[Libreoffice-commits] core.git: i18npool/source

Michael Stahl mstahl at redhat.com
Fri May 22 12:06:42 PDT 2015


 i18npool/source/breakiterator/breakiterator_th.cxx |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

New commits:
commit 9db629b8a1fa9b63bc320f8d47594ec82511a9c5
Author: Michael Stahl <mstahl at redhat.com>
Date:   Fri May 22 20:53:05 2015 +0200

    tdf#90809: i18npool: fix crash in Thai break iterator
    
    endPos = nStartPos + 1 may be past the end index
    
    invalid write of size 4
     at 0x1CBBA959: com::sun::star::i18n::BreakIterator_th::makeIndex(rtl::OUString const&, int) (breakiterator_th.cxx:139)
     by 0x1CBB4AA2: com::sun::star::i18n::BreakIterator_CTL::previousCharacters(rtl::OUString const&, int, com::sun::star::lang::Locale const&, short, int, int&) (breakiterator_ctl.cxx:61)
     by 0x1CBB544F: com::sun::star::i18n::BreakIteratorImpl::previousCharacters(rtl::OUString const&, int, com::sun::star::lang::Locale const&, short, int, int&) (breakiteratorImpl.cxx:64)
     by 0xA29D29A: ServerFontLayout::setNeedFallback(ImplLayoutArgs&, int, bool) (gcach_layout.cxx:99)
    
    Change-Id: I201f24cb6773b5aa1a81dea90ea906d3d4355053

diff --git a/i18npool/source/breakiterator/breakiterator_th.cxx b/i18npool/source/breakiterator/breakiterator_th.cxx
index 17a51ea..08a9400 100644
--- a/i18npool/source/breakiterator/breakiterator_th.cxx
+++ b/i18npool/source/breakiterator/breakiterator_th.cxx
@@ -103,7 +103,7 @@ static sal_Int32 SAL_CALL getACell(const sal_Unicode *text, sal_Int32 pos, sal_I
 
 #define is_Thai(c)  (0x0e00 <= c && c <= 0x0e7f) // Unicode definition for Thai
 
-void SAL_CALL BreakIterator_th::makeIndex(const OUString& Text, sal_Int32 nStartPos)
+void SAL_CALL BreakIterator_th::makeIndex(const OUString& Text, sal_Int32 const nStartPos)
     throw(RuntimeException)
 {
     if (Text != cachedText) {
@@ -123,18 +123,20 @@ void SAL_CALL BreakIterator_th::makeIndex(const OUString& Text, sal_Int32 nStart
         return;
 
     const sal_Unicode* str = cachedText.getStr();
-    sal_Int32 len = cachedText.getLength(), startPos, endPos;
+    sal_Int32 const len = cachedText.getLength();
 
-    startPos = nStartPos;
+    sal_Int32 startPos = nStartPos;
     while (startPos > 0 && is_Thai(str[startPos-1])) startPos--;
-    endPos = nStartPos+1;
+    sal_Int32 endPos = std::min(len, nStartPos+1);
     while (endPos < len && is_Thai(str[endPos])) endPos++;
 
     sal_Int32 start, end, pos;
     pos = start = end = startPos;
 
+    assert(endPos <= cellIndexSize);
     while (pos < endPos) {
         end += getACell(str, start, endPos);
+        assert(end <= cellIndexSize);
         while (pos < end) {
             nextCellIndex[pos] = end;
             previousCellIndex[pos] = start;
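Review bot: The two new `assert` checks ahead of the writes to `nextCellIndex[pos]` and `previousCellIndex[pos]` are compiled out when `NDEBUG` is defined, so in such builds the only protection against the invalid write from the commit message is the `std::min(len, nStartPos+1)` clamp on `endPos`. `startPos` is still taken from `nStartPos` unclamped, so a value above `len` or below zero would reach `str[startPos-1]` or the index writes unless the lines between the two hunks, which are not shown here, already reject it; an explicit guard such as `if (nStartPos < 0 || nStartPos > len) return;` before the two scans would make the bound hold in every build. The hunk also starts using `std::min` and `assert` while the diffstat shows no added include, so `<algorithm>` and `<cassert>` are presumably reached transitively and are worth including directly. The body of makeIndex continues past the end of the hunk.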

