/condformat/colorformat.cxx
+++ b/sc/source/ui/condformat/colorformat.cxx
@@ -208,10 +208,10 @@ IMPL_LINK_NOARG( ScDataBarSettingsDlg, OkBtnHdl )
OUString aMaxString = mpEdMax->GetText();
double nMinValue = 0;
sal_uInt32 nIndex = 0;
- mpNumberFormatter->IsNumberFormat(aMinString, nIndex, nMinValue);
+ (void)mpNumberFormatter->IsNumberFormat(aMinString, nIndex, nMinValue);
nIndex = 0;
double nMaxValue = 0;
- mpNumberFormatter->IsNumberFormat(aMaxString, nIndex, nMaxValue);
+ (void)mpNumberFormatter->IsNumberFormat(aMaxString, nIndex, nMaxValue);
if(rtl::math::approxEqual(nMinValue, nMaxValue) || nMinValue > nMaxValue)
bWarn = true;
}
commit 713524780312315e63f53deac96eaeef8c4e0e13
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Oct 14 13:45:50 2014 +0100
coverity#982180 Unchecked return value
Change-Id: Ida858f633f1e9afcc1a5a06f503f0ab06d2d3e74
diff --git a/sc/source/ui/condformat/condformatdlgentry.cxx b/sc/source/ui/condformat/condformatdlgentry.cxx
index 52ec400..b45f23c 100644
--- a/sc/source/ui/condformat/condformatdlgentry.cxx
+++ b/sc/source/ui/condformat/condformatdlgentry.cxx
@@ -1388,7 +1388,7 @@ ScColorScaleEntry* ScIconSetFrmtDataEntry::CreateEntry(ScDocument* pDoc, const S
sal_uInt32 nIndex = 0;
double nVal = 0;
SvNumberFormatter* pNumberFormatter = pDoc->GetFormatTable();
- pNumberFormatter->IsNumberFormat(aText, nIndex, nVal);
+ (void)pNumberFormatter->IsNumberFormat(aText, nIndex, nVal);
pEntry->SetValue(nVal);
switch(nPos)
commit 89b256f431c09097dd7bf3d163430ec54a7d9260
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Oct 14 13:43:43 2014 +0100
coverity#1242430 Dereference after null check
Change-Id: If1c59d6d06a9e4601731f13a69b1ac2603c0014b
diff --git a/sc/source/ui/miscdlgs/datafdlg.cxx b/sc/source/ui/miscdlgs/datafdlg.cxx
index 8a5f232..0d3f58d 100644
--- a/sc/source/ui/miscdlgs/datafdlg.cxx
+++ b/sc/source/ui/miscdlgs/datafdlg.cxx
@@ -209,14 +209,13 @@ ScDataFormDlg::~ScDataFormDlg()
void ScDataFormDlg::FillCtrls(SCROW /*nCurrentRow*/)
{
- OUString aFieldName;
for (sal_uInt16 i = 0; i < aColLength; ++i)
{
if (!maEdits.is_null(i))
{
- if (nCurrentRow<=nEndRow)
+ if (nCurrentRow<=nEndRow && pDoc)
{
- aFieldName = pDoc->GetString(i + nStartCol, nCurrentRow, nTab);
+ OUString aFieldName(pDoc->GetString(i + nStartCol, nCurrentRow, nTab));
maEdits[i].SetText(aFieldName);
}
else
More information about the Libreoffice-commits
mailing list