sw/source/filter/ww8/ww8scan.cxx | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
New commits:
commit baefc8a1d7f01fb4717db72854abc06649335397
Author: Caolán McNamara <caol...@redhat.com>
Date: Sun Oct 29 20:30:29 2017 +0000
ofz#3896 Integer-overflow
Change-Id: Ib7d3c8bd1a5db9f6b35e928743a701a9a95403ca
Reviewed-on: https://gerrit.libreoffice.org/44031
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index e2a2a87f9daa..3f5d39c8f3c8 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3346,8 +3346,33 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
bIsUnicode);
}
- nLimitFC = nBeginLimitFC +
- (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1);
+ WW8_CP nCpLen;
+ bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ pPieceIter->SetIdx(nOldPos);
+ return;
+ }
+
+ if (bIsUnicode)
+ {
+ bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ pPieceIter->SetIdx(nOldPos);
+ return;
+ }
+ }
+
+ bFail = o3tl::checked_add(nBeginLimitFC, nCpLen, nLimitFC);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ pPieceIter->SetIdx(nOldPos);
+ return;
+ }
if (nOldEndPos <= nLimitFC)
{
@@ -3398,8 +3423,7 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
nFcStart,bIsUnicode );
}
- WW8_CP nCpLen;
- bool bFail = o3tl::checked_sub(nCpEnd, nCpStart,
nCpLen);
+ bFail = o3tl::checked_sub(nCpEnd, nCpStart,
nCpLen);
if (bFail)
{
SAL_WARN("sw.ww8", "broken offset, ignoring");
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
