sd/source/ui/dlg/animobjs.cxx | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
New commits:
commit 6b3b080f8cedc1b496022b18e477af0c7361fba3
Author: Armin Le Grand <armin.le.gr...@me.com>
Date: Tue Nov 3 12:25:13 2015 +0100
tdf#95298: corrected some out-of-bound accesses to array
the index variable m_FrameList used to reference the current frame uses
the state EMTY_FRAMELIST to mark as invalid, which is the max integer
number. Thus all usages have to be secured to not use m_FrameList
if set to EMPTY_FRAMELIST. This was missing in some places.
the max integer
number. Thus all usages have to be secured to not use m_FrameList
if set to EMPTY_FRAMELIST. This was missing in some places.
Reviewed-on: https://gerrit.libreoffice.org/19753
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Katarina Behrens <katarina.behr...@cib.de>
Cherry-picked from f0cef70cd4164342b218fbee34bf57eedc22c998
Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8
Reviewed-on: https://gerrit.libreoffice.org/19787
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/sd/source/ui/dlg/animobjs.cxx b/sd/source/ui/dlg/animobjs.cxx
index 0b033f9..5c66014 100644
--- a/sd/source/ui/dlg/animobjs.cxx
+++ b/sd/source/ui/dlg/animobjs.cxx
@@ -430,7 +430,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *,
pBtn )
SdPage* pPage = pMyDoc->GetSdPage(0, PK_STANDARD);
SdrObject* pObject;
- if (pBtn == m_pBtnRemoveBitmap)
+ // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid
out-of-bound array access
+ if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST != m_nCurrentFrame)
{
delete m_FrameList[m_nCurrentFrame].first;
delete m_FrameList[m_nCurrentFrame].second;
@@ -449,8 +450,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *,
pBtn )
if (m_nCurrentFrame >= m_FrameList.size())
{
- assert(m_FrameList.empty());
- m_nCurrentFrame = EMPTY_FRAMELIST;
+ // tdf#95298 last frame was deleted, try to use the one before it
or go on empty state
+ m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST :
m_FrameList.size() - 1;
}
}
else // delete everything
@@ -539,7 +540,8 @@ IMPL_LINK_NOARG(AnimationWindow, ModifyTimeHdl)
void AnimationWindow::UpdateControl(bool const bDisableCtrls)
{
- if (!m_FrameList.empty())
+ // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid
out-of-bound array access
+ if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame)
{
BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first);
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
