[Libreoffice-commits] core.git: sw/source

[Stephan Bergmann (via logerrit)]

 sw/source/core/layout/wsfrm.cxx |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit 8a119dfbee7a2f4917d4089acbfda8fa6fc46d35
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Fri Aug 2 11:23:06 2019 +0200
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Fri Aug 2 14:52:15 2019 +0200

    Avoid -fsanitize=signed-integer-overflow within m_pFrame->GrowTst( LONG_MAX );
    
    `--convert-to pdf doc/ooo70429-1.doc` (i.e., the attachment Whole Book.odt at
    <https://bz.apache.org/ooo/show_bug.cgi?id=70429#c2>) failed with
    
    > sw/source/core/layout/wsfrm.cxx:2659:27: runtime error: signed integer overflow: 9223372036854775647 + 9254 cannot be represented in type 'long'
    >  #0 in SwLayoutFrame::GrowFrame(long, bool, bool) at sw/source/core/layout/wsfrm.cxx:2659:27
    >  #1 in SwFrame::Grow(long, bool, bool) at sw/source/core/layout/wsfrm.cxx:1493:35
    >  #2 in SwContentFrame::GrowFrame(long, bool, bool) at sw/source/core/layout/wsfrm.cxx:2147:37
    >  #3 in SwFrame::Grow(long, bool, bool) at sw/source/core/layout/wsfrm.cxx:1493:35
    >  #4 in SwTextFrame::GrowTst(long) at sw/source/core/inc/txtfrm.hxx:815:12
    >  #5 in SwTextFrameBreak::IsInside(SwTextMargin const&) const at sw/source/core/text/widorp.cxx:156:34
    [...]
    
    when frame 5 calls
    
                nHeight += m_pFrame->GrowTst( LONG_MAX );
    
    As various places along the code path between frames 5 and 0 already clip values
    at LONG_MAX, it looks reasonable to similarly clip the increased nReal here.
    
    Change-Id: I27202ad47a397f8f57cfccfb3cb85a5dc0ac17cb
    Reviewed-on: https://gerrit.libreoffice.org/76851
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>

diff --git a/sw/source/core/layout/wsfrm.cxx b/sw/source/core/layout/wsfrm.cxx
index 95af7d95dda2..452ad6cf42f2 100644
--- a/sw/source/core/layout/wsfrm.cxx
+++ b/sw/source/core/layout/wsfrm.cxx
@@ -18,6 +18,7 @@
  */
 
 #include <hints.hxx>
+#include <o3tl/safeint.hxx>
 #include <svl/itemiter.hxx>
 #include <editeng/brushitem.hxx>
 #include <fmtornt.hxx>
@@ -2656,7 +2657,7 @@ SwTwips SwLayoutFrame::GrowFrame( SwTwips nDist, bool bTst, bool bInfo )
                 }
 
                 if( SwNeighbourAdjust::GrowAdjust == nAdjust && nGrow < nReal )
-                    nReal += AdjustNeighbourhood( nReal - nGrow, bTst );
+                    nReal = o3tl::saturating_add(nReal, AdjustNeighbourhood( nReal - nGrow, bTst ));
 
                 if ( IsFootnoteFrame() && (nGrow != nReal) && GetNext() )
                 {