starmath/source/mathml/mathmlattr.cxx | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-)
New commits: commit 1d4adcee1ba82cb8f02ac73be3e558d10dea8eda Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Thu Sep 16 11:23:03 2021 +0200 Commit: Stephan Bergmann <sberg...@redhat.com> CommitDate: Thu Sep 16 13:00:40 2021 +0200 Increase accuracy of ParseMathMLUnsignedNumber Fraction result The new test from d5e55d204b71710eb5eb5d2c683dd6698626df3c "tdf#144319: sw_odfexport: Add unittest" started to cause UBSan failure during CppunitTest_sw_odfexport (<https://ci.libreoffice.org/job/lo_ubsan/2136/>), > /workdir/UnpackedTarball/boost/boost/rational.hpp:605:22: runtime error: signed integer overflow: 1073741824 * 2 cannot be represented in type 'int' > #0 0x2b450983594f in boost::rational<int>::operator/=(boost::rational<int> const&) /workdir/UnpackedTarball/boost/boost/rational.hpp:605:22 > #1 0x2b450982e216 in Fraction::operator/=(Fraction const&) /tools/source/generic/fract.cxx:224:7 > #2 0x2b45098312d3 in operator/(Fraction const&, Fraction const&) /tools/source/generic/fract.cxx:320:10 > #3 0x2b46066963d5 in (anonymous namespace)::lcl_CountBlanks(MathMLAttributeLengthValue const&, int*, int*) /starmath/source/mathml/mathmlimport.cxx:1497:30 > #4 0x2b46066943eb in (anonymous namespace)::SmXMLSpaceContext_Impl::startFastElement(int, com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList> const&) /starmath/source/mathml/mathmlimport.cxx:1526:25 [...] Formula-14/content.xml in sw/qa/extras/odfexport/data/tdf144319.odt contains width="0.444em", which resulted in the inaccurate Fraction 476741369/1073741824 since 67d83e40e2c4f3862c50e6abeabfc24a75119fc8 "speedup rational_FromDouble" (which computes dVal=4.76741e+08 and nDen=1073741824; where before that speedup it computed dVal=4.44e+08 and nDen=1000000000, which would have resulted in the accurate Fraction 111/250). The excessively large denominator (1073741824 = std::numeric_limits<sal_Int32>::max()/2 + 1) then caused overflow later on, as shown above. Change-Id: I221549528e4fa155e10697d218ec76bf678e8b2f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122186 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> diff --git a/starmath/source/mathml/mathmlattr.cxx b/starmath/source/mathml/mathmlattr.cxx index 008f8e2a81f6..7da7f947a8c6 100644 --- a/starmath/source/mathml/mathmlattr.cxx +++ b/starmath/source/mathml/mathmlattr.cxx @@ -9,6 +9,8 @@ #include <mathmlattr.hxx> +#include <o3tl/safeint.hxx> + #include <unordered_map> static sal_Int32 ParseMathMLUnsignedNumber(const OUString& rStr, Fraction& rUN) @@ -16,6 +18,9 @@ static sal_Int32 ParseMathMLUnsignedNumber(const OUString& rStr, Fraction& rUN) auto nLen = rStr.getLength(); sal_Int32 nDecimalPoint = -1; sal_Int32 nIdx; + sal_Int64 nom = 0; + sal_Int64 den = 1; + bool validNomDen = true; for (nIdx = 0; nIdx < nLen; nIdx++) { auto cD = rStr[nIdx]; @@ -28,11 +33,29 @@ static sal_Int32 ParseMathMLUnsignedNumber(const OUString& rStr, Fraction& rUN) } if (cD < u'0' || u'9' < cD) break; + if (validNomDen + && (o3tl::checked_multiply(nom, sal_Int64(10), nom) + || o3tl::checked_add(nom, sal_Int64(cD - u'0'), nom) + || (nDecimalPoint >= 0 && o3tl::checked_multiply(den, sal_Int64(10), den)))) + { + validNomDen = false; + } } if (nIdx == 0 || (nIdx == 1 && nDecimalPoint == 0)) return -1; - rUN = Fraction(rStr.copy(0, nIdx).toDouble()); + // If the input "xx.yyy" can be represented with nom = xx*10^n + yyy and den = 10^n in sal_Int64 + // (where n is the length of "yyy"), then use that to create an accurate Fraction (and TODO: we + // could even ignore trailing "0" characters in "yyy", for a smaller n and thus a greater chance + // of validNomDen); if not, use the less accurate approach of creating a Fraction from double: + if (validNomDen) + { + rUN = Fraction(nom, den); + } + else + { + rUN = Fraction(rStr.copy(0, nIdx).toDouble()); + } return nIdx; }