[Libreoffice-commits] core.git: sw/source

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Fri Feb 22 14:02:08 UTC 2019


 sw/source/core/table/swtable.cxx |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

New commits:
commit 18b5a001cc5b306e1548fb70e610bdc1164cf4ca
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Fri Feb 22 11:56:51 2019 +0100
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Fri Feb 22 15:01:34 2019 +0100

    Avoid uncontrolled overflow in SwTable::GetBoxNum
    
    ...where bad input like "WRONG CELL NAME" (in PythonTest_sw_python's
    sw/qa/python/check_xtexttable.py) could wrap around to a valid but wrong nRet.
    Instead, return SAL_MAX_UINT16 upon overflow.  At least the call to GetBoxNum in
    SwTable::GetTableBox (sw/source/core/table/swtable.cxx) with bFirstPart
    potentially true, assigning to nBox, then later checks
    
      if( nBox >= pBoxes->size() )
          return nullptr;
    
    so returning SAL_MAX_UINT16 upon overflow appears to be the best choice.
    
    (Found with Clang's -fsanitize=implicit-signed-integer-truncation.)
    
    Change-Id: I12822a6bd4f0269adb14c04eefbd1cde4d288728
    Reviewed-on: https://gerrit.libreoffice.org/68203
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>

diff --git a/sw/source/core/table/swtable.cxx b/sw/source/core/table/swtable.cxx
index 0f2b5aee412a..18050a1e0202 100644
--- a/sw/source/core/table/swtable.cxx
+++ b/sw/source/core/table/swtable.cxx
@@ -1291,6 +1291,8 @@ sal_uInt16 SwTable::GetBoxNum( OUString& rStr, bool bFirstPart,
         sal_Int32 nPos = 0;
         // the first one uses letters for addressing!
         bool bFirst = true;
+        sal_uInt32 num = 0;
+        bool overflow = false;
         while (nPos<rStr.getLength())
         {
             sal_Unicode cChar = rStr[nPos];
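Review bot: The new locals `num` and `overflow` are declared without a comment saying that `num` is a deliberately wider (sal_uInt32) accumulator for a function that returns sal_uInt16. A one-line comment here would keep a later cleanup from narrowing it back and reintroducing the wrap. The names also break with the prefix style of the neighbouring `nPos` and `bFirst`; something like `nNum` and `bOverflow` would match.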
@@ -1301,10 +1303,14 @@ sal_uInt16 SwTable::GetBoxNum( OUString& rStr, bool bFirstPart,
             if( bFirst )
                 bFirst = false;
             else
-                ++nRet;
-            nRet = nRet * 52 + cChar;
+                ++num;
+            num = num * 52 + cChar;
+            if (num > SAL_MAX_UINT16) {
+                overflow = true;
+            }
             ++nPos;
         }
+        nRet = overflow ? SAL_MAX_UINT16 : num;
         rStr = rStr.copy( nPos );      // Remove char from String
     }
     else
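Review bot: Once `overflow` is set, the loop still runs `num = num * 52 + cChar` for every remaining character, so on a long enough input `num` wraps around its 32-bit range. The flag is sticky, so the returned value stays correct, but the wrap is the same kind of silent arithmetic this change is meant to remove. Consider skipping the accumulation once `overflow` is true while still advancing `nPos`, so that `rStr.copy( nPos )` consumes the same characters as before. Separately, `nRet = overflow ? SAL_MAX_UINT16 : num;` narrows a sal_uInt32 implicitly. The value is in range on that path, but an explicit cast and a short comment that SAL_MAX_UINT16 is the "no such box" sentinel would make the intent visible at the assignment.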

