[Libreoffice-commits] core.git: formula/source

[Libreoffice Gerrit user]

 formula/source/core/api/FormulaCompiler.cxx |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit 58a15b452801f1f6f1b3e9f2fef49a1249538ac5
Author:     Luboš Luňák <l.lunak at collabora.com>
AuthorDate: Fri Jul 27 16:59:02 2018 +0200
Commit:     Luboš Luňák <l.lunak at collabora.com>
CommitDate: Tue Jul 31 16:01:05 2018 +0200

    protect against accessing before the start of pCode in FormulaCompiler
    
    If the expression is bad, such as in sc/qa/.../sheet.fods, 'pCode - 1'
    may actually refer before the array of tokens, since nothing has been
    added yet. So make that element nullptr. This is a bit hackish, but
    checking in every place that pCode is valid seems tedious.
    
    Change-Id: Ia099a50583f60d93a2e20b1f7b5e44b0121a275b
    Reviewed-on: https://gerrit.libreoffice.org/58198
    Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
    Tested-by: Jenkins
    Reviewed-by: Luboš Luňák <l.lunak at collabora.com>

diff --git a/formula/source/core/api/FormulaCompiler.cxx b/formula/source/core/api/FormulaCompiler.cxx
index 8e79e5ca68dd..c22f9edbdbe1 100644
--- a/formula/source/core/api/FormulaCompiler.cxx
+++ b/formula/source/core/api/FormulaCompiler.cxx
@@ -2079,7 +2079,12 @@ bool FormulaCompiler::CompileTokenArray()
         pArr->DelRPN();
         maArrIterator.Reset();
         pStack = nullptr;
-        FormulaToken* pData[ FORMULA_MAXTOKENS ];
+        FormulaToken* pDataArray[ FORMULA_MAXTOKENS + 1 ];
+        // Code in some places refers to the last token as 'pCode - 1', which may
+        // point before the first element if the expression is bad. So insert a dummy
+        // node in that place which will make that token be nullptr.
+        pDataArray[ 0 ] = nullptr;
+        FormulaToken** pData = pDataArray + 1;
         pCode = pData;
         bool bWasForced = pArr->IsRecalcModeForced();
         if ( bWasForced )