sc/source/core/tool/interpr1.cxx | 2 ++ vcl/source/gdi/jobset.cxx | 7 +++++++ 2 files changed, 9 insertions(+)
New commits: commit 2b38ebfbbd8d6d702bb4f17837ddc458d18f00b3 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Jan 4 17:19:47 2021 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Tue Nov 16 10:25:03 2021 +0100 ofz#29234 Integer-overflow sc/source/core/tool/interpr1.cxx:9578:39: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108677 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 52de00024e84c063ab292890256cda59fe259ef5) Change-Id: I2975ae1daab826f10f0e52e7d7421ac8dcc9fffc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/125230 Tested-by: Michael Stahl <michael.st...@allotropia.de> Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
index e375f1626ec5..0f37b4f9f35e 100644
--- a/sc/source/core/tool/interpr1.cxx
+++ b/sc/source/core/tool/interpr1.cxx
@@ -9505,6 +9505,8 @@ void ScInterpreter::ScMid()
 OUString aStr = GetString().getString();
 if ( nStart < 1 || nSubLen < 0 )
 PushIllegalArgument();
+ else if (nStart > kScInterpreterMaxStrLen || nSubLen > kScInterpreterMaxStrLen)
+ PushError(FormulaError::StringOverflow);
 else
 {
 sal_Int32 nLen = aStr.getLength();
commit eaa833d053eda675fc49f1d59ba326b9e31e8155 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Wed Dec 30 21:19:15 2020 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Tue Nov 16 10:24:50 2021 +0100 ofz#29113 short read Change-Id: I107d8abeac419ba4e70a5880054c9195c60464ad Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108527 Tested-by: Caolán McNamara <caol...@redhat.com> Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit ab3829bf74667044d9b0f5b96903bbafda5171f6) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/125229 Tested-by: Michael Stahl <michael.st...@allotropia.de> Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index b1ca8e3f80f7..c6641c14ef03 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -262,6 +262,13 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 if ( nSystem == JOBSET_FILE364_SYSTEM ||
 nSystem == JOBSET_FILE605_SYSTEM )
 {
+ if (nRead < sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData))
+ {
+ SAL_WARN("vcl", "Parsing error: " << sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData) <<
+ " required, but " << nRead << " available");
+ return rIStream;
+ }
+
 Impl364JobSetupData* pOldJobData = reinterpret_cast<Impl364JobSetupData*>(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
 sal_uInt16 nOldJobDataSize = SVBT16ToUInt16( pOldJobData->nSize );
 rJobData.SetSystem( SVBT16ToUInt16( pOldJobData->nSystem ) );
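Review bot: In ScInterpreter::ScMid() the new `else if` returns StringOverflow for any nSubLen above the limit even when aStr is short, so a formula that passes a very large length to mean "the rest of the string" would now produce an error instead of the truncated text. How often that triggers depends on the value of kScInterpreterMaxStrLen, which is not visible in the hunk. If the previous result matters for compatibility, clamping nSubLen to the limit instead of rejecting it would keep the later arithmetic in range without changing what such formulas return. Either way the branch deserves a why-comment, for example `// ofz#29234: bound both arguments so the position arithmetic below cannot overflow sal_Int32`. The overflowing expression itself is in the part of ScMid() after the hunk, so I cannot confirm which operand reaches it.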
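Review bot: In ReadJobSetup() the new short-read branch logs and does `return rIStream;` without putting the stream into an error state, so a caller that only checks the stream cannot tell a truncated job setup from one that parsed. Consider `rIStream.SetError(SVSTREAM_FILEFORMAT_ERROR);` before the return, unless the function deliberately treats malformed job data as non-fatal. The guard also covers only the two fixed-size structs: `nSize` and the other fields read through pOldJobData on the following lines come from the file, and any use of them as an offset or length into pTempBuf needs its own comparison against nRead. That code lies past the end of the hunk, so I cannot tell whether it is already bounded. Minor: the sum `sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData)` is spelled out twice, and a named `const size_t` would keep the test and the warning text in step.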