[Libreoffice-commits] core.git: 2 commits - sax/source sw/source

Caolán McNamara caolanm at redhat.com
Wed Oct 25 14:00:15 UTC 2017


 sax/source/tools/converter.cxx   |   16 +++++-----------
 sw/source/filter/ww8/ww8par.hxx  |    9 ++++-----
 sw/source/filter/ww8/ww8par2.cxx |   26 +++++++++++++++-----------
 3 files changed, 24 insertions(+), 27 deletions(-)

New commits:
commit ffb19c5be464770e6ac2d9b13422353c8a03294b
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Oct 24 14:46:32 2017 +0100

    ofz#3752 Integer-overflow
    
    Change-Id: I211327928a86f706513ebd78cff979283396e742
    Reviewed-on: https://gerrit.libreoffice.org/43777
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sax/source/tools/converter.cxx b/sax/source/tools/converter.cxx
index 1cb8cf190f04..d2a84cd8ea7d 100644
--- a/sax/source/tools/converter.cxx
+++ b/sax/source/tools/converter.cxx
@@ -543,9 +543,6 @@ bool Converter::convertNumber64( sal_Int64& rValue,
                                  const OUString& rString,
                                  sal_Int64 nMin, sal_Int64 nMax )
 {
-    bool bNeg = false;
-    rValue = 0;
-
     sal_Int32 nPos = 0;
     sal_Int32 const nLen = rString.getLength();
 
@@ -553,10 +550,11 @@ bool Converter::convertNumber64( sal_Int64& rValue,
     while( (nPos < nLen) && (rString[nPos] <= ' ') )
         nPos++;
 
+    OUStringBuffer sNumber;
+
     if( nPos < nLen && '-' == rString[nPos] )
     {
-        bNeg = true;
-        nPos++;
+        sNumber.append(rString[nPos++]);
     }
 
     // get number
@@ -564,14 +562,10 @@ bool Converter::convertNumber64( sal_Int64& rValue,
            '0' <= rString[nPos] &&
            '9' >= rString[nPos] )
     {
-        // TODO: check overflow!
-        rValue *= 10;
-        rValue += (rString[nPos] - u'0');
-        nPos++;
+        sNumber.append(rString[nPos++]);
     }
 
-    if( bNeg )
-        rValue *= -1;
+    rValue = sNumber.toString().toInt64();
 
     if( rValue < nMin )
         rValue = nMin;
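Review bot: The overflow now lands inside `toInt64()` on the `rValue = sNumber.toString().toInt64();` line, and as far as I recall the rtl contract, a digit string that does not fit into sal_Int64 comes back as 0 rather than as a saturated value; the clamp against nMin/nMax that follows this hunk then only takes effect when 0 itself lies outside the range, so a huge input silently turns into 0 instead of into the bound the caller asked for. The undefined behaviour of the old `rValue *= 10` loop is gone, which is the important part, but the result is now indistinguishable from a literal "0". Since the digit loop already walks every character, it can cheaply remember whether a non-zero digit was seen and map the 0-on-overflow case to SAL_MIN_INT64/SAL_MAX_INT64, which the existing clamp then reduces to nMin/nMax. convertNumber64 continues past the end of this hunk, so the clamp and return are not visible here; the same digit loop is spread over the three hunks of this file.
```cpp
    OUStringBuffer sNumber;
    bool bNeg = false;
    bool bNonZeroDigit = false;

    if( nPos < nLen && '-' == rString[nPos] )
    {
        bNeg = true;
        sNumber.append(rString[nPos++]);
    }

    // … unchanged: comment and head of the digit loop …
        bNonZeroDigit = bNonZeroDigit || rString[nPos] != '0';
        sNumber.append(rString[nPos++]);
    // … unchanged: end of the digit loop …

    rValue = sNumber.toString().toInt64();
    // toInt64() reports a value outside sal_Int64 as 0 (to be confirmed against
    // rtl_ustr_toInt64); saturate instead so the nMin/nMax clamp below yields
    // the bound rather than 0
    if (rValue == 0 && bNonZeroDigit)
        rValue = bNeg ? SAL_MIN_INT64 : SAL_MAX_INT64;
```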
commit 4eb288ad1d6373a5374884118bd2344b739d8f9a
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Oct 2 09:24:19 2017 +0100

    ofz#3527 ofz#3532 Invalid read of size 8
    
    use numrule name to look up numrule instead of cached numrule pointer
    
    in case it was deleted on failure to apply the numrule over an invalid range
    
    Invalid read of size 8
       at 0x1E875132: rtl::OUString::OUString(rtl::OUString const&) (ustring.hxx:143)
       by 0x1EB33D93: SwWW8ImplReader::StartAnl(unsigned char const*) (ww8par2.cxx:1094)
       by 0x1EB33003: SwWW8ImplReader::Read_ANLevelNo(unsigned short, unsigned char const*, short) (ww8par2.cxx:910)
       by 0x1EBA375D: SwWW8ImplReader::ImportSprm(unsigned char const*, int, unsigned short) (ww8par6.cxx:6337)
       by 0x1EAEEA24: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) (ww8par.cxx:3810)
       by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) (ww8par.cxx:3921)
       by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) (ww8par.cxx:4003)
       by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) (ww8par.cxx:5219)
     Address 0x31831158 is 200 bytes inside a block of size 248 free'd
       at 0x4C2F21A: operator delete(void*) (vg_replace_malloc.c:576)
       by 0x253BC1B5: SwDoc::DelNumRule(rtl::OUString const&, bool) (docnum.cxx:1033)
       by 0x25CB943D: SwFltControlStack::SetAttrInDoc(SwPosition const&, SwFltStackEntry&) (fltshell.cxx:609)
       by 0x1EAE5011: SwWW8FltControlStack::SetAttrInDoc(SwPosition const&, SwFltStackEntry&) (ww8par.cxx:1445)
       by 0x25CB8A9E: SwFltControlStack::SetAttr(SwPosition const&, unsigned short, bool, long, bool) (fltshell.cxx:457)
       by 0x1EAE420E: SwWW8FltControlStack::SetAttr(SwPosition const&, unsigned short, bool, long, bool) (ww8par.cxx:1185)
       by 0x1EAE5C12: SwWW8ImplReader::Read_Tab(unsigned short, unsigned char const*, short) (ww8par.cxx:1625)
       by 0x1EBA35F0: SwWW8ImplReader::EndSprm(unsigned short) (ww8par6.cxx:6321)
       by 0x1EAEEA44: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) (ww8par.cxx:3813)
       by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) (ww8par.cxx:3921)
       by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) (ww8par.cxx:4003)
       by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) (ww8par.cxx:5219)
    
    Change-Id: Ia7ab67e42fc7a162d8089722e77841285f72a671
    Reviewed-on: https://gerrit.libreoffice.org/43028
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 78eaac1809b2..154706725c47 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -970,11 +970,10 @@ struct ApoTestResults
 
 struct ANLDRuleMap
 {
-    SwNumRule* mpOutlineNumRule;    // WinWord 6 numbering, variant 1
-    SwNumRule* mpNumberingNumRule;  // WinWord 6 numbering, variant 2
-    SwNumRule* GetNumRule(sal_uInt8 nNumType);
-    void SetNumRule(SwNumRule*, sal_uInt8 nNumType);
-    ANLDRuleMap() : mpOutlineNumRule(nullptr), mpNumberingNumRule(nullptr) {}
+    OUString msOutlineNumRule;    // WinWord 6 numbering, variant 1
+    OUString msNumberingNumRule;  // WinWord 6 numbering, variant 2
+    SwNumRule* GetNumRule(const SwDoc& rDoc, sal_uInt8 nNumType);
+    void SetNumRule(const SwNumRule*, sal_uInt8 nNumType);
 };
 
 struct SprmReadInfo;
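Review bot: ANLDRuleMap now stores rule names and resolves them on every GetNumRule call, and that can yield nullptr, but nothing in the struct says why a name is kept instead of the pointer or that callers must expect a null result; the next person to "optimise" this back to a cached SwNumRule* would reintroduce the use-after-free the commit fixes. Suggest a comment above the struct, e.g. `// Rules are recorded by name and looked up in the SwDoc on each access: the SwNumRule itself may be deleted (SwDoc::DelNumRule) before the numbering is applied, so a cached pointer can dangle. GetNumRule returns nullptr when no rule is recorded or the named rule no longer exists.` A matching one-liner on SetNumRule noting that a null rule is stored as an empty name would round it off.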
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 574db30c1200..a7e085fd3cf4 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1015,17 +1015,21 @@ WW8LvlType GetNumType(sal_uInt8 nWwLevelNo)
     return nRet;
 }
 
-SwNumRule *ANLDRuleMap::GetNumRule(sal_uInt8 nNumType)
+SwNumRule *ANLDRuleMap::GetNumRule(const SwDoc& rDoc, sal_uInt8 nNumType)
 {
-    return (WW8_Numbering == nNumType ? mpNumberingNumRule : mpOutlineNumRule);
+    const OUString& rNumRule = WW8_Numbering == nNumType ? msNumberingNumRule : msOutlineNumRule;
+    if (rNumRule.isEmpty())
+        return nullptr;
+    return rDoc.FindNumRulePtr(rNumRule);
 }
 
-void ANLDRuleMap::SetNumRule(SwNumRule *pRule, sal_uInt8 nNumType)
+void ANLDRuleMap::SetNumRule(const SwNumRule *pRule, sal_uInt8 nNumType)
 {
+    OUString sNumRule = pRule ? pRule->GetName() : OUString();
     if (WW8_Numbering == nNumType)
-        mpNumberingNumRule = pRule;
+        msNumberingNumRule = sNumRule;
     else
-        mpOutlineNumRule = pRule;
+        msOutlineNumRule = sNumRule;
 }
 
 // StartAnl is called at the beginning of a row area that contains
@@ -1039,7 +1043,7 @@ void SwWW8ImplReader::StartAnl(const sal_uInt8* pSprm13)
         return;
 
     m_nWwNumType = nT;
-    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
 
     // check for COL numbering:
     SprmResult aS12; // sprmAnld
@@ -1107,7 +1111,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
     if (!m_bAnl)
         return;
 
-    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
 
     // pNd->UpdateNum without a set of rules crashes at the latest whilst storing as sdw3
 
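Review bot: pNumRule can now be nullptr after the `m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);` line, and the two following hunks guard only the two `GetNumFormat(m_nSwNumLevel)` conditions; what NextAnlLine does with pNumRule after those branches is outside the hunks, so if any later line dereferences it the fix is incomplete. An `if (!pNumRule) return;` directly after the lookup would cover every use at once and reads more clearly than per-branch `pNumRule &&` guards, unless the level bookkeeping further down must still run without a rule, in which case a comment saying so would help. The same question applies to the StartAnl hunk above, whose body after the lookup is likewise outside the diff; the old map could already hand back a nullptr there (members were initialised to nullptr), so that path presumably exists, but it is worth confirming.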
@@ -1115,7 +1119,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
     if (*pSprm13 == 10 || *pSprm13 == 11)
     {
         m_nSwNumLevel = 0;
-        if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+        if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
         {
             // not defined yet
             // sprmAnld o. 0
@@ -1128,7 +1132,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
     {
         m_nSwNumLevel = *pSprm13 - 1;             // outline
         // undefined
-        if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+        if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
         {
             if (m_xNumOlst)                       // there was a OLST
             {
@@ -1182,7 +1186,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 nNewType, bool bGoBack)
     else
         m_xCtrlStck->SetAttr(*m_pPaM->GetPoint(), RES_FLTR_NUMRULE);
 
-    m_aANLDRules.mpNumberingNumRule = nullptr;
+    m_aANLDRules.msNumberingNumRule.clear();
     /*
      #i18816#
      my take on this problem is that moving either way from an outline to a
@@ -1192,7 +1196,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 nNewType, bool bGoBack)
         (((m_nWwNumType == WW8_Outline) && (nNewType == WW8_Numbering)) ||
         ((m_nWwNumType == WW8_Numbering) && (nNewType == WW8_Outline)));
     if (!bNumberingNotStopOutline)
-        m_aANLDRules.mpOutlineNumRule = nullptr;
+        m_aANLDRules.msOutlineNumRule.clear();
 
     m_nSwNumLevel = 0xff;
     m_nWwNumType = WW8_None;

