[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Mon Jan 22 20:42:31 UTC 2018


 sw/source/filter/ww8/ww8scan.cxx |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

New commits:
commit 42878f5459ac405f1938d3174e1aef1a2228c8fa
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Jan 22 09:04:05 2018 +0000

    ofz#5561 Integer-overflow
    
    Change-Id: I57660848190efff8e6354670eb68b60ed57f0094
    Reviewed-on: https://gerrit.libreoffice.org/48308
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 57a94783e239..dd8d2479233a 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1464,7 +1464,17 @@ WW8_CP WW8ScannerBase::WW8Fc2Cp( WW8_FC nFcPos ) const
             {
                 bIsUnicode = m_pWw8Fib->m_fExtChar;
             }
-            sal_Int32 nLen = (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1);
+
+            sal_Int32 nLen = nCpEnd - nCpStart;
+            if (bIsUnicode)
+            {
+                bool bFail = o3tl::checked_multiply<WW8_CP>(nLen, 2, nLen);
+                if (bFail)
+                {
+                    SAL_WARN("sw.ww8", "broken offset, ignoring");
+                    return WW8_CP_MAX;
+                }
+            }
 
             /*
             If this cp is inside this piece, or it's the last piece and we are
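
Review bot: The subtraction in "sal_Int32 nLen = nCpEnd - nCpStart;" is still plain signed arithmetic, so only the doubling is guarded. Nothing in the visible lines shows that nCpEnd >= nCpStart has been established, or that the difference fits, before this point. If it has not, the subtraction can itself overflow or leave nLen negative before checked_multiply runs. Either do the subtraction with a checked helper as well, or add a comment naming where that invariant is enforced. Two smaller points: nLen is declared sal_Int32 while the template argument is WW8_CP, so declaring nLen as WW8_CP would keep the types aligned; and the warning text says "ignoring" although the code returns WW8_CP_MAX from the function, so the message should say that the lookup is abandoned.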

