sw/source/filter/ww8/ww8scan.cxx | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)
New commits: commit ce204e444379d0fab21a8cf759df659ebafb5638 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Nov 20 09:29:28 2017 +0000 ofz#4327 Integer-overflow Change-Id: I1a656c106b5944578c6c74b9e475349259865049 Reviewed-on: https://gerrit.libreoffice.org/44948 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index a561a702f324..4d3a5d50eff0 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -3529,8 +3529,23 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p) if (nSmallest <= nLimitFC) { - WW8_CP nEndPos = nCpEnd - - (nLimitFC-nSmallest) / (bIsUnicode ? 2 : 1); + WW8_CP nCpDiff; + bFail = o3tl::checked_sub(nLimitFC, nSmallest, nCpDiff); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + continue; + } + if (bIsUnicode) + nCpDiff /= 2; + + WW8_CP nEndPos; + bFail = o3tl::checked_sub(nCpEnd, nCpDiff, nEndPos); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + continue; + } OSL_ENSURE(nEndPos >= p->nStartPos, "EndPos before StartPos");
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits