diff options
| author | Eike Rathke <erack@redhat.com> | 2017-03-10 13:38:28 +0100 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2017-03-14 13:23:29 +0000 |
| commit | 0f7a1bce18b08045fd98d5de99bb9ed69a7d474d (patch) | |
| tree | a41a56cef2bdf135215ca11fd7bc36999da6fffb | |
| parent | 445b719b8bbff9181cea3601649bb21c27acd7b5 (diff) | |
string access out of bounds
This is a combination of 3 commits.
string access out of bounds
Change-Id: I4f6e6e8e77cdabe593bca5719b6ef38aeecc5da7
(cherry picked from commit 77a8cf7eaf638276030d1c5be8705f5603f071a9)
prevent string access out of bounds
Though only the closing 0-character and the following check excludes that,
dbgutil asserts.
Change-Id: Ife1299042a60f6f058c4cf58b406d1cc022786a7
(cherry picked from commit c407fff205a270e02fe07885805b7250e71c28f8)
guard against a (theoretical?) endless loop of blanks only
Change-Id: I68d6cca1b359aa8fba42663bddb1107c31102415
(cherry picked from commit fe73eff36718b6d99d0cf92d750c457872cc4dcc)
Reviewed-on: https://gerrit.libreoffice.org/35043
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
| -rw-r--r-- | svl/source/numbers/zformat.cxx | 10 | ||||
| -rw-r--r-- | svl/source/numbers/zforscan.cxx | 23 |
2 files changed, 21 insertions, 12 deletions
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx index 09e024eaccac..be19e338d2a1 100644 --- a/svl/source/numbers/zformat.cxx +++ b/svl/source/numbers/zformat.cxx @@ -2817,9 +2817,15 @@ bool SvNumberformat::ImpGetFractionOutput(double fNumber, bRes |= ImpNumberFill(sDiv, fNumber, k, j, nIx, NF_SYMBOLTYPE_FRAC); if ( !bHideFraction && sDenominatorFormat.getLength() > 0 ) { - while ( sDiv[0] == ' ' ) // left align denominator + // Guard against a (theoretical?) endless loop of blanks only. + sal_Int32 n = sDiv.getLength(); + sal_Int32 nDenominatorLen = sDenominatorFormat.getLength(); + while ( n-- > 0 && sDiv[0] == ' ' ) // left align denominator { - sDiv.insert( sDenominatorFormat.getLength(), " " ); + if (sDiv.getLength() <= nDenominatorLen) + sDiv.append(" "); + else + sDiv.insert( nDenominatorLen, " " ); sDiv.remove( 0, 1 ); } } diff --git a/svl/source/numbers/zforscan.cxx b/svl/source/numbers/zforscan.cxx index 34137cb85f42..1cceda79d3ad 100644 --- a/svl/source/numbers/zforscan.cxx +++ b/svl/source/numbers/zforscan.cxx @@ -814,18 +814,21 @@ short ImpSvNumberformatScan::Next_Symbol( const OUString& rStr, switch (cToken) { case '/': // AM/PM, A/P - cNext = rStr[nPos]; - if ( cNext == 'P' || cNext == 'p' ) + if (nPos < rStr.getLength()) { - sal_Int32 nLen = sSymbol.getLength(); - if ( 1 <= nLen && - (sSymbol[0] == 'A' || sSymbol[0] == 'a') && - (nLen == 1 || - (nLen == 2 && (sSymbol[1] == 'M' || sSymbol[1] == 'm') - && (rStr[nPos + 1] == 'M' || rStr[nPos + 1] == 'm')))) + cNext = rStr[nPos]; + if ( cNext == 'P' || cNext == 'p' ) { - sSymbol += OUStringLiteral1(cToken); - bDontStop = true; + sal_Int32 nLen = sSymbol.getLength(); + if ( 1 <= nLen && + (sSymbol[0] == 'A' || sSymbol[0] == 'a') && + (nLen == 1 || + (nLen == 2 && (sSymbol[1] == 'M' || sSymbol[1] == 'm') + && (rStr[nPos + 1] == 'M' || rStr[nPos + 1] == 'm')))) + { + sSymbol += OUStringLiteral1(cToken); + bDontStop = true; + } } } break; |