[Libreoffice-commits] core.git: Branch 'libreoffice-5-1' - svl/source xmloff/source
Eike Rathke
erack at redhat.com
Tue May 31 05:51:30 UTC 2016
svl/source/numbers/zformat.cxx | 22 ++++++++++++----------
xmloff/source/style/xmlnumfe.cxx | 5 +++--
2 files changed, 15 insertions(+), 12 deletions(-)
New commits:
commit 7e8e2ef608c7fe2a1c6d6fa244534b85dc42362b
Author: Eike Rathke <erack at redhat.com>
Date: Tue May 31 00:02:38 2016 +0200
prevent out of bounds string access
Yet another remnant of the String to OUString conversion,
where the terminating NUL character was obtained and
SvNumberformat::InsertBlanks() effectively did nothing.
Could be triggered already by entering an '_' underscore character as
number format code, which is a placeholder for blanks of the same width
as the following character, which does not exist yet at that point.
Change-Id: I0534e1417d4bd35e9e7ed4bd0170b9ea3b5fb575
(cherry picked from commit c75ce37560c05271ba56c9dd0d98c5001e83cc2f)
Reviewed-on: https://gerrit.libreoffice.org/25693
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 29402f8..90175f9 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -1941,8 +1941,8 @@ bool SvNumberformat::GetOutputString(const OUString& sString,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks( sOutBuff, sOutBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks( sOutBuff, sOutBuff.getLength(), rInfo.sStrArray[i][1] );
break;
case NF_KEY_GENERAL : // #77026# "General" is the same as "@"
case NF_SYMBOLTYPE_DEL :
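Review bot: The guard `rInfo.sStrArray[i].getLength() >= 2` is copied verbatim into six `NF_SYMBOLTYPE_BLANK` cases in this file (this one plus the hunks in `GetOutputString(double ...)`, `ImpGetTimeOutput`, `ImpGetDateOutput`, `ImpGetDateTimeOutput` and `ImpNumberFill`) and twice more in xmlnumfe.cxx, with no comment saying why 2 is the threshold. A one-line comment at each site such as `// "_" without a following character: no width to copy, emit nothing` would keep the next caller from indexing `[1]` unguarded again; better still would be one shared helper that takes the symbol string and performs the length check itself. The diffstat lists only the two source files, so no regression test for the format code `_` accompanies the fix. The enclosing functions start and end outside each hunk.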
@@ -2272,8 +2272,8 @@ bool SvNumberformat::GetOutputString(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks(sBuff, sBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -2904,8 +2904,8 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks(sBuff, sBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -3397,7 +3397,8 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -3690,8 +3691,8 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks( sBuff, sBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -4337,7 +4338,8 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer& sBuff, // number string
}
break;
case NF_SYMBOLTYPE_BLANK:
- k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] );
+ if (rInfo.sStrArray[j].getLength() >= 2)
+ k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] );
break;
case NF_SYMBOLTYPE_THSEP:
// Same as in ImpNumberFillWithThousands() above, do not insert
diff --git a/xmloff/source/style/xmlnumfe.cxx b/xmloff/source/style/xmlnumfe.cxx
index 068ca83..5bbbdd3 100644
--- a/xmloff/source/style/xmlnumfe.cxx
+++ b/xmloff/source/style/xmlnumfe.cxx
@@ -1295,7 +1295,7 @@ void SvXMLNumFmtExport::ExportPart_Impl( const SvNumberformat& rFormat, sal_uInt
{
aEmbeddedStr = *pElemStr;
}
- else
+ else if (pElemStr->getLength() >= 2)
{
SvNumberformat::InsertBlanks( aEmbeddedStr, 0, (*pElemStr)[1] );
}
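Review bot: With `else` narrowed to `else if (pElemStr->getLength() >= 2)`, a one-character blank element now leaves `aEmbeddedStr` untouched and control continues past the closing brace. The code that consumes `aEmbeddedStr` lies outside the hunk, so it is worth confirming that it tolerates an empty string rather than recording an empty embedded-text entry; if it does not, the short element should be skipped entirely. A comment on the branch, e.g. `// blank symbol without a width character: nothing to embed`, would document the intended no-op.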
@@ -1367,7 +1367,8 @@ void SvXMLNumFmtExport::ExportPart_Impl( const SvNumberformat& rFormat, sal_uInt
// (#i20396# the spaces may also be in embedded-text elements)
OUString aBlanks;
- SvNumberformat::InsertBlanks( aBlanks, 0, (*pElemStr)[1] );
+ if (pElemStr->getLength() >= 2)
+ SvNumberformat::InsertBlanks( aBlanks, 0, (*pElemStr)[1] );
AddToTextElement_Impl( aBlanks );
}
break;
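Review bot: `AddToTextElement_Impl( aBlanks );` still runs when the new guard fails, so it is then called with an empty `aBlanks`. Its body is not visible here; unless it is known to ignore empty input, the call belongs under the same condition: `if (pElemStr->getLength() >= 2) { SvNumberformat::InsertBlanks( aBlanks, 0, (*pElemStr)[1] ); AddToTextElement_Impl( aBlanks ); }`. The surrounding case block starts outside the hunk.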