<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - LibreOffice</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>
<p>
Please find the latest report on new defect(s) introduced to <strong>LibreOffice</strong>
found with Coverity Scan.
</p>
<ul>
<li><strong>New Defects Found:</strong> 6</li>
<li>
7 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 6 of 6 defect(s)</li>
</ul>
<h3>Defect Details</h3>
<pre>
** CID 1664879: (DIVIDE_BY_ZERO)
_____________________________________________________________________________________________
*** CID 1664879: (DIVIDE_BY_ZERO)
/svx/source/svdraw/svdotextpathdecomposition.cxx: 424 in <unnamed>::impPolygonParagraphHandler::HandlePair(const basegfx::B2DPolygon &, const std::vector<const <unnamed>::impPathTextPortion *, std::allocator<const <unnamed>::impPathTextPortion *>> &)()
418 aNewTransformB.translate(aStartPos.getX() - (fPortionLength / 2.0), aStartPos.getY());
419
420 break;
421 }
422 case XFormTextStyle::SlantY :
423 {
>>> CID 1664879: (DIVIDE_BY_ZERO)
>>> In function call "getPositionAbsolute", division by expression "fPolyLength" which may be zero has undefined behavior.
424 aEndPos = basegfx::utils::getPositionAbsolute(aPolygonCandidate, fPolyStart + fPortionLength, fPolyLength);
425 const basegfx::B2DVector aDirection(aEndPos - aStartPos);
426 const double fShearValue(atan2(aDirection.getY(), aDirection.getX()));
427 const double fCos(cos(fShearValue));
428 const double fTan(tan(fShearValue));
429
/svx/source/svdraw/svdotextpathdecomposition.cxx: 391 in <unnamed>::impPolygonParagraphHandler::HandlePair(const basegfx::B2DPolygon &, const std::vector<const <unnamed>::impPathTextPortion *, std::allocator<const <unnamed>::impPathTextPortion *>> &)()
385 }
386
387 switch(maSdrFormTextAttribute.getFormTextStyle())
388 {
389 case XFormTextStyle::Rotate :
390 {
>>> CID 1664879: (DIVIDE_BY_ZERO)
>>> In function call "getPositionAbsolute", division by expression "fPolyLength" which may be zero has undefined behavior.
391 aEndPos = basegfx::utils::getPositionAbsolute(aPolygonCandidate, fPolyStart + fPortionLength, fPolyLength);
392 const basegfx::B2DVector aDirection(aEndPos - aStartPos);
393 aNewTransformB.rotate(atan2(aDirection.getY(), aDirection.getX()));
394 aNewTransformB.translate(aStartPos.getX(), aStartPos.getY());
395
396 break;
/svx/source/svdraw/svdotextpathdecomposition.cxx: 449 in <unnamed>::impPolygonParagraphHandler::HandlePair(const basegfx::B2DPolygon &, const std::vector<const <unnamed>::impPathTextPortion *, std::allocator<const <unnamed>::impPathTextPortion *>> &)()
443
444 // distance from path?
445 if(maSdrFormTextAttribute.getFormTextDistance())
446 {
447 if(aEndPos.equal(aStartPos))
448 {
>>> CID 1664879: (DIVIDE_BY_ZERO)
>>> In function call "getPositionAbsolute", division by expression "fPolyLength" which may be zero has undefined behavior.
449 aEndPos = basegfx::utils::getPositionAbsolute(aPolygonCandidate, fPolyStart + fPortionLength, fPolyLength);
450 }
451
452 // use back vector (aStartPos - aEndPos) here to get mirrored perpendicular as in old stuff
453 const basegfx::B2DVector aPerpendicular(
454 basegfx::getNormalizedPerpendicular(aStartPos - aEndPos) *
/svx/source/svdraw/svdotextpathdecomposition.cxx: 406 in <unnamed>::impPolygonParagraphHandler::HandlePair(const basegfx::B2DPolygon &, const std::vector<const <unnamed>::impPathTextPortion *, std::allocator<const <unnamed>::impPathTextPortion *>> &)()
400 aNewTransformB.translate(aStartPos.getX() - (fPortionLength / 2.0), aStartPos.getY());
401
402 break;
403 }
404 case XFormTextStyle::SlantX :
405 {
>>> CID 1664879: (DIVIDE_BY_ZERO)
>>> In function call "getPositionAbsolute", division by expression "fPolyLength" which may be zero has undefined behavior.
406 aEndPos = basegfx::utils::getPositionAbsolute(aPolygonCandidate, fPolyStart + fPortionLength, fPolyLength);
407 const basegfx::B2DVector aDirection(aEndPos - aStartPos);
408 const double fShearValue(atan2(aDirection.getY(), aDirection.getX()));
409 const double fSin(sin(fShearValue));
410 const double fCos(cos(fShearValue));
411
/svx/source/svdraw/svdotextpathdecomposition.cxx: 352 in <unnamed>::impPolygonParagraphHandler::HandlePair(const basegfx::B2DPolygon &, const std::vector<const <unnamed>::impPathTextPortion *, std::allocator<const <unnamed>::impPathTextPortion *>> &)()
346 // when autosize scaling, expand portion length
347 fPortionLength *= fAutosizeScaleFactor;
348 }
349
350 // create transformation
351 basegfx::B2DHomMatrix aNewTransformA, aNewTransformB, aNewShadowTransform;
>>> CID 1664879: (DIVIDE_BY_ZERO)
>>> In function call "getPositionAbsolute", division by expression "fPolyLength" which may be zero has undefined behavior.
352 basegfx::B2DPoint aStartPos(basegfx::utils::getPositionAbsolute(aPolygonCandidate, fPolyStart, fPolyLength));
353 basegfx::B2DPoint aEndPos(aStartPos);
354
355 // add font scaling
356 aNewTransformA.scale(aFontScaling.getX(), aFontScaling.getY());
357
** CID 1664878: Incorrect expression (DIVIDE_BY_ZERO)
_____________________________________________________________________________________________
*** CID 1664878: Incorrect expression (DIVIDE_BY_ZERO)
/slideshow/source/engine/animationfactory.cxx: 307 in slideshow::internal::<unnamed>::PathAnimation::operator ()(double)()
301
302 virtual bool operator()( double nValue ) override
303 {
304 ENSURE_OR_RETURN_FALSE( mpAttrLayer && mpShape,
305 "PathAnimation::operator(): Invalid ShapeAttributeLayer" );
306
>>> CID 1664878: Incorrect expression (DIVIDE_BY_ZERO)
>>> In function call "getPositionRelative", division by expression "basegfx::utils::getLength(this->maPathPoly)" which may be zero has undefined behavior.
307 ::basegfx::B2DPoint rOutPos = ::basegfx::utils::getPositionRelative(maPathPoly,
308 nValue,
309 basegfx::utils::getLength(maPathPoly));
310
311 // TODO(F1): Determine whether the path is
312 // absolute, or shape-relative.
** CID 1664877: Incorrect expression (DIVIDE_BY_ZERO)
_____________________________________________________________________________________________
*** CID 1664877: Incorrect expression (DIVIDE_BY_ZERO)
/basegfx/source/polygon/b2dpolygontools.cxx: 2783 in basegfx::utils::reSegmentPolygon(const basegfx::B2DPolygon &, unsigned int)()
2777 const double fLength(getLength(rCandidate));
2778 const sal_uInt32 nLoopCount(rCandidate.isClosed() ? nSegments : nSegments + 1);
2779
2780 for(sal_uInt32 a(0); a < nLoopCount; a++)
2781 {
2782 const double fRelativePos(static_cast<double>(a) / static_cast<double>(nSegments)); // 0.0 .. 1.0
>>> CID 1664877: Incorrect expression (DIVIDE_BY_ZERO)
>>> In function call "getPositionRelative", division by expression "fLength" which may be zero has undefined behavior.
2783 const B2DPoint aNewPoint(getPositionRelative(rCandidate, fRelativePos, fLength));
2784 aRetval.append(aNewPoint);
2785 }
2786
2787 // copy closed flag
2788 aRetval.setClosed(rCandidate.isClosed());
** CID 1664876: Insecure data handling (INTEGER_OVERFLOW)
_____________________________________________________________________________________________
*** CID 1664876: Insecure data handling (INTEGER_OVERFLOW)
/sw/source/filter/ww8/ww8par3.cxx: 98 in SwWW8ImplReader::Read_F_FormTextBox(WW8FieldDesc *, rtl::OUString &)()
92 eF_ResT SwWW8ImplReader::Read_F_FormTextBox( WW8FieldDesc* pF, OUString& rStr )
93 {
94 WW8FormulaEditBox aFormula(*this);
95
96 sal_Int32 const nPos(rStr.indexOf(0x01));
97 if (pF->nLCode && nPos != -1 && nPos < pF->nLCode) {
>>> CID 1664876: Insecure data handling (INTEGER_OVERFLOW)
>>> "pF->nSCode + nPos", which might be negative, is passed to "this->ImportFormulaControl(aFormula, pF->nSCode + nPos, WW8_CT_EDIT)".
98 ImportFormulaControl(aFormula, pF->nSCode + nPos, WW8_CT_EDIT);
99 }
100
101 /*
102 Here we have a small complication. This formula control contains
103 the default text that is displayed if you edit the form field in
** CID 1664875: Incorrect expression (DIVIDE_BY_ZERO)
_____________________________________________________________________________________________
*** CID 1664875: Incorrect expression (DIVIDE_BY_ZERO)
/basegfx/source/polygon/b2dlinegeometry.cxx: 100 in basegfx::utils::createAreaGeometryForLineStartEnd(const basegfx::B2DPolygon &, const basegfx::B2DPolyPolygon &, bool, double, double, double, double *, double)()
94 fCandidateLength = getLength(rCandidate);
95 }
96
97 // get the polygon vector we want to plant this arrow on
98 const double fConsumedLength(fArrowYLength * (1.0 - fDockingPosition) - fShift);
99 const B2DVector aHead(rCandidate.getB2DPoint(bStart ? 0 : rCandidate.count() - 1));
>>> CID 1664875: Incorrect expression (DIVIDE_BY_ZERO)
>>> In function call "getPositionAbsolute", division by expression "fCandidateLength" which may be zero has undefined behavior.
100 const B2DVector aTail(getPositionAbsolute(rCandidate,
101 bStart ? fConsumedLength : fCandidateLength - fConsumedLength, fCandidateLength));
102
103 // from that vector, take the needed rotation and add rotate for arrow to transformation
104 const B2DVector aTargetDirection(aHead - aTail);
105 const double fRotation(atan2(aTargetDirection.getY(), aTargetDirection.getX()) + M_PI_2);
** CID 1664874: Insecure data handling (INTEGER_OVERFLOW)
_____________________________________________________________________________________________
*** CID 1664874: Insecure data handling (INTEGER_OVERFLOW)
/xmloff/source/draw/ximpcustomshape.cxx: 1242 in XMLEnhancedCustomShapeContext::endFastElement(int)()
1236 do
1237 {
1238 nIndexOf = rEquation.indexOf( '?', nIndexOf );
1239 if ( nIndexOf != -1 )
1240 {
1241 OUString aEquationName;
>>> CID 1664874: Insecure data handling (INTEGER_OVERFLOW)
>>> "nIndexOf + 1", which might be negative, is passed to "GetEquationName(rEquation->operator std::u16string_view(), nIndexOf + 1, aEquationName)".
1242 if ( GetEquationName( rEquation, nIndexOf + 1, aEquationName ) )
1243 {
1244 // copying first characters inclusive '?'
1245 sal_Int32 nIndex = 0;
1246 EquationHashMap::iterator aHashIter( aH.find( aEquationName ) );
1247 if ( aHashIter != aH.end() )
</pre>
<p>
<a href="https://scan.coverity.com/projects/libreoffice?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>
<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>