[Libreoffice-commits] core.git: sw/source
Caolán McNamara
caolanm at redhat.com
Mon Nov 20 14:13:19 UTC 2017
sw/source/filter/ww8/ww8scan.cxx | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
New commits:
commit ce204e444379d0fab21a8cf759df659ebafb5638
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Nov 20 09:29:28 2017 +0000
ofz#4327 Integer-overflow
Change-Id: I1a656c106b5944578c6c74b9e475349259865049
Reviewed-on: https://gerrit.libreoffice.org/44948
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index a561a702f324..4d3a5d50eff0 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3529,8 +3529,23 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
if (nSmallest <= nLimitFC)
{
- WW8_CP nEndPos = nCpEnd -
- (nLimitFC-nSmallest) / (bIsUnicode ? 2 : 1);
+ WW8_CP nCpDiff;
+ bFail = o3tl::checked_sub(nLimitFC, nSmallest, nCpDiff);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ continue;
+ }
+ if (bIsUnicode)
+ nCpDiff /= 2;
+
+ WW8_CP nEndPos;
+ bFail = o3tl::checked_sub(nCpEnd, nCpDiff, nEndPos);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ continue;
+ }
OSL_ENSURE(nEndPos >= p->nStartPos, "EndPos before StartPos");
More information about the Libreoffice-commits
mailing list