From 61ec8f086ba314b86c80a02b16072e88774abf6c Mon Sep 17 00:00:00 2001
From: Michael Stahl <mstahl@redhat.com>
Date: Tue, 14 Jan 2014 16:32:20 +0100
Subject: fdo#73095: fix invalid access in SwFntObj::DrawText()

aStr may be 1 larger than pKernArray.
Trivial fix by checking the largest index; not sure if it would be a
good idea to allocate pKernArray with the larger size in the first
place, but that would be a bigger change...
(regression from 02ce734450559c9353ca7f42b2519239220dd265)

Change-Id: Ia33feab001c34e85066b7596d8873f41588984e9
---
 sw/source/core/txtnode/fntcache.cxx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sw/source/core/txtnode/fntcache.cxx b/sw/source/core/txtnode/fntcache.cxx
index 9cb6ba4cde00..9f3c9916105d 100644
--- a/sw/source/core/txtnode/fntcache.cxx
+++ b/sw/source/core/txtnode/fntcache.cxx
@@ -1573,8 +1573,11 @@ void SwFntObj::DrawText( SwDrawTextInfo &rInf )
                     /* fdo#72488 Hack: try to see if the space is zero width
                      * and don't bother with inserting a bullet in this case.
                      */
-                    if (pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1])
+                    if ((i + nCopyStart + 1 >= rInf.GetLen()) ||
+                        pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1])
+                    {
                         aStr = aStr.replaceAt(i, 1, OUString(CH_BULLET));
+                    }
                 }
         }
 
-- 
cgit v1.2.3