summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Stahl <mstahl@redhat.com>2014-01-14 16:32:20 +0100
committerDavid Tardon <dtardon@redhat.com>2014-01-16 09:02:35 +0000
commit417e1ac46542de0e6d9775ed43da07980eceafea (patch)
tree6ea821a7f71340ab309486f1241149dcabd774cf
parentb591830c3cba2698aee26b806214e229db4c4483 (diff)
fdo#73095: fix invalid access in SwFntObj::DrawText()
aStr may be 1 larger than pKernArray. Trivial fix by checking the largest index; not sure if it would be a good idea to allocate pKernArray with the larger size in the first place, but that would be a bigger change... (regression from 02ce734450559c9353ca7f42b2519239220dd265) Change-Id: Ia33feab001c34e85066b7596d8873f41588984e9 (cherry picked from commit 61ec8f086ba314b86c80a02b16072e88774abf6c) Reviewed-on: https://gerrit.libreoffice.org/7427 Reviewed-by: Michael Meeks <michael.meeks@collabora.com> Tested-by: Michael Meeks <michael.meeks@collabora.com> (cherry picked from commit 7ed845ae5682fdafb3390df85144388e240ccb89) Reviewed-on: https://gerrit.libreoffice.org/7441 Reviewed-by: Khaled Hosny <khaledhosny@eglug.org> Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
-rw-r--r--sw/source/core/txtnode/fntcache.cxx5
1 files changed, 4 insertions, 1 deletions
diff --git a/sw/source/core/txtnode/fntcache.cxx b/sw/source/core/txtnode/fntcache.cxx
index 0ccbbc66fe6a..a518e1c53755 100644
--- a/sw/source/core/txtnode/fntcache.cxx
+++ b/sw/source/core/txtnode/fntcache.cxx
@@ -1573,8 +1573,11 @@ void SwFntObj::DrawText( SwDrawTextInfo &rInf )
/* fdo#72488 Hack: try to see if the space is zero width
* and don't bother with inserting a bullet in this case.
*/
- if (pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1])
+ if ((i + nCopyStart + 1 >= rInf.GetLen()) ||
+ pKernArray[i + nCopyStart] != pKernArray[ i + nCopyStart + 1])
+ {
aStr = aStr.replaceAt(i, 1, OUString(CH_BULLET));
+ }
}
}