[Libreoffice-commits] core.git: 2 commits - sc/source vcl/source

Caolán McNamara caolanm at redhat.com
Fri Oct 9 08:26:41 PDT 2015 

 sc/source/core/tool/interpr1.cxx |   10 +++++-----
 vcl/source/fontsubset/ttcr.cxx   |    3 +--
 2 files changed, 6 insertions(+), 7 deletions(-)

New commits:
commit 5d826db15beaff4f0930724431d34f7103111591
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Oct 9 16:22:56 2015 +0100

    crashtesting: ooo95537-1.xls fails with a fAnz that is nan
    
    so it happily passes the pre-cast string bounds check and blows
    up in the post-cast string access
    
    Change-Id: Ifd4d087b37e8a84d886e2f7833dfc773b8bf1343

diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
index 5d423ce..b9cdc1c 100644
--- a/sc/source/core/tool/interpr1.cxx
+++ b/sc/source/core/tool/interpr1.cxx
@@ -7877,17 +7877,17 @@ void ScInterpreter::ScFind()
     sal_uInt8 nParamCount = GetByte();
     if ( MustHaveParamCount( nParamCount, 2, 3 ) )
     {
-        double fAnz;
+        sal_Int32 nAnz;
         if (nParamCount == 3)
-            fAnz = GetDouble();
+            nAnz = GetDouble();
         else
-            fAnz = 1.0;
+            nAnz = 1;
         OUString sStr = GetString().getString();
-        if( fAnz < 1.0 || fAnz > (double) sStr.getLength() )
+        if (nAnz < 1 || nAnz > sStr.getLength())
             PushNoValue();
         else
         {
-            sal_Int32 nPos = sStr.indexOf(GetString().getString(), static_cast<sal_Int32>(fAnz - 1));
+            sal_Int32 nPos = sStr.indexOf(GetString().getString(), nAnz - 1);
             if (nPos == -1)
                 PushNoValue();
             else
commit 587c02d2554111528a8c590dad9992bb423305a5
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Oct 9 14:34:30 2015 +0100

    malloc + memset(0,..) -> calloc
    
    Change-Id: Ic7c496259258bf36cd885ed68912b43117f348f0

diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx
index ba52adc..0f24e25 100644
--- a/vcl/source/fontsubset/ttcr.cxx
+++ b/vcl/source/fontsubset/ttcr.cxx
@@ -412,9 +412,8 @@ static sal_uInt8 *ttmalloc(sal_uInt32 nbytes)
     sal_uInt32 n;
 
     n = (nbytes + 3) & (sal_uInt32) ~3;
-    sal_uInt8* res = static_cast<sal_uInt8*>(malloc(n));
+    sal_uInt8* res = static_cast<sal_uInt8*>(calloc(n, 1));
     assert(res != 0);
-    memset(res, 0, n);
 
     return res;
 }

More information about the Libreoffice-commits mailing list