fdo#39135: Prevent integer overflow & update the character during loop.

These two errors in the code contributed to the reported bug. Let's fix them. Change-Id: If82a1bd4d1e27145b48e722b30388cc9dc4a8a6e Reviewed-on: https://gerrit.libreoffice.org/2008 Reviewed-by: Markus Mohrhard <markus.mohrhard@googlemail.com> Tested-by: Markus Mohrhard <markus.mohrhard@googlemail.com>
author: Kohei Yoshida <kohei.yoshida@gmail.com> 2013-02-05 15:23:44 -0500
committer: Markus Mohrhard <markus.mohrhard@googlemail.com> 2013-02-09 23:09:07 +0000
commit: 03158229fdfda1003d072853610fbfbe433b8be9 (patch)
tree: af8c48bf609b49381ddd4f1f027654fc09444f04
parent: 97c1b412148fc3920ea5aee687fbba887ddd4eb2 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/sc/source/core/tool/reffind.cxx b/sc/source/core/tool/reffind.cxx
index 660bab082297..c8e1722ac6e2 100644
--- a/sc/source/core/tool/reffind.cxx
+++ b/sc/source/core/tool/reffind.cxx
@@ -169,15 +169,20 @@ void ExpandToTextR1C1(const sal_Unicode* p, xub_StrLen nLen, xub_StrLen& rStartP
                     if (c == '\'')
                         break;
                 }
+                if (rStartPos == 0)
+                    break;
             }
             else if (c == ']')
             {
                 // Skip until the opening braket.
                 for (--rStartPos; rStartPos > 0; --rStartPos)
                 {
+                    c = p[rStartPos];
                     if (c == '[')
                         break;
                 }
+                if (rStartPos == 0)
+                    break;
             }
             else if (!IsText(c))
             {
author	Kohei Yoshida <kohei.yoshida@gmail.com>	2013-02-05 15:23:44 -0500
committer	Markus Mohrhard <markus.mohrhard@googlemail.com>	2013-02-09 23:09:07 +0000
commit	03158229fdfda1003d072853610fbfbe433b8be9 (patch)
tree	af8c48bf609b49381ddd4f1f027654fc09444f04
parent	97c1b412148fc3920ea5aee687fbba887ddd4eb2 (diff)