drawinglayer/source/tools/emfphelperdata.cxx | 31 - hwpfilter/source/hwpfile.cxx | 2 hwpfilter/source/hwpfile.h | 4 lotuswordpro/source/filter/lwpdrawobj.cxx | 79 +-- sc/source/filter/lotus/op.cxx | 11 shell/source/win32/SysShExec.cxx | 2 sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf | 347 +++++++++++++++ sw/qa/extras/layout/layout.cxx | 5 sw/source/core/layout/tabfrm.cxx | 1 sw/source/filter/ww8/wrtw8sty.cxx | 28 - sw/source/filter/ww8/wrtww8.hxx | 4 vcl/source/fontsubset/sft.cxx | 2 vcl/source/gdi/svmconverter.cxx | 20 writerfilter/source/dmapper/DomainMapperTableManager.cxx | 2 14 files changed, 448 insertions(+), 90 deletions(-)
New commits: commit 3a58089adb8e3655cb0632061576f238febe9f33 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Fri Mar 4 10:38:50 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:46:58 2022 +0200 clamp and add some logging like SvmReader LIBREOFFICE-OWMTGGWJ Change-Id: I8f744e1ab2684a0f0995abcc3e753a684a3b970a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130982 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 19add15932e579c931480eed42eeea52d0551897) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131369 Tested-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 8727f47611af8dfb5ac186cc47e7b38741ccfb76) diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx index c1d40686a50a..39648b756029 100644 --- a/vcl/source/gdi/svmconverter.cxx +++ b/vcl/source/gdi/svmconverter.cxx @@ -240,6 +240,23 @@ namespace nFollowingActionCount = remainingActions; return std::min(remainingActions, nFollowingActionCount); } + + void ClampRange(const OUString& rStr, sal_Int32& rIndex, sal_Int32& rLength) + { + const sal_Int32 nStrLength = rStr.getLength(); + + if (rIndex < 0 || rIndex > nStrLength) + { + SAL_WARN("vcl.gdi", "inconsistent offset"); + rIndex = nStrLength; + } + + if (rLength < 0 || rLength > nStrLength - rIndex) + { + SAL_WARN("vcl.gdi", "inconsistent len"); + rLength = nStrLength - rIndex; + } + } } #define LF_FACESIZE 32 @@ -681,6 +698,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) OUString aStr(OStringToOUString(aByteStr, eActualCharSet)); if ( nUnicodeCommentActionNumber == i ) ImplReadUnicodeComment( nUnicodeCommentStreamPos, rIStm, aStr ); + ClampRange(aStr, nIndex, nLen); rMtf.AddAction( new MetaTextAction( aPt, aStr, nIndex, nLen ) ); } @@ -771,6 +789,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) } if ( nUnicodeCommentActionNumber == i ) ImplReadUnicodeComment( nUnicodeCommentStreamPos, rIStm, aStr ); + ClampRange(aStr, nIndex, nLen); rMtf.AddAction( new MetaTextArrayAction( aPt, aStr, pDXAry.get(), nIndex, nLen ) ); } @@ -796,6 +815,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) OUString aStr(OStringToOUString(aByteStr, eActualCharSet)); if ( nUnicodeCommentActionNumber == i ) ImplReadUnicodeComment( nUnicodeCommentStreamPos, rIStm, aStr ); + ClampRange(aStr, nIndex, nLen); rMtf.AddAction( new MetaStretchTextAction( aPt, nWidth, aStr, nIndex, nLen ) ); } commit c95e7f73807eee6ac6fbc7a2362b80bcaf8d0c77 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Mar 1 11:45:23 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:46:22 2022 +0200 protect frame from triggering deleting itself LIBREOFFICE-N4LA0OHZ Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130766 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit ee2a192923bf709d05c174848e7054cd411b205a) (cherry picked from commit 3d3c6462eeef581af2b936071c3ef432858b04a5) (cherry picked from commit 503d84cabb68233a12a3a9602253f4345be86ad7) Change-Id: I0d24277665a317f047b286fe0f0878b3814ded65 diff --git a/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf new file mode 100755 index 000000000000..47d284aa5753 --- /dev/null +++ b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf @@ -0,0 +1,347 @@ +{\rtf1\ansi\ansicpg1252\deff0 +{\fontttbl +\f0\froman\fcharset0 Times; +\f1\fswiss\fcharset0 Helvetica; +\f2\fmodern\fcharset0 Courier; +\f3\ftech\fcharset2 S�mbol; +} +{]colortbl +; +\red127\green255\blue212; +\red0\green0\blue0; +\red0\green0\blue255; +\red25\green0\blue255; +\red190\green190\blue190; +\red0\green255\blue0; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red176\green48\blue96; +\red0\green0\blue128; +\red85\green107\blue47; +\red160\green32\blue240; +\red255\green0\blue0; +\red192\green-1733928082104\blue192; +\red0\green128\blue128; +\red255\green255\blue255; +\red255\green255\blue0; +} +{\info +{\*\userprops +{\propname creator}\proptype30 +{\staticval XMLmind FO Converter} +} +} +\facingp\masgmirror\fet0\ftnbj +\sectd +\pghsxn15840\pgwsxn12240 +\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440J\margmirsxn +\headery720 +\footery720 +\titlepg +\pgnrestart\pgnstarts1|pgndec +{\headerr +\trowd\trleft0 +clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf18446744073709551614\cellx279 +\pard\intbl +\cell +\tard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerl +\trowd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\�ellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerf +} +{\footerr +\trowd\trleft0 +\clvertalb +\clbrdrT\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10Lbrdrcf2\cellx186 +\clvertalb +\clbrdrt\brdvs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{footerl +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brd2cf2\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\row +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\footerf +} +{\*\bkmkstart id2754642} +{\*\bkmkend i`2754642} +\pard\qect +\sectd +\pghsxn1\pgwsxn12240 +\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440 +\margmirsxn +\headery720\footery720 +\titlepg +\pgncont\pgnlcrm +{\headerr +\trowd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +^clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerl +\trowd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerf +\trkwd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\b�drcf8\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\footerr +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +\cdrertal�VQbdqomA +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20\cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +{\footerl +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf3\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20|cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +{\footerf +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20\cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +{\*\bkmkstart toc_2e__2e__2e_id2754642} +\pard\sb518\qj +{\plain\f000000000000000000000000000000000000000000000000000000128\fs35\b\cf2 +Table of %nntentsmpUMjkI +} +\par +{\*\bkmkend toc_2e__2e__2e_id2754642} +\pard\sb291\li960\ri480\tldot\tx4920 +{\field{\*|fldinst HYPERLINK \\l id2884528}{\fldrslt +{\plai~\f0\fs20cf2 +1. +} +}} +{\plain\f0\fs20\cf2 + +} +{\plain\f0\fs20\cf2 +\tab +} +{\plain\f0\fs20\cf2 + +} +{\field{\*\fldinst HYPERLINK \\n id2884528}{\fldrslt +{\plain\f0\fs20\cf2 +{\field{\*\fldinst PAGEREF id2884528}{\fldrslt 0}} +} +}} +\par +\pard\sect +\sectd +\pghsxn15840\pgwsxn12240 +\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440 +\margmirsxn +\headery720 +\footery720 +\titlepg +\pgnrestart\pgnstarts1\pgndec +{\headerr +\trowd\trleft0 +\clvertalt +\clbrdrb�brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\rou +} +{\footarl +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +mkend toc_2e__2e__2e_id2754642} +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain\f0\fs20\cf2 +\chpgn +} +Xcell +\pard\intbl +\cell +\row +} +{\footerf +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20\cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +\par} +\par} +\row +kbkmkend id2884--188884712918700} +\par} \ No newline at end of file diff --git a/sw/qa/extras/layout/layout.cxx b/sw/qa/extras/layout/layout.cxx index ec568d69f767..33c306934f44 100644 --- a/sw/qa/extras/layout/layout.cxx +++ b/sw/qa/extras/layout/layout.cxx @@ -57,6 +57,7 @@ public: void testTdf109137(); void testForcepoint72(); void testForcepoint76(); + void testN4LA0OHZ(); void testTdf118058(); void testTdf117188(); void testTdf117187(); @@ -97,6 +98,7 @@ public: CPPUNIT_TEST(testTdf109137); CPPUNIT_TEST(testForcepoint72); CPPUNIT_TEST(testForcepoint76); + CPPUNIT_TEST(testN4LA0OHZ); CPPUNIT_TEST(testTdf118058); CPPUNIT_TEST(testTdf117188); CPPUNIT_TEST(testTdf117187); @@ -2580,6 +2582,9 @@ void SwLayoutWriter::testForcepoint72() { createDoc("forcepoint72-1.rtf"); } //just care it doesn't crash/assert void SwLayoutWriter::testForcepoint76() { createDoc("forcepoint76-1.rtf"); } +//just care it doesn't crash/assert +void SwLayoutWriter::testN4LA0OHZ() { createDoc("LIBREOFFICE-N4LA0OHZ.rtf"); } + void SwLayoutWriter::testTdf118058() { SwDoc* pDoc = createDoc("tdf118058.fodt"); diff --git a/sw/source/core/layout/tabfrm.cxx b/sw/source/core/layout/tabfrm.cxx index a379e71dbaed..0e7c5a8adc29 100644 --- a/sw/source/core/layout/tabfrm.cxx +++ b/sw/source/core/layout/tabfrm.cxx @@ -2078,6 +2078,7 @@ void SwTabFrame::MakeAll(vcl::RenderContext* pRenderContext) } SwFootnoteBossFrame *pOldBoss = bFootnotesInDoc ? FindFootnoteBossFrame( true ) : nullptr; bool bReformat; + SwFrameDeleteGuard g(this); if ( MoveBwd( bReformat ) ) { aRectFnSet.Refresh(this); commit 5a235e4d9801babae2965d19a5d40c60268a3e9b Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Fri Feb 25 12:33:13 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:42:58 2022 +0200 lastPoint might be 0xFFFF LIBREOFFICE-KYYAZMB9 Change-Id: Ic0d95bd39a01dc1e5e0fec83dcc2c40b3f23b747 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130462 Tested-by: Jenkins Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit 21ea1eacd214dbaac8d0ce7f437580d535871415) (cherry picked from commit 1f3e7bc9e47b83f009b8085effa61467101aa102) diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 9262c2bca365..bb0f008c7b0e 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -412,7 +412,7 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, sal_uInt32 glyphID, Contr const sal_uInt8* p = ptr + nOffset; const sal_uInt32 nBytesRemaining = nTableSize - nOffset; - const sal_uInt16 palen = lastPoint+1; + const sal_uInt32 palen = lastPoint+1; //at a minimum its one byte per entry if (palen > nBytesRemaining || lastPoint > nBytesRemaining-1) commit 5efab2e982890349a29f3ab5fa0944760e26e145 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Mar 1 10:39:34 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:42:26 2022 +0200 fail more gracefully if m_aTmpPosition is empty LIBREOFFICE-N4LA0OHZ Change-Id: I7f863151f753ad5605c4f1f280cfd79aa4c6bce4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130772 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 02837024ea8d3d52c92420858327b309f2e96487) (cherry picked from commit 9fc1be2594ceac46e9a769d7ee2a2004869603ac) diff --git a/writerfilter/source/dmapper/DomainMapperTableManager.cxx b/writerfilter/source/dmapper/DomainMapperTableManager.cxx index b698fabe0c44..99ebfa11619f 100644 --- a/writerfilter/source/dmapper/DomainMapperTableManager.cxx +++ b/writerfilter/source/dmapper/DomainMapperTableManager.cxx @@ -541,6 +541,8 @@ void DomainMapperTableManager::endOfRowAction() // Compare the table position with the previous ones. We may need to split // into two tables if those are different. We surely don't want to do anything // if we don't have any row yet. + if (m_aTmpPosition.empty()) + throw std::out_of_range("row without a position"); TablePositionHandlerPtr pTmpPosition = m_aTmpPosition.back(); TablePropertyMapPtr pTablePropMap = m_aTmpTableProperties.back( ); TablePositionHandlerPtr pCurrentPosition = m_aTablePositions.back(); commit 92f0aeaac8736e5e44b301fa90c07a5614664be1 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Feb 28 09:45:55 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:41:57 2022 +0200 check if cast is to the right type LIBREOFFICE-311XVJ95 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130670 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit b44bd9ef8e2efdb66558917200e1f179b9db1c58) Change-Id: I159f516daafad3e4088677fe2c8c6f5423b3e264 (cherry picked from commit f9350f9a8404fd9eb5b6963022f0069e89ddd061) diff --git a/drawinglayer/source/tools/emfphelperdata.cxx b/drawinglayer/source/tools/emfphelperdata.cxx index 6e4859f0bad7..0a26aff9ef54 100644 --- a/drawinglayer/source/tools/emfphelperdata.cxx +++ b/drawinglayer/source/tools/emfphelperdata.cxx @@ -350,7 +350,7 @@ namespace emfplushelper } else // we use a pen { - const EMFPPen* pen = static_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get()); + const EMFPPen* pen = dynamic_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get()); if (pen) { color = pen->GetColor(); @@ -535,7 +535,7 @@ namespace emfplushelper } else // use Brush { - EMFPBrush* brush = static_cast<EMFPBrush*>( maEMFPObjects[brushIndexOrColor & 0xff].get() ); + EMFPBrush* brush = dynamic_cast<EMFPBrush*>( maEMFPObjects[brushIndexOrColor & 0xff].get() ); SAL_INFO("drawinglayer", "EMF+\t Fill polygon, brush slot: " << brushIndexOrColor << " (brush type: " << (brush ? brush->GetType() : -1) << ")"); // give up in case something wrong happened @@ -1033,7 +1033,11 @@ namespace emfplushelper rMS.ReadUInt32(brushIndexOrColor); SAL_INFO("drawinglayer", "EMF+ FillRegion slot: " << index); - EMFPPlusFillPolygon(static_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get())->regionPolyPolygon, flags & 0x8000, brushIndexOrColor); + EMFPRegion* region = dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get()); + if (region) + EMFPPlusFillPolygon(region->regionPolyPolygon, flags & 0x8000, brushIndexOrColor); + else + SAL_WARN("drawinglayer.emf", "EMF+\tEmfPlusRecordTypeFillRegion missing region"); } break; case EmfPlusRecordTypeDrawEllipse: @@ -1210,9 +1214,10 @@ namespace emfplushelper SAL_INFO("drawinglayer", "EMF+\tTODO: use image attributes"); // For DrawImage and DrawImagePoints, source unit of measurement type must be 1 pixel - if (sourceUnit == UnitTypePixel && maEMFPObjects[flags & 0xff].get()) + if (EMFPImage* image = sourceUnit == UnitTypePixel ? + dynamic_cast<EMFPImage*>(maEMFPObjects[flags & 0xff].get()) : + nullptr) { - EMFPImage& image = *static_cast<EMFPImage *>(maEMFPObjects[flags & 0xff].get()); float sx, sy, sw, sh; ReadRectangle(rMS, sx, sy, sw, sh); ::tools::Rectangle aSource(Point(sx, sy), Size(sw, sh)); @@ -1262,9 +1267,9 @@ namespace emfplushelper aDstPoint.getX(), aDstPoint.getY()); - if (image.type == ImageDataTypeBitmap) + if (image->type == ImageDataTypeBitmap) { - BitmapEx aBmp(image.graphic.GetBitmapEx()); + BitmapEx aBmp(image->graphic.GetBitmapEx()); aBmp.Crop(aSource); Size aSize(aBmp.GetSizePixel()); SAL_INFO("drawinglayer", "EMF+\t bitmap size: " << aSize.Width() << "x" << aSize.Height()); @@ -1278,9 +1283,9 @@ namespace emfplushelper SAL_INFO("drawinglayer", "EMF+\t warning: empty bitmap"); } } - else if (image.type == ImageDataTypeMetafile) + else if (image->type == ImageDataTypeMetafile) { - GDIMetaFile aGDI(image.graphic.GetGDIMetaFile()); + GDIMetaFile aGDI(image->graphic.GetGDIMetaFile()); aGDI.Clip(aSource); mrTargetHolders.Current().append( o3tl::make_unique<drawinglayer::primitive2d::MetafilePrimitive2D>(aTransformMatrix, aGDI)); @@ -1314,7 +1319,7 @@ namespace emfplushelper // get the stringFormat from the Object table ( this is OPTIONAL and may be nullptr ) const EMFPStringFormat *stringFormat = dynamic_cast<EMFPStringFormat*>(maEMFPObjects[formatId & 0xff].get()); // get the font from the flags - const EMFPFont *font = static_cast< EMFPFont* >( maEMFPObjects[flags & 0xff].get() ); + const EMFPFont *font = dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get()); if (!font) { break; @@ -1680,7 +1685,7 @@ namespace emfplushelper SAL_INFO("drawinglayer", "EMF+ SetClipPath combine mode: " << combineMode); SAL_INFO("drawinglayer", "EMF+\tpath in slot: " << (flags & 0xff)); - EMFPPath *path = static_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get()); + EMFPPath *path = dynamic_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get()); if (!path) { break; @@ -1697,7 +1702,7 @@ namespace emfplushelper int combineMode = (flags >> 8) & 0xf; SAL_INFO("drawinglayer", "EMF+ SetClipRegion"); SAL_INFO("drawinglayer", "EMF+\tregion in slot: " << (flags & 0xff) << " combine mode: " << combineMode); - EMFPRegion *region = static_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get()); + EMFPRegion *region = dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get()); if (!region) { break; @@ -1765,7 +1770,7 @@ namespace emfplushelper } // get the font from the flags - EMFPFont *font = static_cast< EMFPFont* >( maEMFPObjects[flags & 0xff].get() ); + EMFPFont *font = dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get()); if (!font) { break; commit 8bade2aa2790f885290db3f2ca5c688dfdc3a0f0 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Feb 28 09:15:10 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:34:58 2022 +0200 ensure null terminator LIBREOFFICE-WB8DT2Q9 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130668 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> Tested-by: Jenkins (cherry picked from commit 4b6956ca146f25b746f63c176b377d3c15d204ff) Change-Id: I98529325bbd3ff475ba84b4991eb17240440df4b (cherry picked from commit 918c4a49fa841f0d234b18234d946684fe6378af) diff --git a/sc/source/filter/lotus/op.cxx b/sc/source/filter/lotus/op.cxx index c6302eb90988..3996737053a8 100644 --- a/sc/source/filter/lotus/op.cxx +++ b/sc/source/filter/lotus/op.cxx @@ -588,14 +588,9 @@ void OP_SheetName123(LotusContext& rContext, SvStream& rStream, sal_uInt16 nLeng SCTAB nSheetNum = static_cast<SCTAB>(nDummy); rContext.pDoc->MakeTable(nSheetNum); - ::std::vector<sal_Char> sSheetName; - sSheetName.reserve(nLength-4); - for (sal_uInt16 i = 4; i < nLength; ++i) - { - sal_Char c; - rStream.ReadChar( c ); - sSheetName.push_back(c); - } + const size_t nStrLen = nLength - 4; + std::vector<sal_Char> sSheetName(nStrLen + 1); + sSheetName[rStream.ReadBytes(sSheetName.data(), nStrLen)] = 0; if (!sSheetName.empty()) { commit f93c3cb62b5bd1f560008b15cb13cd8f34dcd02c Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Feb 22 16:09:53 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:34:21 2022 +0200 keep paragraph's that failed to load until import is complete LIBREOFFICE-509JU93T Change-Id: I526edb182fed4fa023cce58e78a650a7c2046ed3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130326 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 32e8d3e45698a3cc09f66460b460db1d10ac50b5) (cherry picked from commit 0635bbb035940dcedb17713a958f81265d69e67e) diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx index 2ceefc481c2f..9599aaa46ded 100644 --- a/hwpfilter/source/hwpfile.cxx +++ b/hwpfilter/source/hwpfile.cxx @@ -241,6 +241,7 @@ void HWPFile::ReadParaList(std::vector < HWPPara* > &aplist) aplist.push_back(spNode.release()); spNode.reset( new HWPPara ); } + pfailedlist.push_back(std::move(spNode)); } void HWPFile::ReadParaList(std::vector< std::unique_ptr<HWPPara> > &aplist, unsigned char flag) @@ -274,6 +275,7 @@ void HWPFile::ReadParaList(std::vector< std::unique_ptr<HWPPara> > &aplist, unsi aplist.push_back(std::move(spNode)); spNode.reset( new HWPPara ); } + pfailedlist.push_back(std::move(spNode)); } void HWPFile::TagsRead() diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h index 88e2151a5c9a..539c1b401c45 100644 --- a/hwpfilter/source/hwpfile.h +++ b/hwpfilter/source/hwpfile.h @@ -284,6 +284,10 @@ class DLLEXPORT HWPFile std::vector<std::unique_ptr<ColumnInfo>> columnlist; // paragraph list std::vector<std::unique_ptr<HWPPara>> plist; + // keep paragraph's that failed to load until + // import is complete to avoid dangling references + // elsewhere + std::vector<std::unique_ptr<HWPPara>> pfailedlist; // floating box list std::vector<FBox*> blist; // embedded picture list(tag datas) commit e33561ec714b90a89ef44559477e71cc7fc5a051 Author: Renwa Hiwa <renwa...@gmail.com> AuthorDate: Tue Feb 22 09:36:29 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:34:00 2022 +0200 Better handling of msi LIBREOFFICE-SK4E5D8N Change-Id: I44f25a47ab6ffeb9d2b679874c8c96af1319eb2c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130317 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit ccaabe8e8100a3a0600456c5a65221ca2b263c95) (cherry picked from commit aa993b7667136ff858a7c8d6f3d1bac8f255151a) diff --git a/shell/source/win32/SysShExec.cxx b/shell/source/win32/SysShExec.cxx index cc035c45a2d9..c2f35dc486e9 100644 --- a/shell/source/win32/SysShExec.cxx +++ b/shell/source/win32/SysShExec.cxx @@ -412,7 +412,7 @@ void SAL_CALL CSysShExec::execute( const OUString& aCommand, const OUString& aPa if (!(checkExtension(ext, env) && checkExtension( ext, - ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.CLASS;" + ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.MSI;.PY;.CLASS;" ".JAR;.APPLICATION;.LNK;.SCR"))) { throw css::lang::IllegalArgumentException( commit b7b28c8a81b24aff5670041fef371bb53436288a Author: zhutyra <zhutyra> AuthorDate: Tue Feb 1 14:07:26 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:33:22 2022 +0200 ensure bounds checking LIBREOFFICE-SBQ5TJRS Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e) (cherry picked from commit b268215d10f7da6d01c223b260970198c00cb610) diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 917a62d3923b..a0d5ef65d360 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1352,21 +1352,20 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( m_aBmpRec.nTranslation ); m_pStream->ReadUInt16( m_aBmpRec.nRotation ); + // 20 == length of draw-specific fields. if (m_aObjHeader.nRecLen < 20) throw BadRead(); - // 20 == length of draw-specific fields. - // 14 == length of bmp file header. - m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14; + sal_uInt64 nBmpPos = m_pStream->Tell(); + sal_uInt64 nBmpLen = + std::min<sal_uInt64>(m_aObjHeader.nRecLen - 20, m_pStream->remainingSize()); BmpInfoHeader2 aInfoHeader2; m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen ); - if (!m_pStream->good()) + if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen) throw BadRead(); - m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] ); - sal_uInt32 N; sal_uInt32 rgbTableSize; @@ -1391,7 +1390,7 @@ void LwpDrawBitmap::Read() rgbTableSize = 3 * (1 << N); } } - else + else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2)) { m_pStream->ReadUInt32( aInfoHeader2.nWidth ); m_pStream->ReadUInt32( aInfoHeader2.nHeight ); @@ -1406,8 +1405,14 @@ void LwpDrawBitmap::Read() { rgbTableSize = 4 * (1 << N); } - } + else + { + throw BadRead(); + } + + m_aBmpRec.nFileSize = static_cast<sal_uInt32>(nBmpLen + 14); + m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] ); sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize; m_pImageData[0] = 'B'; @@ -1425,50 +1430,10 @@ void LwpDrawBitmap::Read() m_pImageData[12] = static_cast<sal_uInt8>(nOffBits >> 16); m_pImageData[13] = static_cast<sal_uInt8>(nOffBits >> 24); - sal_uInt32 nDIBRemaining; sal_uInt8* pPicData = m_pImageData.get(); - if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader)) - { - m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen); - m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 8); - m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 16); - m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 24); - m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth); - m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8); - m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nHeight); - m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8); - m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes); - m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8); - m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount); - m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8); - - nDIBRemaining = m_aBmpRec.nFileSize - 26; - pPicData += 26*sizeof(sal_uInt8); - } - else - { - m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen); - m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 8); - m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 16); - m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 24); - m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth); - m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8); - m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 16); - m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 24); - m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nHeight); - m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8); - m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 16); - m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 24); - m_pImageData[26] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes); - m_pImageData[27] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8); - m_pImageData[28] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount); - m_pImageData[29] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8); - - nDIBRemaining = m_aBmpRec.nFileSize - 30; - pPicData += 30*sizeof(sal_uInt8); - } - if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining)) + m_pStream->Seek(nBmpPos); + if (nBmpLen != m_pStream->ReadBytes(pPicData + 14, nBmpLen)) throw BadRead(); } commit 37cad79d9fbb1b645e9c7c33695dd5ef5fe626fa Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Thu Jan 13 16:57:48 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:32:33 2022 +0200 ofz#43577 valid reclen must be >= 20 Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 444477a07bcaf59181dbbc719b913566091deadc) ofz: Use-of-uninitialized-value Change-Id: I6b768b80d972c5379005efecfb803463ca648b4b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128644 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 7b37a1a5144a3a4c8b0803b7e2da81e9e108bf66) ofz: Undefined-Shift Change-Id: Ib935359071ef9e390aa3d6c9713ed48241ad18e6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129066 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit e863b90a0e5fc90c3b824e4b0012f9389b87a3ac) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129183 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 7c8b41bc322720dc9434fbef1f10a6740913165e) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129416 Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de> Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> (cherry picked from commit 7664ec93edc190ae0bc18b5793763fde5cec8d62) diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 6dc6fb2b9220..917a62d3923b 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1352,14 +1352,21 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( m_aBmpRec.nTranslation ); m_pStream->ReadUInt16( m_aBmpRec.nRotation ); + if (m_aObjHeader.nRecLen < 20) + throw BadRead(); + // 20 == length of draw-specific fields. // 14 == length of bmp file header. m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14; - m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] ); BmpInfoHeader2 aInfoHeader2; m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen ); + if (!m_pStream->good()) + throw BadRead(); + + m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] ); + sal_uInt32 N; sal_uInt32 rgbTableSize; @@ -1375,7 +1382,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; - if (N == 24) + if (N >= 16) { rgbTableSize = 0; } @@ -1391,7 +1398,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; - if (N == 24) + if (N >= 16) { rgbTableSize = 0; } commit 35562b809a3207a3ff9b2d700e2ea6c285992320 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Jan 17 10:48:12 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:31:49 2022 +0200 ofz: Use-of-uninitialized-value Change-Id: Ic5f41e4f1f6b20a8cd8887807296f33adb48b728 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128439 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit bb03203848ef1c30786ad084440b5d317a466127) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129415 Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de> Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> (cherry picked from commit b3288c52844bec9e33a7ae725332f95c84384ac7) diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index cd25e50bb93b..6dc6fb2b9220 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1461,7 +1461,8 @@ void LwpDrawBitmap::Read() pPicData += 30*sizeof(sal_uInt8); } - m_pStream->ReadBytes(pPicData, nDIBRemaining); + if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining)) + throw BadRead(); } OUString LwpDrawBitmap::RegisterStyle() commit 48d85fd4db95939597b66da2f32bc5f024686518 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Thu Feb 10 10:53:27 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:27:52 2022 +0200 limit style export to words max style count and use std::vector LIBREOFFICE-U78X8I5G Change-Id: I436b4c13a4ce07f5e9e5d374163bc4de55cd2cde Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129766 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 8e94ec9d93fe3e1057fb1aaa2f0419114c4ea11c) (cherry picked from commit 0361cc74c7e0619f8b25a5584accb56d0c45f97a) diff --git a/sw/source/filter/ww8/wrtw8sty.cxx b/sw/source/filter/ww8/wrtw8sty.cxx index af39bf4ef063..810cf955135a 100644 --- a/sw/source/filter/ww8/wrtw8sty.cxx +++ b/sw/source/filter/ww8/wrtw8sty.cxx @@ -150,13 +150,13 @@ MSWordStyles::MSWordStyles( MSWordExportBase& rExport, bool bListStyles ) m_rExport.m_pDoc->GetFootnoteInfo().GetAnchorCharFormat( *m_rExport.m_pDoc ); m_rExport.m_pDoc->GetFootnoteInfo().GetCharFormat( *m_rExport.m_pDoc ); } - sal_uInt16 nAlloc = WW8_RESERVED_SLOTS + m_rExport.m_pDoc->GetCharFormats()->size() - 1 + + sal_uInt32 nAlloc = WW8_RESERVED_SLOTS + m_rExport.m_pDoc->GetCharFormats()->size() - 1 + m_rExport.m_pDoc->GetTextFormatColls()->size() - 1 + (bListStyles ? m_rExport.m_pDoc->GetNumRuleTable().size() - 1 : 0); + nAlloc = std::min<sal_uInt32>(nAlloc, MSWORD_MAX_STYLES_LIMIT); // somewhat generous ( free for up to 15 ) - m_pFormatA.reset( new SwFormat*[ nAlloc ] ); - memset( m_pFormatA.get(), 0, nAlloc * sizeof( SwFormat* ) ); + m_aFormatA.resize(nAlloc, nullptr); memset( m_aHeadingParagraphStyles, -1 , MAXLEVEL * sizeof( sal_uInt16)); BuildStylesTable(); @@ -172,7 +172,7 @@ sal_uInt16 MSWordStyles::GetSlot( const SwFormat* pFormat ) const { sal_uInt16 n; for ( n = 0; n < m_nUsedSlots; n++ ) - if ( m_pFormatA[n] == pFormat ) + if ( m_aFormatA[n] == pFormat ) return n; return 0xfff; // 0xfff: WW: zero } @@ -281,19 +281,19 @@ void MSWordStyles::BuildStylesTable() const SwCharFormats& rArr = *m_rExport.m_pDoc->GetCharFormats(); // first CharFormat // the default character style ( 0 ) will not be outputted ! - for( size_t n = 1; n < rArr.size(); n++ ) + for( size_t n = 1; n < rArr.size() && m_nUsedSlots < MSWORD_MAX_STYLES_LIMIT; n++ ) { SwCharFormat* pFormat = rArr[n]; - m_pFormatA[ BuildGetSlot( *pFormat ) ] = pFormat; + m_aFormatA[ BuildGetSlot( *pFormat ) ] = pFormat; } const SwTextFormatColls& rArr2 = *m_rExport.m_pDoc->GetTextFormatColls(); // then TextFormatColls // the default character style ( 0 ) will not be outputted ! - for( size_t n = 1; n < rArr2.size(); n++ ) + for( size_t n = 1; n < rArr2.size() && m_nUsedSlots < MSWORD_MAX_STYLES_LIMIT; n++ ) { SwTextFormatColl* pFormat = rArr2[n]; sal_uInt16 nId = BuildGetSlot( *pFormat ) ; - m_pFormatA[ nId ] = pFormat; + m_aFormatA[ nId ] = pFormat; if ( pFormat->IsAssignedToListLevelOfOutlineStyle() ) { int nLvl = pFormat->GetAssignedOutlineStyleLevel() ; @@ -306,7 +306,7 @@ void MSWordStyles::BuildStylesTable() return; const SwNumRuleTable& rNumRuleTable = m_rExport.m_pDoc->GetNumRuleTable(); - for (size_t i = 0; i < rNumRuleTable.size(); ++i) + for (size_t i = 0; i < rNumRuleTable.size() && m_nUsedSlots < MSWORD_MAX_STYLES_LIMIT; ++i) { const SwNumRule* pNumRule = rNumRuleTable[i]; if (pNumRule->IsAutoRule() || pNumRule->GetName().startsWith("WWNum")) @@ -326,8 +326,8 @@ void MSWordStyles::BuildStyleIds() for (sal_uInt16 n = 1; n < m_nUsedSlots; ++n) { OUString aName; - if(m_pFormatA[n]) - aName = m_pFormatA[n]->GetName(); + if (m_aFormatA[n]) + aName = m_aFormatA[n]->GetName(); else if (m_aNumRules.find(n) != m_aNumRules.end()) aName = m_aNumRules[n]->GetName(); OStringBuffer aStyleIdBuf(aName.getLength()); @@ -607,8 +607,8 @@ void MSWordStyles::OutputStyle( SwFormat* pFormat, sal_uInt16 nPos ) for ( int nSuffix = 0; ; ++nSuffix ) { bool clash=false; for ( sal_uInt16 n = 1; n < m_nUsedSlots; ++n ) - if ( m_pFormatA[n] && - m_pFormatA[n]->GetName().equalsIgnoreAsciiCase(aName) ) + if ( m_aFormatA[n] && + m_aFormatA[n]->GetName().equalsIgnoreAsciiCase(aName) ) { clash = true; break; @@ -683,7 +683,7 @@ void MSWordStyles::OutputStylesTable() if (m_aNumRules.find(n) != m_aNumRules.end()) OutputStyle(m_aNumRules[n], n); else - OutputStyle( m_pFormatA[n], n ); + OutputStyle(m_aFormatA[n], n); } m_rExport.AttrOutput().EndStyles( m_nUsedSlots ); diff --git a/sw/source/filter/ww8/wrtww8.hxx b/sw/source/filter/ww8/wrtww8.hxx index 064055fd06c7..aef47717f0a1 100644 --- a/sw/source/filter/ww8/wrtww8.hxx +++ b/sw/source/filter/ww8/wrtww8.hxx @@ -1536,7 +1536,7 @@ class MSWordStyles { MSWordExportBase& m_rExport; sal_uInt16 m_aHeadingParagraphStyles[MAXLEVEL]; - std::unique_ptr<SwFormat*[]> m_pFormatA; ///< Slot <-> Character and paragraph style array (0 for list styles). + std::vector<SwFormat*> m_aFormatA; ///< Slot <-> Character and paragraph style array (0 for list styles). sal_uInt16 m_nUsedSlots; bool const m_bListStyles; ///< If list styles are requested to be exported as well. std::map<sal_uInt16, const SwNumRule*> m_aNumRules; ///< Slot <-> List style map. @@ -1584,7 +1584,7 @@ public: /// Get styleId of the nId-th style (nId is its position in pFormatA). OString const & GetStyleId(sal_uInt16 nId) const; - const SwFormat* GetSwFormat(sal_uInt16 nId) const { return m_pFormatA[nId]; } + const SwFormat* GetSwFormat(sal_uInt16 nId) const { return m_aFormatA[nId]; } /// Get numbering rule of the nId-th style const SwNumRule* GetSwNumRule(sal_uInt16 nId) const; sal_uInt16 GetHeadingParagraphStyleId(sal_uInt16 nLevel) const { return m_aHeadingParagraphStyles[ nLevel ]; } commit 1b8ca2dd47a81ecfc4de379e95719a7c00858792 Author: zhutyra <zhutyra> AuthorDate: Tue Feb 1 13:54:55 2022 +0000 Commit: Gabor Kelemen <kelem...@ubuntu.com> CommitDate: Sat Apr 2 13:25:59 2022 +0200 read of width/height uses wrong record size this initially went wrong at: commit b4fb7a437bb0ce987702b12008737756623618ac Date: Mon May 23 21:38:40 2011 +0100 fix up some more endian LIBREOFFICE-SBQ5TJRS Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc) (cherry picked from commit aaad67afccf1c59bf7d8fe7ab5207ff903f1c515) diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 45637de0c32c..cd25e50bb93b 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1365,8 +1365,12 @@ void LwpDrawBitmap::Read() if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader)) { - m_pStream->ReadUInt32( aInfoHeader2.nWidth ); - m_pStream->ReadUInt32( aInfoHeader2.nHeight ); + sal_uInt16 nTmp; + + m_pStream->ReadUInt16( nTmp ); + aInfoHeader2.nWidth = nTmp; + m_pStream->ReadUInt16( nTmp ); + aInfoHeader2.nHeight = nTmp; m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount );