svl/source/numbers/zformat.cxx | 22 ++++++++++++----------
xmloff/source/style/xmlnumfe.cxx | 5 +++--
2 files changed, 15 insertions(+), 12 deletions(-)
New commits:
commit c75ce37560c05271ba56c9dd0d98c5001e83cc2f
Author: Eike Rathke <er...@redhat.com>
Date: Tue May 31 00:02:38 2016 +0200
prevent out of bounds string access
Yet another reminiscence of String to OUString conversion..
where the terminating NULL-character was obtained and
SvNumberformat::InsertBlanks() effectively did nothing.
Could be triggered already by entering an '_' underscore character as
number format code, which is a place holder for blanks of the same width
as the following character, which there isn't then yet.
Change-Id: I0534e1417d4bd35e9e7ed4bd0170b9ea3b5fb575
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 2f2d412..172f8021 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -1926,8 +1926,8 @@ void SvNumberformat::GetOutputString(const OUString&
sString,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks( sOutBuff, sOutBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks( sOutBuff, sOutBuff.getLength(),
rInfo.sStrArray[i][1] );
break;
case NF_KEY_GENERAL : // #77026# "General" is the same as "@"
case NF_SYMBOLTYPE_DEL :
@@ -2267,8 +2267,8 @@ bool SvNumberformat::GetOutputString(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks(sBuff, sBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks(sBuff, sBuff.getLength(),
rInfo.sStrArray[i][1] );
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -2899,8 +2899,8 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks(sBuff, sBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -3395,7 +3395,8 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1]
);
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -3688,8 +3689,8 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber,
}
break;
case NF_SYMBOLTYPE_BLANK:
- InsertBlanks( sBuff, sBuff.getLength(),
- rInfo.sStrArray[i][1] );
+ if (rInfo.sStrArray[i].getLength() >= 2)
+ InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1]
);
break;
case NF_SYMBOLTYPE_STRING:
case NF_SYMBOLTYPE_CURRENCY:
@@ -4335,7 +4336,8 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer&
sBuff, // number string
}
break;
case NF_SYMBOLTYPE_BLANK:
- k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] );
+ if (rInfo.sStrArray[j].getLength() >= 2)
+ k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] );
break;
case NF_SYMBOLTYPE_THSEP:
// Same as in ImpNumberFillWithThousands() above, do not insert
diff --git a/xmloff/source/style/xmlnumfe.cxx b/xmloff/source/style/xmlnumfe.cxx
index 235920d..121a381 100644
--- a/xmloff/source/style/xmlnumfe.cxx
+++ b/xmloff/source/style/xmlnumfe.cxx
@@ -1347,7 +1347,7 @@ void SvXMLNumFmtExport::ExportPart_Impl( const
SvNumberformat& rFormat, sal_uInt
{
aEmbeddedStr = *pElemStr;
}
- else
+ else if (pElemStr->getLength() >= 2)
{
SvNumberformat::InsertBlanks( aEmbeddedStr, 0,
(*pElemStr)[1] );
}
@@ -1419,7 +1419,8 @@ void SvXMLNumFmtExport::ExportPart_Impl( const
SvNumberformat& rFormat, sal_uInt
// (#i20396# the spaces may also be in embedded-text
elements)
OUString aBlanks;
- SvNumberformat::InsertBlanks( aBlanks, 0,
(*pElemStr)[1] );
+ if (pElemStr->getLength() >= 2)
+ SvNumberformat::InsertBlanks( aBlanks, 0,
(*pElemStr)[1] );
AddToTextElement_Impl( aBlanks );
}
break;
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
