sc/source/core/tool/interpr1.cxx | 2 ++
1 file changed, 2 insertions(+)
New commits:
commit 7e9a105fc0a849d63e9ce12a521c58648742afa6
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Jan 4 17:19:47 2021 +0000
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Tue Nov 16 16:09:28 2021 +0100
ofz#29234 Integer-overflow
sc/source/core/tool/interpr1.cxx:9578:39: runtime error: signed integer
overflow: 1 + 2147483647 cannot be represented in type 'int'
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108677
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit 52de00024e84c063ab292890256cda59fe259ef5)
Change-Id: I2975ae1daab826f10f0e52e7d7421ac8dcc9fffc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/125282
Tested-by: Michael Stahl <michael.st...@allotropia.de>
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
index 3d08ccfca5de..c66f0ac9e0c7 100644
--- a/sc/source/core/tool/interpr1.cxx
+++ b/sc/source/core/tool/interpr1.cxx
@@ -9181,6 +9181,8 @@ void ScInterpreter::ScMid()
OUString aStr = GetString().getString();
if ( nStart < 1 || nSubLen < 0 )
PushIllegalArgument();
+ else if (nStart > SAL_MAX_UINT16 || nSubLen > SAL_MAX_UINT16)
+ PushError(FormulaError::StringOverflow);
else
{
sal_Int32 nLen = aStr.getLength();
