fdo#39135: Prevent integer overflow & update the character during loop.

These two errors in the code contributed to the reported bug. Let's fix them. Change-Id: If82a1bd4d1e27145b48e722b30388cc9dc4a8a6e Reviewed-on: https://gerrit.libreoffice.org/2007 Reviewed-by: Eike Rathke <erack@redhat.com> Tested-by: Eike Rathke <erack@redhat.com>
author: Kohei Yoshida <kohei.yoshida@gmail.com> 2013-02-05 15:23:44 -0500
committer: Eike Rathke <erack@redhat.com> 2013-02-06 14:38:32 +0000
commit: 232b93e7f0e0ca90b54fe96d2c1adc5766d6706c (patch)
tree: ed15597c1faa9ba893a8f4b5797027acdf04226c /sc/source/core/tool
parent: e86ce65dfe42a7d7f3f2cdae3bdcea0f42bb6bb3 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/sc/source/core/tool/reffind.cxx b/sc/source/core/tool/reffind.cxx
index 2fe76fc79161..c4621f0029b8 100644
--- a/sc/source/core/tool/reffind.cxx
+++ b/sc/source/core/tool/reffind.cxx
@@ -155,15 +155,20 @@ void ExpandToTextR1C1(const sal_Unicode* p, xub_StrLen nLen, xub_StrLen& rStartP
                     if (c == '\'')
                         break;
                 }
+                if (rStartPos == 0)
+                    break;
             }
             else if (c == ']')
             {
                 // Skip until the opening braket.
                 for (--rStartPos; rStartPos > 0; --rStartPos)
                 {
+                    c = p[rStartPos];
                     if (c == '[')
                         break;
                 }
+                if (rStartPos == 0)
+                    break;
             }
             else if (!IsText(c))
             {
author	Kohei Yoshida <kohei.yoshida@gmail.com>	2013-02-05 15:23:44 -0500
committer	Eike Rathke <erack@redhat.com>	2013-02-06 14:38:32 +0000
commit	232b93e7f0e0ca90b54fe96d2c1adc5766d6706c (patch)
tree	ed15597c1faa9ba893a8f4b5797027acdf04226c /sc/source/core/tool
parent	e86ce65dfe42a7d7f3f2cdae3bdcea0f42bb6bb3 (diff)