writerfilter/source/dmapper/GraphicImport.cxx | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
New commits:
commit 39d364958447cd33a6e30dc9d2904ad94fd40aba
Author: Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Tue Aug 3 10:29:41 2021 +0200
Commit: Stephan Bergmann <sberg...@redhat.com>
CommitDate: Tue Aug 3 11:49:24 2021 +0200
Avoid unsigned integer subtraction causing wrap-around
...to a too-large positive value, causing `instdir/program/soffice
--headless
--convert-to epub` of cloudon/File_1149.docx from the crash-testing corpus
to
fail under UBSan with
> writerfilter/source/dmapper/GraphicImport.cxx:562:27: runtime error:
7.73093e+11 is outside the range of representable values of type 'int'
> #0 in
writerfilter::dmapper::GraphicImport::lcl_correctWord2007EffectExtent(int) at
writerfilter/source/dmapper/GraphicImport.cxx:562:27
[...]
(where sal_uInt32 m_pImpl->getXSize() was 3731 and sal_uInt32
m_pImpl->getYSize() was 10583)
Change-Id: Id0ae9d6e46c977753d11cc2496ba5d240d3102bc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119926
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sberg...@redhat.com>
diff --git a/writerfilter/source/dmapper/GraphicImport.cxx
b/writerfilter/source/dmapper/GraphicImport.cxx
index 8ed707c2917f..d7c842ea9d69 100644
--- a/writerfilter/source/dmapper/GraphicImport.cxx
+++ b/writerfilter/source/dmapper/GraphicImport.cxx
@@ -559,8 +559,9 @@ void GraphicImport::lcl_correctWord2007EffectExtent(const
sal_Int32 nMSOAngle)
sal_Int16 nAngleDeg = (nMSOAngle / 60000) % 180;
if (nAngleDeg >= 45 && nAngleDeg < 135)
{
- sal_Int32 nDiff = o3tl::convert((m_pImpl->getXSize() -
m_pImpl->getYSize()) / 2.0,
- o3tl::Length::mm100, o3tl::Length::emu);
+ sal_Int32 nDiff = o3tl::convert(
+ (double(m_pImpl->getXSize()) - double(m_pImpl->getYSize())) / 2.0,
+ o3tl::Length::mm100, o3tl::Length::emu);
if (m_pImpl->m_oEffectExtentLeft)
*m_pImpl->m_oEffectExtentLeft += nDiff;
if (m_pImpl->m_oEffectExtentRight)
