diff options
| author | Michael Stahl <mstahl@redhat.com> | 2014-01-14 16:32:20 +0100 |
|---|---|---|
| committer | David Tardon <dtardon@redhat.com> | 2014-01-16 09:03:11 +0000 |
| commit | cfcf7d267c5b3535c40b8394f53126b45a7898a4 (patch) | |
| tree | cf2185f77678c5898b32dd2bf3dde9306245ee1c | |
| parent | 1ac58c098743e97862d52f3b1e0d219c871dd14f (diff) | |
fdo#73095: fix invalid access in SwFntObj::DrawText()
aStr may be 1 larger than pKernArray.
Trivial fix by checking the largest index; not sure if it would be a
good idea to allocate pKernArray with the larger size in the first
place, but that would be a bigger change...
(regression from 02ce734450559c9353ca7f42b2519239220dd265)
Change-Id: Ia33feab001c34e85066b7596d8873f41588984e9
(cherry picked from commit 61ec8f086ba314b86c80a02b16072e88774abf6c)
Reviewed-on: https://gerrit.libreoffice.org/7428
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Michael Meeks <michael.meeks@collabora.com>
(cherry picked from commit 4b965b031e2196b39f20e28ce9d9fd40552753a5)
Reviewed-on: https://gerrit.libreoffice.org/7442
Reviewed-by: Khaled Hosny <khaledhosny@eglug.org>
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>
| -rw-r--r-- | sw/source/core/txtnode/fntcache.cxx | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sw/source/core/txtnode/fntcache.cxx b/sw/source/core/txtnode/fntcache.cxx index 0857604c137d..42ca510a86cb 100644 --- a/sw/source/core/txtnode/fntcache.cxx +++ b/sw/source/core/txtnode/fntcache.cxx @@ -1535,8 +1535,11 @@ void SwFntObj::DrawText( SwDrawTextInfo &rInf ) /* fdo#72488 Hack: try to see if the space is zero width * and don't bother with inserting a bullet in this case. */ - if (pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1]) + if ((i + nCopyStart + 1 >= rInf.GetLen()) || + pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1]) + { aStr = aStr.replaceAt(i, 1, OUString(CH_BULLET)); + } } } |