core.git: Branch 'libreoffice-25-2' - sc/source

Mon, 09 Jun 2025 02:20:42 -0700 

 sc/source/ui/Accessibility/AccessibleCsvControl.cxx |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

New commits:
commit cd9d84d61bfa736f3dacdafd22040f975457b48c
Author:     Mike Kaganski <mike.kagan...@collabora.com>
AuthorDate: Wed Jun 4 08:17:25 2025 +0200
Commit:     Xisco Fauli <xiscofa...@libreoffice.org>
CommitDate: Mon Jun 9 11:20:15 2025 +0200

    Avoid reading out of bounds
    
    ScAccessibleCsvRuler::getTextRange was implemented using
    raw pointers and offsets; that would allow reading beyond
    the buffer end.
    
    Change-Id: I6acb696f540146b99953b272c2f70963d10f5b51
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/186161
    Reviewed-by: Mike Kaganski <mike.kagan...@collabora.com>
    Reviewed-by: Michael Weghorn <m.wegh...@posteo.de>
    Tested-by: Jenkins
    (cherry picked from commit f393f38aac87da33df563f04cb5d035a067238ba)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/186193
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>

diff --git a/sc/source/ui/Accessibility/AccessibleCsvControl.cxx 
b/sc/source/ui/Accessibility/AccessibleCsvControl.cxx
index 9852d4897e85..8280d9dcc51a 100644
--- a/sc/source/ui/Accessibility/AccessibleCsvControl.cxx
+++ b/sc/source/ui/Accessibility/AccessibleCsvControl.cxx
@@ -431,7 +431,7 @@ OUString SAL_CALL ScAccessibleCsvRuler::getTextRange( 
sal_Int32 nStartIndex, sal
     SolarMutexGuard aGuard;
     ensureAlive();
     ensureValidRange( nStartIndex, nEndIndex );
-    return OUString( maBuffer.getStr() + nStartIndex, nEndIndex - nStartIndex 
);
+    return OUString(std::u16string_view(maBuffer).substr(nStartIndex, 
nEndIndex - nStartIndex ));
 }
 
 TextSegment SAL_CALL ScAccessibleCsvRuler::getTextAtIndex( sal_Int32 nIndex, 
sal_Int16 nTextType )
@@ -664,7 +664,8 @@ void ScAccessibleCsvRuler::ensureValidRange( sal_Int32& 
rnStartIndex, sal_Int32&
 {
     if( rnStartIndex > rnEndIndex )
         ::std::swap( rnStartIndex, rnEndIndex );
-    if( (rnStartIndex < 0) || (rnEndIndex > implGetTextLength()) )
+    if ((rnStartIndex < 0) || (rnStartIndex > maBuffer.getLength())
+        || (rnEndIndex > implGetTextLength()) || (rnEndIndex > 
maBuffer.getLength()))
         throw IndexOutOfBoundsException();
 }

Reply via email to