[Libreoffice-commits] core.git: sd/source

Armin Le Grand Armin.Le.Grand at me.com
Wed Nov 4 03:29:48 PST 2015 

 sd/source/ui/dlg/animobjs.cxx |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

New commits:
commit f0cef70cd4164342b218fbee34bf57eedc22c998
Author: Armin Le Grand <Armin.Le.Grand at me.com>
Date:   Tue Nov 3 12:25:13 2015 +0100

    tdf#95298: corrected some out-of-bound accesses to array
    
    the index variable m_FrameList used to reference the current frame uses
    the state EMTY_FRAMELIST to mark as invalid, which is the max integer
    number. Thus all usages have to be secured to not use m_FrameList
    if set to EMPTY_FRAMELIST. This was missing in some places.
    the max integer
    number. Thus all usages have to be secured to not use m_FrameList
    if set to EMPTY_FRAMELIST. This was missing in some places.
    
    Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8
    Reviewed-on: https://gerrit.libreoffice.org/19753
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Katarina Behrens <Katarina.Behrens at cib.de>

diff --git a/sd/source/ui/dlg/animobjs.cxx b/sd/source/ui/dlg/animobjs.cxx
index c2d83e4..2c2f4ee 100644
--- a/sd/source/ui/dlg/animobjs.cxx
+++ b/sd/source/ui/dlg/animobjs.cxx
@@ -420,7 +420,8 @@ IMPL_LINK_TYPED( AnimationWindow, ClickRemoveBitmapHdl, Button*, pBtn, void )
     SdPage*     pPage = pMyDoc->GetSdPage(0, PK_STANDARD);
     SdrObject*  pObject;
 
-    if (pBtn == m_pBtnRemoveBitmap)
+    // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+    if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST  != m_nCurrentFrame)
     {
         delete m_FrameList[m_nCurrentFrame].first;
         delete m_FrameList[m_nCurrentFrame].second;
@@ -439,8 +440,8 @@ IMPL_LINK_TYPED( AnimationWindow, ClickRemoveBitmapHdl, Button*, pBtn, void )
 
         if (m_nCurrentFrame >= m_FrameList.size())
         {
-            assert(m_FrameList.empty());
-            m_nCurrentFrame = EMPTY_FRAMELIST;
+            // tdf#95298 last frame was deleted, try to use the one before it or go on empty state
+            m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST : m_FrameList.size() - 1;
         }
     }
     else // delete everything
@@ -522,7 +523,8 @@ IMPL_LINK_NOARG_TYPED(AnimationWindow, ModifyTimeHdl, Edit&, void)
 
 void AnimationWindow::UpdateControl(bool const bDisableCtrls)
 {
-    if (!m_FrameList.empty())
+    // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+    if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame)
     {
         BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first);

More information about the Libreoffice-commits mailing list