author Luboš Luňák <l.lunak@collabora.com> 2018-07-27 16:59:02 +0200
committer Luboš Luňák <l.lunak@collabora.com> 2018-07-31 16:01:05 +0200
commit 58a15b452801f1f6f1b3e9f2fef49a1249538ac5
tree b2ccc84459fae4b754c359f826f34063361555e5 /formula
parent 3c15daa2a11d675a37b2d75a3f9952cfd60b3e98
protect against accessing before the start of pCode in FormulaCompiler

If the expression is bad, such as in sc/qa/.../sheet.fods, 'pCode - 1' may actually refer before the array of tokens, since nothing has been added yet. So make that element nullptr. This is a bit hackish, but checking in every place that pCode is valid seems tedious.

Change-Id: Ia099a50583f60d93a2e20b1f7b5e44b0121a275b
Reviewed-on: https://gerrit.libreoffice.org/58198
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins
Reviewed-by: Luboš Luňák <l.lunak@collabora.com>

Diffstat (limited to 'formula')
-rw-r--r-- formula/source/core/api/FormulaCompiler.cxx 7
1 files changed, 6 insertions, 1 deletions
diff --git a/formula/source/core/api/FormulaCompiler.cxx b/formula/source/core/api/FormulaCompiler.cxx
index 8e79e5ca68dd..c22f9edbdbe1 100644
--- a/formula/source/core/api/FormulaCompiler.cxx
+++ b/formula/source/core/api/FormulaCompiler.cxx
@@ -2079,7 +2079,12 @@ bool FormulaCompiler::CompileTokenArray()
pArr->DelRPN();
maArrIterator.Reset();
pStack = nullptr;
- FormulaToken* pData[ FORMULA_MAXTOKENS ];
+ FormulaToken* pDataArray[ FORMULA_MAXTOKENS + 1 ];
+ // Code in some places refers to the last token as 'pCode - 1', which may
+ // point before the first element if the expression is bad. So insert a dummy
+ // node in that place which will make that token be nullptr.
+ pDataArray[ 0 ] = nullptr;
+ FormulaToken** pData = pDataArray + 1;
pCode = pData;
bool bWasForced = pArr->IsRecalcModeForced();
if ( bWasForced )
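
Review bot: the comment added above `pDataArray[ 0 ] = nullptr;` does not state the contract the sentinel creates. Every reader of 'pCode - 1' now has to treat nullptr as "no previous token", and a site that dereferences it unchecked trades the out-of-bounds read for a null dereference. The guard is also exactly one slot wide: a look-back of two or more elements still lands before `pDataArray`, and a write through 'pCode - 1' while `pCode == pData` would silently overwrite the sentinel. Suggest saying both in the comment, and adding an assert or a small accessor for "previous token" so the nullptr case is handled in one place rather than relying on each caller. Since the commit message points at a bad-expression test document, a regression test that loads it would pin the behaviour.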