[PATCH libreoffice-4-0] prevent vector and sequence out of bounds access, fdo#60300
Eike Rathke (via Code Review)
gerrit at gerrit.libreoffice.org
Thu Apr 11 08:03:14 PDT 2013
Hi,
I have submitted a patch for review:
https://gerrit.libreoffice.org/3340
To pull it, you can do:
git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/40/3340/1
prevent vector and sequence out of bounds access, fdo#60300
This fixes the symptom of the crash but not the underlying cause why a
subtotal count would be wrong.
(cherry picked from commit 8bd3be9915ff28458d010fc8f0a1a1ab66d730b0)
Conflicts:
sc/source/core/data/dpoutput.cxx
Change-Id: I3782b5e39f18bc65ffe510b847ffa7969a26cd37
---
M sc/source/core/data/dpoutput.cxx
1 file changed, 42 insertions(+), 12 deletions(-)
diff --git a/sc/source/core/data/dpoutput.cxx b/sc/source/core/data/dpoutput.cxx
index d78f83e..380e1f3 100644
--- a/sc/source/core/data/dpoutput.cxx
+++ b/sc/source/core/data/dpoutput.cxx
@@ -1707,11 +1707,19 @@
{
// grand total is always automatic
sal_Int32 nDataPos = j - ( nSize - nGrandTotals );
- OSL_ENSURE( nDataPos < (sal_Int32)rDataNames.size(), "wrong data count" );
- rtl::OUString aSourceName( rDataNames[nDataPos] ); // vector contains source names
- rtl::OUString aGivenName( rGivenNames[nDataPos] );
+ if (nDataPos >= 0 && nDataPos < (sal_Int32)rDataNames.size() &&
+ nDataPos < (sal_Int32)rGivenNames.size())
+ {
+ OUString aSourceName( rDataNames[nDataPos] ); // vector contains source names
+ OUString aGivenName( rGivenNames[nDataPos] );
- rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ }
+ else
+ {
+ OSL_FAIL( "wrong data count for grand total" );
+ rResult[j] = false;
+ }
}
}
@@ -1747,27 +1755,49 @@
rtl::OUString aSourceName( rDataNames[nDataPos] ); // vector contains source names
rtl::OUString aGivenName( rGivenNames[nDataPos] );
- OSL_ENSURE( nFuncPos < aSubTotals.getLength(), "wrong subtotal count" );
- rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName ) &&
+ if (nFuncPos < aSubTotals.getLength())
+ {
+ rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName ) &&
aSubTotals[nFuncPos] == aFilter.meFunction;
+ }
+ else
+ {
+ OSL_FAIL( "wrong subtotal count for manual subtotals and several data fields" );
+ rResult[j] = false;
+ }
}
else
{
// manual subtotals for a single data field
- OSL_ENSURE( nSubTotalCount < aSubTotals.getLength(), "wrong subtotal count" );
- rResult[j] = ( aSubTotals[nSubTotalCount] == aFilter.meFunction );
+ if (nSubTotalCount < aSubTotals.getLength())
+ {
+ rResult[j] = ( aSubTotals[nSubTotalCount] == aFilter.meFunction );
+ }
+ else
+ {
+ OSL_FAIL( "wrong subtotal count for manual subtotals for a single data field" );
+ rResult[j] = false;
+ }
}
}
else // automatic subtotals
{
if ( rBeforeDataLayout )
{
- OSL_ENSURE( nSubTotalCount < (sal_Int32)rDataNames.size(), "wrong data count" );
- rtl::OUString aSourceName( rDataNames[nSubTotalCount] ); // vector contains source names
- rtl::OUString aGivenName( rGivenNames[nSubTotalCount] );
+ if (nSubTotalCount < (sal_Int32)rDataNames.size() &&
+ nSubTotalCount < (sal_Int32)rGivenNames.size())
+ {
+ OUString aSourceName( rDataNames[nSubTotalCount] ); // vector contains source names
+ OUString aGivenName( rGivenNames[nSubTotalCount] );
- rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ }
+ else
+ {
+ OSL_FAIL( "wrong data count for automatic subtotals" );
+ rResult[j] = false;
+ }
}
// if a function was specified, automatic subtotals never match
--
To view, visit https://gerrit.libreoffice.org/3340
To unsubscribe, visit https://gerrit.libreoffice.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3782b5e39f18bc65ffe510b847ffa7969a26cd37
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0
Gerrit-Owner: Eike Rathke <erack at redhat.com>
More information about the LibreOffice
mailing list