[Libreoffice-commits] core.git: Branch 'libreoffice-5-3' - sc/source

Eike Rathke erack at redhat.com
Tue Aug 22 17:49:51 UTC 2017


 sc/source/core/tool/scmatrix.cxx |   17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

New commits:
commit 8d8044d25a6d112854655ef0ad51f1a904350f0f
Author: Eike Rathke <erack at redhat.com>
Date:   Mon Aug 21 15:49:41 2017 +0200

    Resolves: tdf#111943 really really limit the match, tdf#108292 follow-up
    
    getRemainingCount() could deliver a wrapped-around overflow value if mnIndex
    was already greater than the end index, which could happen when non-matching
    larger block sizes were added. If a match was then found behind those
    blocks, a non-requested/unexpected index was returned, which in turn led to
    the assert() being hit in ScInterpreter::CalculateLookup(). In non-debug
    builds this could result in an invalid block position access.
    
    This happened with the bug case document of tdf#111943 which in master can be
    loaded.
    
    Also, the start and end index are not dynamic and don't have to be recalculated
    each time, so make them const; column argument values are unused after.
    
    (cherry picked from commit 25b3806ac509006573e669acc33643af3bd77380)
    
    Change-Id: Ic294cade4e8e7828bee394e5ade61d7127be6bbb
    Reviewed-on: https://gerrit.libreoffice.org/41397
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>

diff --git a/sc/source/core/tool/scmatrix.cxx b/sc/source/core/tool/scmatrix.cxx
index 1807a11c53cc..30fb6eb0b36f 100644
--- a/sc/source/core/tool/scmatrix.cxx
+++ b/sc/source/core/tool/scmatrix.cxx
@@ -1264,24 +1264,25 @@ template<typename Type>
 class WalkAndMatchElements : public std::unary_function<MatrixImplType::element_block_node_type, void>
 {
     Type maMatchValue;
-    MatrixImplType::size_pair_type maSize;
-    size_t mnCol1;
-    size_t mnCol2;
+    const size_t mnStartIndex;
+    const size_t mnStopIndex;
     size_t mnResult;
     size_t mnIndex;
 
 public:
     WalkAndMatchElements(Type aMatchValue, const MatrixImplType::size_pair_type& aSize, size_t nCol1, size_t nCol2) :
         maMatchValue(aMatchValue),
-        maSize(aSize),
-        mnCol1(nCol1),
-        mnCol2(nCol2),
+        mnStartIndex( nCol1 * aSize.row ),
+        mnStopIndex( (nCol2 + 1) * aSize.row ),
         mnResult(ResultNotSet),
         mnIndex(0) {}
 
     size_t getMatching() const { return mnResult; }
 
-    size_t getRemainingCount() const { return ((mnCol2 + 1) * maSize.row) - mnIndex; }
+    size_t getRemainingCount() const
+    {
+        return mnIndex < mnStopIndex ? mnStopIndex - mnIndex : 0;
+    }
 
     size_t compare(const MatrixImplType::element_block_node_type& node) const;
 
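Review bot: The constructor derives `mnStartIndex` and `mnStopIndex` from `nCol1`, `nCol2` and `aSize.row` without checking that `nCol1 <= nCol2` or that `nCol2` lies inside the matrix. The saturating `getRemainingCount()` removes the wraparound, but the stop index can still lie past the last element if a caller passes an out-of-range column. The commit message notes that only debug builds hit the assert, and the lookup arguments can come from a loaded document, so a bound that is active in every build would be more robust: `mnStopIndex( std::min(nCol2 + 1, aSize.column) * aSize.row ),` (assuming `aSize.column` has the same type as `aSize.row`). The callers are not visible in this hunk and may already guarantee the range. If they do, a comment on the constructor stating that precondition is enough: `// precondition: nCol1 <= nCol2 < aSize.column`.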
@@ -1292,7 +1293,7 @@ public:
             return;
 
         // limit lookup to the requested columns
-        if ((mnCol1 * maSize.row) <= mnIndex && getRemainingCount() > 0)
+        if (mnStartIndex <= mnIndex && getRemainingCount() > 0)
         {
             mnResult = compare(node);
         }
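Review bot: The range check compares only the current block's starting offset (`mnIndex`) with `mnStartIndex`. A block that begins before the first requested column and extends into it therefore appears to be skipped as a whole, while a block that begins inside the range and runs past `mnStopIndex` is passed to `compare()` in full. Whether `compare()` stops after `getRemainingCount()` elements cannot be seen here, and operator() starts and ends outside this hunk. I would state that contract next to the check, e.g. `// only blocks starting at or after mnStartIndex are searched; compare() must not read more than getRemainingCount() elements`, so a later change to either side does not reopen the out-of-range access.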

