sc/source/core/tool/address.cxx | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
New commits:
commit b37942159448fa902ed0b1c635e9c556872492bd
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Tue Feb 4 19:31:40 2025 +0000
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Tue Feb 4 21:58:39 2025 +0100
ofz#394329881 Integer-overflow
Change-Id: Ie1cd71c72a7a2159c9c4592f3e39e3efb8ac5b2f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/181141
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/sc/source/core/tool/address.cxx b/sc/source/core/tool/address.cxx
index a7eb79023d94..4c6453cf53e4 100644
--- a/sc/source/core/tool/address.cxx
+++ b/sc/source/core/tool/address.cxx
@@ -693,7 +693,6 @@ static const sal_Unicode* lcl_r1c1_get_col( const
ScSheetLimits& rSheetLimits,
ScAddress* pAddr, ScRefFlags*
nFlags )
{
const sal_Unicode *pEnd;
- sal_Int64 n;
bool isRelative;
if( p[0] == '
@@ -703,7 +702,7 @@ static const sal_Unicode* lcl_r1c1_get_col( const
ScSheetLimits& rSheetLimits,
isRelative = *p == '[';
if( isRelative )
p++;
- n = sal_Unicode_strtol( p, &pEnd );
+ sal_Int64 n = sal_Unicode_strtol( p, &pEnd );
if( nullptr == pEnd )
return nullptr;
@@ -712,22 +711,31 @@ static const sal_Unicode* lcl_r1c1_get_col( const
ScSheetLimits& rSheetLimits,
if( isRelative )
return nullptr;
n = rDetails.nCol;
+
+ if (n < 0 || n >= rSheetLimits.GetMaxColCount())
+ return nullptr;
}
else if( isRelative )
{
if( *pEnd != ']' )
return nullptr;
n += rDetails.nCol;
+
+ if (n < 0 || n >= rSheetLimits.GetMaxColCount())
+ return nullptr;
+
pEnd++;
}
else
{
*nFlags |= ScRefFlags::COL_ABS;
+
+ if (n <= 0 || n > rSheetLimits.GetMaxColCount())
+ return nullptr;
+
n--;
}
- if( n < 0 || n >= rSheetLimits.GetMaxColCount())
- return nullptr;
pAddr->SetCol( static_cast<SCCOL>( n ) );
*nFlags |= ScRefFlags::COL_VALID;
