[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Fri Mar 16 14:47:46 UTC 2018


 sw/source/filter/ww8/ww8scan.cxx |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

New commits:
commit 5b71268f33af179c241f2c9d76d69f25e97a05f7
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Mar 16 10:09:21 2018 +0000

    ofz#6950 Integer-overflow
    
    Change-Id: I56d8da7d6f376744803153b29d1dfe638e10b001
    Reviewed-on: https://gerrit.libreoffice.org/51398
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 380c2c8f1fba..f6b4a84a3a8f 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1501,12 +1501,18 @@ WW8_CP WW8ScannerBase::WW8Fc2Cp( WW8_FC nFcPos ) const
                     SAL_WARN("sw.ww8", "broken offset, ignoring");
                     return WW8_CP_MAX;
                 }
-                if (nFcPos < nFcStart + nLen)
+                WW8_FC nFcEnd;
+                if (o3tl::checked_add(nFcStart, nLen, nFcEnd))
+                {
+                    SAL_WARN("sw.ww8", "broken offset, ignoring");
+                    return WW8_CP_MAX;
+                }
+                if (nFcPos < nFcEnd)
                 {
                     m_pPieceIter->SetIdx( nOldPos );
                     return nTempCp;
                 }
-                else if (nFcPos == nFcStart + nLen)
+                else if (nFcPos == nFcEnd)
                 {
                     //Keep this cp as its on a piece boundary because we might
                     //need it if tests fail
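
Review bot: The new overflow branch after `o3tl::checked_add(nFcStart, nLen, nFcEnd)` logs the same text as the existing check just above it ("broken offset, ignoring"), so a warning in the sw.ww8 log cannot be attributed to one check or the other. Consider a distinct message for the new branch, for example one that says the piece end (nFcStart + nLen) overflowed, and a short comment at the checked_add call noting that both values come from the document being parsed. Separately, the `nFcPos < nFcEnd` branch restores the iterator with `m_pPieceIter->SetIdx( nOldPos )` before returning, while the new early return does not. That matches the existing early return above, but it is worth confirming that callers do not depend on the piece iterator position after a WW8_CP_MAX result.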

