[Libreoffice-commits] core.git: sw/source
Caolán McNamara
caolanm at redhat.com
Thu Oct 19 19:27:10 UTC 2017
sw/source/filter/ww8/ww8scan.cxx | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
New commits:
commit 02d4421687c1dba797153d9b71c01cf98d1537fb
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Oct 19 13:06:07 2017 +0100
ofz+ubsan: signed integer overflow
Change-Id: Ie291f5f4e705ad3d2aeecc9fa26b1247974e2aa2
Reviewed-on: https://gerrit.libreoffice.org/43545
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 61d4ff7b2908..240ebbc3057e 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -39,7 +39,7 @@
#include <unotools/localedatawrapper.hxx>
#include <i18nlangtag/lang.h>
#include <editeng/unolingu.hxx>
-
+#include <o3tl/safeint.hxx>
#include <tools/stream.hxx>
#include <vcl/settings.hxx>
@@ -1495,8 +1495,18 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
return nRet;
}
+ if (*pIsUnicode)
+ {
+ const bool bFail = o3tl::checked_multiply<WW8_CP>(nCpPos, 2, nCpPos);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+ }
+
// No complex file
- return m_pWw8Fib->m_fcMin + nCpPos * (*pIsUnicode ? 2 : 1);
+ return m_pWw8Fib->m_fcMin + nCpPos;
}
// class WW8ScannerBase
More information about the Libreoffice-commits
mailing list