[Libreoffice-commits] core.git: vcl/win
Takeshi Abe
tabe at fixedpoint.jp
Mon Nov 16 06:42:03 PST 2015
vcl/win/source/gdi/winlayout.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit f630b6d5f165c8c507b8904b99594936edfd8da0
Author: Takeshi Abe <tabe at fixedpoint.jp>
Date: Thu Oct 15 18:16:53 2015 +0900
tdf#94008 Crash opening password protected file - CJK UI
This fixes a buffer overflow writing over the end of pCaretXArray,
which can happen e.g. when drawing mnemonics in the password dialog.
Based on a similar calculation of nCurrIdx found in
GenericSalLayout::GetCaretPositions().
Change-Id: I7d723cf8cfaeb66f340c7d9ea5b3bc728c6d6209
Reviewed-on: https://gerrit.libreoffice.org/19385
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: jan iversen <jani at documentfoundation.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/vcl/win/source/gdi/winlayout.cxx b/vcl/win/source/gdi/winlayout.cxx
index 0dfce84..2409d4b 100644
--- a/vcl/win/source/gdi/winlayout.cxx
+++ b/vcl/win/source/gdi/winlayout.cxx
@@ -1986,7 +1986,7 @@ void UniscribeLayout::GetCaretPositions( int nMaxIdx, long* pCaretXArray ) const
for(; (i < rVisualItem.mnEndCharPos) && (i < mnEndCharPos); ++i )
{
int j = mpLogClusters[ i ] + rVisualItem.mnMinGlyphPos;
- int nCurrIdx = i * 2;
+ int nCurrIdx = (i - mnMinCharPos) * 2;
if( !rVisualItem.IsRTL() )
{
// normal positions for LTR case
More information about the Libreoffice-commits
mailing list