[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - sd/source

[Armin Le Grand]

 sd/source/ui/dlg/animobjs.cxx |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

New commits:
commit 6b3b080f8cedc1b496022b18e477af0c7361fba3
Author: Armin Le Grand <Armin.Le.Grand at me.com>
Date:   Tue Nov 3 12:25:13 2015 +0100

    tdf#95298: corrected some out-of-bound accesses to array
    
    the index variable m_FrameList used to reference the current frame uses
    the state EMTY_FRAMELIST to mark as invalid, which is the max integer
    number. Thus all usages have to be secured to not use m_FrameList
    if set to EMPTY_FRAMELIST. This was missing in some places.
    the max integer
    number. Thus all usages have to be secured to not use m_FrameList
    if set to EMPTY_FRAMELIST. This was missing in some places.
    
    Reviewed-on: https://gerrit.libreoffice.org/19753
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Katarina Behrens <Katarina.Behrens at cib.de>
    
    Cherry-picked from f0cef70cd4164342b218fbee34bf57eedc22c998
    
    Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8
    Reviewed-on: https://gerrit.libreoffice.org/19787
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sd/source/ui/dlg/animobjs.cxx b/sd/source/ui/dlg/animobjs.cxx
index 0b033f9..5c66014 100644
--- a/sd/source/ui/dlg/animobjs.cxx
+++ b/sd/source/ui/dlg/animobjs.cxx
@@ -430,7 +430,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *, pBtn )
     SdPage*     pPage = pMyDoc->GetSdPage(0, PK_STANDARD);
     SdrObject*  pObject;
 
-    if (pBtn == m_pBtnRemoveBitmap)
+    // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+    if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST  != m_nCurrentFrame)
     {
         delete m_FrameList[m_nCurrentFrame].first;
         delete m_FrameList[m_nCurrentFrame].second;
@@ -449,8 +450,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *, pBtn )
 
         if (m_nCurrentFrame >= m_FrameList.size())
         {
-            assert(m_FrameList.empty());
-            m_nCurrentFrame = EMPTY_FRAMELIST;
+            // tdf#95298 last frame was deleted, try to use the one before it or go on empty state
+            m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST : m_FrameList.size() - 1;
         }
     }
     else // delete everything
@@ -539,7 +540,8 @@ IMPL_LINK_NOARG(AnimationWindow, ModifyTimeHdl)
 
 void AnimationWindow::UpdateControl(bool const bDisableCtrls)
 {
-    if (!m_FrameList.empty())
+    // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+    if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame)
     {
         BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first);