diff options
author | Michael Stahl <mstahl@redhat.com> | 2014-01-14 16:32:20 +0100 |
---|---|---|
committer | David Tardon <dtardon@redhat.com> | 2014-01-16 09:02:35 +0000 |
commit | 417e1ac46542de0e6d9775ed43da07980eceafea (patch) | |
tree | 6ea821a7f71340ab309486f1241149dcabd774cf | |
parent | b591830c3cba2698aee26b806214e229db4c4483 (diff) |
fdo#73095: fix invalid access in SwFntObj::DrawText()
aStr may be 1 larger than pKernArray.
Trivial fix by checking the largest index; not sure if it would be a
good idea to allocate pKernArray with the larger size in the first
place, but that would be a bigger change...
(regression from 02ce734450559c9353ca7f42b2519239220dd265)
Change-Id: Ia33feab001c34e85066b7596d8873f41588984e9
(cherry picked from commit 61ec8f086ba314b86c80a02b16072e88774abf6c)
Reviewed-on: https://gerrit.libreoffice.org/7427
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Michael Meeks <michael.meeks@collabora.com>
(cherry picked from commit 7ed845ae5682fdafb3390df85144388e240ccb89)
Reviewed-on: https://gerrit.libreoffice.org/7441
Reviewed-by: Khaled Hosny <khaledhosny@eglug.org>
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>
-rw-r--r-- | sw/source/core/txtnode/fntcache.cxx | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sw/source/core/txtnode/fntcache.cxx b/sw/source/core/txtnode/fntcache.cxx index 0ccbbc66fe6a..a518e1c53755 100644 --- a/sw/source/core/txtnode/fntcache.cxx +++ b/sw/source/core/txtnode/fntcache.cxx @@ -1573,8 +1573,11 @@ void SwFntObj::DrawText( SwDrawTextInfo &rInf ) /* fdo#72488 Hack: try to see if the space is zero width * and don't bother with inserting a bullet in this case. */ - if (pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1]) + if ((i + nCopyStart + 1 >= rInf.GetLen()) || + pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1]) + { aStr = aStr.replaceAt(i, 1, OUString(CH_BULLET)); + } } } |