[PATCH libreoffice-4-0-3] fixed a mess of out of bounds string accesses

Eike Rathke (via Code Review) gerrit at gerrit.libreoffice.org
Mon Apr 22 14:27:11 PDT 2013 

Hi,

I have submitted a patch for review:

    https://gerrit.libreoffice.org/3563

To pull it, you can do:

    git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/63/3563/1

fixed a mess of out of bounds string accesses

(cherry picked from commit 5cd4300f7ffc24d6bc0ed5704f37a04852fd322b)

Conflicts:
	svl/source/numbers/zformat.cxx

Change-Id: I800840e1b3c0d97a049b3ceba0ec244365dc8e6b
---
M svl/source/numbers/zformat.cxx
1 file changed, 40 insertions(+), 21 deletions(-)



diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 1b12669..545d6cc 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -1412,6 +1412,21 @@
     return (cToken == ']' || nPos == nLen) ? LocaleType(nNum) : LocaleType();
 }
 
+static bool lcl_matchKeywordAndGetNumber( const OUString & rString, const sal_Int32 nPos,
+        const OUString & rKeyword, sal_Int32 & nNumber )
+{
+    if (0 <= nPos && nPos + rKeyword.getLength() < rString.getLength() && rString.matchIgnoreAsciiCase( rKeyword, nPos))
+    {
+        nNumber = rString.copy( nPos + rKeyword.getLength()).toInt32();
+        return true;
+    }
+    else
+    {
+        nNumber = 0;
+        return false;
+    }
+}
+
 short SvNumberformat::ImpNextSymbol(OUStringBuffer& rString,
                                     sal_Int32& nPos,
                                     OUString& sSymbol)
@@ -1514,43 +1529,47 @@
             {
                 const OUString aNatNum("NATNUM");
                 const OUString aDBNum("DBNUM");
-                OUString aUpperNatNum( rChrCls().uppercase( rString.toString(), nPos-1, aNatNum.getLength() ) );
-                OUString aUpperDBNum( rChrCls().uppercase( rString.toString(), nPos-1, aDBNum.getLength() ) );
-                sal_Unicode cUpper = aUpperNatNum[0];
-                sal_Int32 nNatNumNum = rString.toString().copy( nPos - 1 + aNatNum.getLength() ).toInt32();
-                sal_Unicode cDBNum = rString[ nPos - 1 + aDBNum.getLength()];
-                if ( aUpperNatNum == aNatNum && 0 <= nNatNumNum && nNatNumNum <= 19 )
+                const OUString aBufStr( rString.toString());
+                sal_Int32 nNatNumNum;
+                sal_Int32 nDBNum;
+                if ( lcl_matchKeywordAndGetNumber( aBufStr, nPos-1, aNatNum, nNatNumNum) &&
+                        0 <= nNatNumNum && nNatNumNum <= 19 )
                 {
                     sBuffSymbol.stripStart((sal_Unicode)'[');
-                    sBuffSymbol.append( rString.toString().copy( --nPos, aNatNum.getLength()+1 ));
+                    sBuffSymbol.append( aBufStr.copy( --nPos, aNatNum.getLength()+1 ));
                     nPos += aNatNum.getLength()+1;
                     //! SymbolType is negative
                     eSymbolType = (short) (BRACKET_SYMBOLTYPE_NATNUM0 - nNatNumNum);
                     eState = SsGetPrefix;
                 }
-                else if ( aUpperDBNum == aDBNum && '1' <= cDBNum && cDBNum <= '9' )
+                else if ( lcl_matchKeywordAndGetNumber( aBufStr, nPos-1, aDBNum, nDBNum) &&
+                        '1' <= nDBNum && nDBNum <= '9' )
                 {
                     sBuffSymbol.stripStart((sal_Unicode)'[');
                     sBuffSymbol.append(rString.toString().copy( --nPos, aDBNum.getLength()+1 ));
                     nPos += aDBNum.getLength()+1;
                     //! SymbolType is negative
-                    eSymbolType = sal::static_int_cast< short >( BRACKET_SYMBOLTYPE_DBNUM1 - (cDBNum - '1'));
+                    eSymbolType = sal::static_int_cast< short >( BRACKET_SYMBOLTYPE_DBNUM1 - (nDBNum - '1'));
                     eState = SsGetPrefix;
-                }
-                else if (cUpper == rKeywords[NF_KEY_H][0] ||  // H
-                         cUpper == rKeywords[NF_KEY_MI][0] ||  // M
-                         cUpper == rKeywords[NF_KEY_S][0] )   // S
-                {
-                    sBuffSymbol.append(cToken);
-                    eState = SsGetTime;
-                    cLetter = cToken;
                 }
                 else
                 {
-                    sBuffSymbol.stripStart((sal_Unicode)'[');
-                    sBuffSymbol.append(cToken);
-                    eSymbolType = BRACKET_SYMBOLTYPE_COLOR;
-                    eState = SsGetPrefix;
+                    sal_Unicode cUpper = rChrCls().uppercase( aBufStr, nPos-1, 1)[0];
+                    if (    cUpper == rKeywords[NF_KEY_H][0] ||     // H
+                            cUpper == rKeywords[NF_KEY_MI][0] ||    // M
+                            cUpper == rKeywords[NF_KEY_S][0] )      // S
+                    {
+                        sBuffSymbol.append(cToken);
+                        eState = SsGetTime;
+                        cLetter = cToken;
+                    }
+                    else
+                    {
+                        sBuffSymbol.stripStart((sal_Unicode)'[');
+                        sBuffSymbol.append(cToken);
+                        eSymbolType = BRACKET_SYMBOLTYPE_COLOR;
+                        eState = SsGetPrefix;
+                    }
                 }
             }
             }

-- 
To view, visit https://gerrit.libreoffice.org/3563
To unsubscribe, visit https://gerrit.libreoffice.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I800840e1b3c0d97a049b3ceba0ec244365dc8e6b
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0-3
Gerrit-Owner: Eike Rathke <erack at redhat.com>

More information about the LibreOffice mailing list