summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArmin Le Grand <Armin.Le.Grand@me.com>2015-11-03 12:25:13 +0100
committerKatarina Behrens <Katarina.Behrens@cib.de>2015-11-04 11:29:21 +0000
commitf0cef70cd4164342b218fbee34bf57eedc22c998 (patch)
treeedf7a6e44f54a8eb6b5ed6179e8e5157fa001872
parent4340cc7a63c3a94a7b95e014a501b44d886e18bb (diff)
tdf#95298: corrected some out-of-bound accesses to array
the index variable m_FrameList used to reference the current frame uses the state EMTY_FRAMELIST to mark as invalid, which is the max integer number. Thus all usages have to be secured to not use m_FrameList if set to EMPTY_FRAMELIST. This was missing in some places. the max integer number. Thus all usages have to be secured to not use m_FrameList if set to EMPTY_FRAMELIST. This was missing in some places. Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8 Reviewed-on: https://gerrit.libreoffice.org/19753 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de>
-rw-r--r--sd/source/ui/dlg/animobjs.cxx10
1 files changed, 6 insertions, 4 deletions
diff --git a/sd/source/ui/dlg/animobjs.cxx b/sd/source/ui/dlg/animobjs.cxx
index c2d83e45f548..2c2f4ee13183 100644
--- a/sd/source/ui/dlg/animobjs.cxx
+++ b/sd/source/ui/dlg/animobjs.cxx
@@ -420,7 +420,8 @@ IMPL_LINK_TYPED( AnimationWindow, ClickRemoveBitmapHdl, Button*, pBtn, void )
SdPage* pPage = pMyDoc->GetSdPage(0, PK_STANDARD);
SdrObject* pObject;
- if (pBtn == m_pBtnRemoveBitmap)
+ // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+ if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST != m_nCurrentFrame)
{
delete m_FrameList[m_nCurrentFrame].first;
delete m_FrameList[m_nCurrentFrame].second;
@@ -439,8 +440,8 @@ IMPL_LINK_TYPED( AnimationWindow, ClickRemoveBitmapHdl, Button*, pBtn, void )
if (m_nCurrentFrame >= m_FrameList.size())
{
- assert(m_FrameList.empty());
- m_nCurrentFrame = EMPTY_FRAMELIST;
+ // tdf#95298 last frame was deleted, try to use the one before it or go on empty state
+ m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST : m_FrameList.size() - 1;
}
}
else // delete everything
@@ -522,7 +523,8 @@ IMPL_LINK_NOARG_TYPED(AnimationWindow, ModifyTimeHdl, Edit&, void)
void AnimationWindow::UpdateControl(bool const bDisableCtrls)
{
- if (!m_FrameList.empty())
+ // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+ if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame)
{
BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first);