[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Thu Oct 26 18:49:20 UTC 2017


 sw/source/filter/ww8/ww8scan.cxx |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

New commits:
commit 4c1bfd35ae05aca4c71c17d41ebe10634526edac
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Oct 26 10:20:45 2017 +0100

    ofz#3816 Integer-overflow
    
    Change-Id: I899df8d0609d6a3c55d130cffc5b1b23eebece13

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index c3adbf485d8f..f296eb91af04 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3391,10 +3391,17 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
                                     nFcStart,bIsUnicode );
                             }
 
-                            WW8_CP nCpLen = (nCpEnd - nCpStart);
+                            WW8_CP nCpLen;
+                            bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+                            if (bFail)
+                            {
+                                SAL_WARN("sw.ww8", "broken offset, ignoring");
+                                continue;
+                            }
+
                             if (bIsUnicode)
                             {
-                                const bool bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen);
+                                bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen);
                                 if (bFail)
                                 {
                                     SAL_WARN("sw.ww8", "broken offset, ignoring");
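Review bot: The new `checked_sub` guard rejects only arithmetic overflow, so a document in which nCpEnd is smaller than nCpStart still produces a negative nCpLen that passes through the `checked_multiply` and `checked_add` that follow without tripping either check (this assumes WW8_CP is a signed type, as the overflow report suggests). Whether a negative length, or an nLimitFC below nFcStart, is rejected later is not visible here, because GetSprms continues outside the hunk. If nothing downstream rejects it, the guard could treat that input as broken too: `if (bFail || nCpLen < 0)`.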
@@ -3402,7 +3409,7 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
                                 }
                             }
 
-                            const bool bFail = o3tl::checked_add(nFcStart, nCpLen, nLimitFC);
+                            bFail = o3tl::checked_add(nFcStart, nCpLen, nLimitFC);
                             if (bFail)
                             {
                                 SAL_WARN("sw.ww8", "broken offset, ignoring");
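Review bot: The warning on this `checked_add` failure is the same `"broken offset, ignoring"` string used for the `checked_sub` and `checked_multiply` failures in the previous hunk, so a log from a malformed document does not show which bound was violated. Naming the failing operation in each message would make triage of fuzzer and field reports easier, for example `SAL_WARN("sw.ww8", "nFcStart + nCpLen overflows, ignoring");` here. The body of this `if` continues outside the hunk.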

