diff options
| author | Michael Stahl <mstahl@redhat.com> | 2015-05-22 20:53:05 +0200 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-05-25 14:53:02 +0000 |
| commit | 668e6353f4597b81ebfd153b6197831dac50d398 (patch) | |
| tree | 55236e738814d36e37366730b61797bd87224b75 | |
| parent | 26c6602c9036e12e0d228b6f5377f47fde5a530f (diff) | |
tdf#90809: i18npool: fix crash in Thai break iterator
endPos = nStartPos + 1 may be past the end index
invalid write of size 4
at 0x1CBBA959: com::sun::star::i18n::BreakIterator_th::makeIndex(rtl::OUString const&, int) (breakiterator_th.cxx:139)
by 0x1CBB4AA2: com::sun::star::i18n::BreakIterator_CTL::previousCharacters(rtl::OUString const&, int, com::sun::star::lang::Locale const&, short, int, int&) (breakiterator_ctl.cxx:61)
by 0x1CBB544F: com::sun::star::i18n::BreakIteratorImpl::previousCharacters(rtl::OUString const&, int, com::sun::star::lang::Locale const&, short, int, int&) (breakiteratorImpl.cxx:64)
by 0xA29D29A: ServerFontLayout::setNeedFallback(ImplLayoutArgs&, int, bool) (gcach_layout.cxx:99)
Change-Id: I201f24cb6773b5aa1a81dea90ea906d3d4355053
(cherry picked from commit 9db629b8a1fa9b63bc320f8d47594ec82511a9c5)
Reviewed-on: https://gerrit.libreoffice.org/15869
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | i18npool/source/breakiterator/breakiterator_th.cxx | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/i18npool/source/breakiterator/breakiterator_th.cxx b/i18npool/source/breakiterator/breakiterator_th.cxx index e350fdce1c4c..5b4973bd075f 100644 --- a/i18npool/source/breakiterator/breakiterator_th.cxx +++ b/i18npool/source/breakiterator/breakiterator_th.cxx @@ -103,7 +103,7 @@ static sal_Int32 SAL_CALL getACell(const sal_Unicode *text, sal_Int32 pos, sal_I #define is_Thai(c) (0x0e00 <= c && c <= 0x0e7f) // Unicode definition for Thai -void SAL_CALL BreakIterator_th::makeIndex(const OUString& Text, sal_Int32 nStartPos) +void SAL_CALL BreakIterator_th::makeIndex(const OUString& Text, sal_Int32 const nStartPos) throw(RuntimeException) { if (Text != cachedText) { @@ -123,18 +123,20 @@ void SAL_CALL BreakIterator_th::makeIndex(const OUString& Text, sal_Int32 nStart return; const sal_Unicode* str = cachedText.getStr(); - sal_Int32 len = cachedText.getLength(), startPos, endPos; + sal_Int32 const len = cachedText.getLength(); - startPos = nStartPos; + sal_Int32 startPos = nStartPos; while (startPos > 0 && is_Thai(str[startPos-1])) startPos--; - endPos = nStartPos+1; + sal_Int32 endPos = std::min(len, nStartPos+1); while (endPos < len && is_Thai(str[endPos])) endPos++; sal_Int32 start, end, pos; pos = start = end = startPos; + assert(endPos <= cellIndexSize); while (pos < endPos) { end += getACell(str, start, endPos); + assert(end <= cellIndexSize); while (pos < end) { nextCellIndex[pos] = end; previousCellIndex[pos] = start; |