[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Wed Nov 1 19:26:25 UTC 2017


 sw/source/filter/ww8/ww8scan.cxx |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

New commits:
commit 0b70e6b93b8cb2169fa372b555ae0c6b43a4ce43
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Nov 1 11:23:35 2017 +0000

    ofz#3945 Integer-overflow
    
    Change-Id: I3cc8e91078289860d27ee77be3c24eabeb136909
    Reviewed-on: https://gerrit.libreoffice.org/44163
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index e07b12129518..3134c3bc2ed1 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3382,8 +3382,23 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
 
                 if (nOldEndPos <= nLimitFC)
                 {
-                    p->nEndPos = nCpEnd -
-                        (nLimitFC-nOldEndPos) / (bIsUnicode ? 2 : 1);
+                    bFail = o3tl::checked_sub(nLimitFC, nOldEndPos, nCpLen);
+                    if (bFail)
+                    {
+                        SAL_WARN("sw.ww8", "broken offset, ignoring");
+                        pPieceIter->SetIdx(nOldPos);
+                        return;
+                    }
+
+                    nCpLen /= (bIsUnicode ? 2 : 1);
+
+                    bFail = o3tl::checked_sub(nCpEnd, nCpLen, p->nEndPos);
+                    if (bFail)
+                    {
+                        SAL_WARN("sw.ww8", "broken offset, ignoring");
+                        pPieceIter->SetIdx(nOldPos);
+                        return;
+                    }
                 }
                 else
                 {
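Review bot: The second `o3tl::checked_sub(nCpEnd, nCpLen, p->nEndPos)` uses the descriptor field itself as the output, so on the failure path `p->nEndPos` may already hold a wrapped value when the function returns, depending on whether the checked_sub implementation stores its result on overflow. Computing into a local and assigning only on success avoids leaving a bogus end position behind: `bFail = o3tl::checked_sub(nCpEnd, nCpLen, nNewEndPos);` and, after the check, `p->nEndPos = nNewEndPos;` (where `nNewEndPos` is a new local of the field's type). Both failure branches also log the identical text `"broken offset, ignoring"`, so a log line cannot tell which subtraction overflowed; distinct messages would make malformed documents easier to triage. The declarations of `bFail` and `nCpLen` and the rest of GetSprms lie outside the hunk, so whether callers read `p->nEndPos` after this early return needs to be confirmed there.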

