[Libreoffice-commits] core.git: writerfilter/source

Stephan Bergmann (via logerrit) logerrit at kemper.freedesktop.org
Tue Aug 3 09:49:57 UTC 2021 

 writerfilter/source/dmapper/GraphicImport.cxx |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

New commits:
commit 39d364958447cd33a6e30dc9d2904ad94fd40aba
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Tue Aug 3 10:29:41 2021 +0200
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Tue Aug 3 11:49:24 2021 +0200

    Avoid unsigned integer subtraction causing wrap-around
    
    ...to a too-large positive value, causing `instdir/program/soffice --headless
    --convert-to epub` of cloudon/File_1149.docx from the crash-testing corpus to
    fail under UBSan with
    
    > writerfilter/source/dmapper/GraphicImport.cxx:562:27: runtime error: 7.73093e+11 is outside the range of representable values of type 'int'
    >  #0 in writerfilter::dmapper::GraphicImport::lcl_correctWord2007EffectExtent(int) at writerfilter/source/dmapper/GraphicImport.cxx:562:27
    [...]
    
    (where sal_uInt32 m_pImpl->getXSize() was 3731 and sal_uInt32
    m_pImpl->getYSize() was 10583)
    
    Change-Id: Id0ae9d6e46c977753d11cc2496ba5d240d3102bc
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119926
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>

diff --git a/writerfilter/source/dmapper/GraphicImport.cxx b/writerfilter/source/dmapper/GraphicImport.cxx
index 8ed707c2917f..d7c842ea9d69 100644
--- a/writerfilter/source/dmapper/GraphicImport.cxx
+++ b/writerfilter/source/dmapper/GraphicImport.cxx
@@ -559,8 +559,9 @@ void GraphicImport::lcl_correctWord2007EffectExtent(const sal_Int32 nMSOAngle)
     sal_Int16 nAngleDeg = (nMSOAngle / 60000) % 180;
     if (nAngleDeg >= 45 && nAngleDeg < 135)
     {
-        sal_Int32 nDiff = o3tl::convert((m_pImpl->getXSize() - m_pImpl->getYSize()) / 2.0,
-                                     o3tl::Length::mm100, o3tl::Length::emu);
+        sal_Int32 nDiff = o3tl::convert(
+            (double(m_pImpl->getXSize()) - double(m_pImpl->getYSize())) / 2.0,
+            o3tl::Length::mm100, o3tl::Length::emu);
         if (m_pImpl->m_oEffectExtentLeft)
             *m_pImpl->m_oEffectExtentLeft += nDiff;
         if (m_pImpl->m_oEffectExtentRight)

More information about the Libreoffice-commits mailing list