[Libreoffice-commits] core.git: Branch 'libreoffice-5-3' - svl/source
Eike Rathke
erack at redhat.com
Tue Mar 14 13:24:19 UTC 2017
svl/source/numbers/zformat.cxx | 10 ++++++++--
svl/source/numbers/zforscan.cxx | 23 +++++++++++++----------
2 files changed, 21 insertions(+), 12 deletions(-)
New commits:
commit 0f7a1bce18b08045fd98d5de99bb9ed69a7d474d
Author: Eike Rathke <erack at redhat.com>
Date: Fri Mar 10 13:38:28 2017 +0100
string access out of bounds
This is a combination of 3 commits.
string access out of bounds
Change-Id: I4f6e6e8e77cdabe593bca5719b6ef38aeecc5da7
(cherry picked from commit 77a8cf7eaf638276030d1c5be8705f5603f071a9)
prevent string access out of bounds
Though only the closing 0-character and the following check excludes that,
dbgutil asserts.
Change-Id: Ife1299042a60f6f058c4cf58b406d1cc022786a7
(cherry picked from commit c407fff205a270e02fe07885805b7250e71c28f8)
guard against a (theoretical?) endless loop of blanks only
Change-Id: I68d6cca1b359aa8fba42663bddb1107c31102415
(cherry picked from commit fe73eff36718b6d99d0cf92d750c457872cc4dcc)
Reviewed-on: https://gerrit.libreoffice.org/35043
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 09e024e..be19e33 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -2817,9 +2817,15 @@ bool SvNumberformat::ImpGetFractionOutput(double fNumber,
bRes |= ImpNumberFill(sDiv, fNumber, k, j, nIx, NF_SYMBOLTYPE_FRAC);
if ( !bHideFraction && sDenominatorFormat.getLength() > 0 )
{
- while ( sDiv[0] == ' ' ) // left align denominator
+ // Guard against a (theoretical?) endless loop of blanks only.
+ sal_Int32 n = sDiv.getLength();
+ sal_Int32 nDenominatorLen = sDenominatorFormat.getLength();
+ while ( n-- > 0 && sDiv[0] == ' ' ) // left align denominator
{
- sDiv.insert( sDenominatorFormat.getLength(), " " );
+ if (sDiv.getLength() <= nDenominatorLen)
+ sDiv.append(" ");
+ else
+ sDiv.insert( nDenominatorLen, " " );
sDiv.remove( 0, 1 );
}
}
diff --git a/svl/source/numbers/zforscan.cxx b/svl/source/numbers/zforscan.cxx
index 34137cb..1cceda7 100644
--- a/svl/source/numbers/zforscan.cxx
+++ b/svl/source/numbers/zforscan.cxx
@@ -814,18 +814,21 @@ short ImpSvNumberformatScan::Next_Symbol( const OUString& rStr,
switch (cToken)
{
case '/': // AM/PM, A/P
- cNext = rStr[nPos];
- if ( cNext == 'P' || cNext == 'p' )
+ if (nPos < rStr.getLength())
{
- sal_Int32 nLen = sSymbol.getLength();
- if ( 1 <= nLen &&
- (sSymbol[0] == 'A' || sSymbol[0] == 'a') &&
- (nLen == 1 ||
- (nLen == 2 && (sSymbol[1] == 'M' || sSymbol[1] == 'm')
- && (rStr[nPos + 1] == 'M' || rStr[nPos + 1] == 'm'))))
+ cNext = rStr[nPos];
+ if ( cNext == 'P' || cNext == 'p' )
{
- sSymbol += OUStringLiteral1(cToken);
- bDontStop = true;
+ sal_Int32 nLen = sSymbol.getLength();
+ if ( 1 <= nLen &&
+ (sSymbol[0] == 'A' || sSymbol[0] == 'a') &&
+ (nLen == 1 ||
+ (nLen == 2 && (sSymbol[1] == 'M' || sSymbol[1] == 'm')
+ && (rStr[nPos + 1] == 'M' || rStr[nPos + 1] == 'm'))))
+ {
+ sSymbol += OUStringLiteral1(cToken);
+ bDontStop = true;
+ }
}
}
break;
More information about the Libreoffice-commits
mailing list