editeng/source/editeng/impedit3.cxx |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

New commits:
commit e1449eaf3b2b0bf4ebed44bbcf54e5e01d356465
Author:     Miklos Vajna <vmik...@collabora.com>
AuthorDate: Mon Jan 10 13:38:46 2022 +0100
Commit:     Xisco Fauli <xiscofa...@libreoffice.org>
CommitDate: Tue Jan 11 10:09:42 2022 +0100

    editeng: avoid writing past the end of pLine->GetCharPosArray()
    
            Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault.
            0x00007ffff6df4951 in ?? () from /usr/lib64/libstdc++.so.6
            (gdb) bt 10
            #0  0x00007ffff6df4951 in  () at /usr/lib64/libstdc++.so.6
            #1  0x00007ffff6df5792 in __gnu_debug::_Error_formatter::_M_error() 
const () at /usr/lib64/libstdc++.so.6
            #2  0x00007ffff47384bf in std::__debug::vector<int, 
std::allocator<int> >::operator[](unsigned long) (this=0x6b3dca0, __n=7) at 
/usr/include/c++/7/debug/vector:417
            #3  0x00007ffff47b5440 in ImpEditEngine::ImpBreakLine(ParaPortion*, 
EditLine*, TextPortion const*, int, long, bool) (this=
                0x1ce0040, pParaPortion=0x206a010, pLine=0x6b3dca0, 
pPortion=0x6b3e480, nPortionStart=0, nRemainingWidth=5093, bCanHyphenate=false)
                at editeng/source/editeng/impedit3.cxx:2041
            #4  0x00007ffff47b1fb6 in ImpEditEngine::CreateLines(int, unsigned 
int) (this=0x1ce0040, nPara=0, nStartPosY=0)
                at editeng/source/editeng/impedit3.cxx:1352
            #5  0x00007ffff47ad0c2 in ImpEditEngine::FormatDoc() 
(this=0x1ce0040) at editeng/source/editeng/impedit3.cxx:387
            #6  0x00007ffff47bf516 in ImpEditEngine::FormatAndLayout(EditView*, 
bool) (this=0x1ce0040, pCurView=0x0, bCalledFromUndo=false)
                at editeng/source/editeng/impedit3.cxx:4190
            #7  0x00007ffff47be333 in ImpEditEngine::SetUpdateLayout(bool, 
EditView*, bool) (this=0x1ce0040, bUp=true, pCurView=0x0, bForceUpdate=false)
                at editeng/source/editeng/impedit3.cxx:3927
            #8  0x00007ffff46f059e in EditEngine::SetUpdateLayout(bool, bool) 
(this=0x1ce2b20, bUpdate=true, bRestoring=false)
                at editeng/source/editeng/editeng.cxx:1472
            #9  0x00007ffff48ce5e3 in Outliner::SetText(OutlinerParaObject 
const&) (this=0x1ce0cc0, rPObj=...) at editeng/source/outliner/outliner.cxx:586
            (More stack frames follow...)
            (gdb) frame 3
            #3  0x00007ffff47b5440 in ImpEditEngine::ImpBreakLine 
(this=0x1ce0040, pParaPortion=0x206a010, pLine=0x6b3dca0, pPortion=0x6b3e480, 
nPortionStart=0, nRemainingWidth=5093,
                bCanHyphenate=false) at editeng/source/editeng/impedit3.cxx:2041
            2041            pLine->GetCharPosArray()[ nPosInArray ] = 
rTP.GetSize().Width();
            (gdb) print pLine->GetCharPosArray()
            [Thread 0x7fffd2010700 (LWP 5008) exited]
            $1 = std::__debug::vector of length 7, capacity 7 = {707, 1414, 
2121, 2828, 3535, 4242, 4949}
            (gdb) print nPosInArray
            $2 = 7
    
    Change-Id: I3a8121c0c0a3b0949e91eb53c0468f7e629b146f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128223
    Reviewed-by: Miklos Vajna <vmik...@collabora.com>
    Tested-by: Jenkins
    (cherry picked from commit 56ded398c9c72810f20b9da0aa98097739423180)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128231
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>

diff --git a/editeng/source/editeng/impedit3.cxx 
b/editeng/source/editeng/impedit3.cxx
index c28e1eab7b00..a0e4eb43b913 100644
--- a/editeng/source/editeng/impedit3.cxx
+++ b/editeng/source/editeng/impedit3.cxx
@@ -1485,7 +1485,10 @@ bool ImpEditEngine::CreateLines( sal_Int32 nPara, 
sal_uInt32 nStartPosY )
             TextPortion& rTP = 
rParaPortion.GetTextPortions()[pLine->GetEndPortion()];
             sal_Int32 nPosInArray = pLine->GetEnd()-1-pLine->GetStart();
             tools::Long nNewValue = ( nPosInArray ? pLine->GetCharPosArray()[ 
nPosInArray-1 ] : 0 ) + n;
-            pLine->GetCharPosArray()[ nPosInArray ] = nNewValue;
+            if (o3tl::make_unsigned(nPosInArray) < 
pLine->GetCharPosArray().size())
+            {
+                pLine->GetCharPosArray()[ nPosInArray ] = nNewValue;
+            }
             rTP.GetSize().AdjustWidth(n );
         }
 
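Review bot: The guard added before `pLine->GetCharPosArray()[ nPosInArray ] = nNewValue;` turns the out-of-bounds write into a silent skip, so the mismatch between the line's end position and the array size (the trace shows length 7 and nPosInArray 7) is no longer surfaced even in debug builds. `rTP.GetSize().AdjustWidth(n );` below the new block still runs when the store is skipped, so the portion width and the char-pos array can drift apart; a `DBG_ASSERT( o3tl::make_unsigned(nPosInArray) < pLine->GetCharPosArray().size(), "nPosInArray beyond GetCharPosArray()" );` beside the check would keep the condition visible. The read `pLine->GetCharPosArray()[ nPosInArray-1 ]` on the line above is still unguarded; if nPosInArray can exceed the size by more than one, that read is out of bounds as well, so the ternary should also require `o3tl::make_unsigned(nPosInArray) <= pLine->GetCharPosArray().size()`. The second hunk, in ImpBreakLine, has the same shape and the same two gaps. Both CreateLines and ImpBreakLine begin and end outside their hunks.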
@@ -2038,7 +2041,10 @@ void ImpEditEngine::ImpBreakLine( ParaPortion* 
pParaPortion, EditLine* pLine, Te
         DBG_ASSERT( nBreakPos > pLine->GetStart(), "SplitTextPortion at the 
beginning of the line?" );
         sal_Int32 nPosInArray = nBreakPos - 1 - pLine->GetStart();
         rTP.GetSize().setWidth( ( nPosInArray && ( rTP.GetLen() > 1 ) ) ? 
pLine->GetCharPosArray()[ nPosInArray-1 ] : 0 );
-        pLine->GetCharPosArray()[ nPosInArray ] = rTP.GetSize().Width();
+        if (o3tl::make_unsigned(nPosInArray) < pLine->GetCharPosArray().size())
+        {
+            pLine->GetCharPosArray()[ nPosInArray ] = rTP.GetSize().Width();
+        }
     }
     else if ( bHyphenated )
     {
