sw/source/core/table/swtable.cxx | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
New commits: commit 18b5a001cc5b306e1548fb70e610bdc1164cf4ca Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Fri Feb 22 11:56:51 2019 +0100 Commit: Stephan Bergmann <sberg...@redhat.com> CommitDate: Fri Feb 22 15:01:34 2019 +0100 Avoid uncontrolled overflow in SwTable::GetBoxNum ...where bad input like "WRONG CELL NAME" (in PythonTest_sw_python's sw/qa/python/check_xtexttable.py) could wrap around to a valid but wrong nRet. Instead, return SAL_MAX_UINT16 upon overflow. At least the call to GetBoxNum in SwTable::GetTableBox (sw/source/core/table/swtable.cxx) with bFirstPart potentially true, assigning to nBox, then later checks if( nBox >= pBoxes->size() ) return nullptr; so returning SAL_MAX_UINT16 upon overflow appears to be the best choice. (Found with Clang's -fsanitize=implicit-signed-integer-truncation.) Change-Id: I12822a6bd4f0269adb14c04eefbd1cde4d288728 Reviewed-on: https://gerrit.libreoffice.org/68203 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> diff --git a/sw/source/core/table/swtable.cxx b/sw/source/core/table/swtable.cxx index 0f2b5aee412a..18050a1e0202 100644 --- a/sw/source/core/table/swtable.cxx +++ b/sw/source/core/table/swtable.cxx @@ -1291,6 +1291,8 @@ sal_uInt16 SwTable::GetBoxNum( OUString& rStr, bool bFirstPart, sal_Int32 nPos = 0; // the first one uses letters for addressing! bool bFirst = true; + sal_uInt32 num = 0; + bool overflow = false; while (nPos<rStr.getLength()) { sal_Unicode cChar = rStr[nPos]; @@ -1301,10 +1303,14 @@ sal_uInt16 SwTable::GetBoxNum( OUString& rStr, bool bFirstPart, if( bFirst ) bFirst = false; else - ++nRet; - nRet = nRet * 52 + cChar; + ++num; + num = num * 52 + cChar; + if (num > SAL_MAX_UINT16) { + overflow = true; + } ++nPos; } + nRet = overflow ? SAL_MAX_UINT16 : num; rStr = rStr.copy( nPos ); // Remove char from String } else _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits