diff options
| author | Eike Rathke <erack@redhat.com> | 2017-08-21 15:49:41 +0200 |
|---|---|---|
| committer | Markus Mohrhard <markus.mohrhard@googlemail.com> | 2017-08-24 13:49:32 +0200 |
| commit | 9bedb5caae9cb4b535b9fc370480c1b4f5cd70f6 (patch) | |
| tree | fe0bd3efaa50a655671b1d4e84959e8df6e16598 /sc | |
| parent | e6426cc1bf174a67828f3e18ab1ea70eccc44b07 (diff) | |
Resolves: tdf#111943 really really limit the match, tdf#108292 follow-up
getRemainingCount() could deliver a wrapped around overflow value if mnIndex
was already greater than the end index, which could happen if when/for
non-matching larger block sizes were added, and if then a match was found
behind those blocks a non-requested/unexpected index was returned, which in
turn led to the assert() being hit in ScInterpreter::CalculateLookup(). In
non-debug could result in an invalid block position access.
This happened with the bug case document of tdf#111943 which in master can be
loaded.
Also, the start and end index are not dynamic and don't have to be recalculated
each time, so make them const; column argument values are unused after.
(cherry picked from commit 25b3806ac509006573e669acc33643af3bd77380)
Change-Id: Ic294cade4e8e7828bee394e5ade61d7127be6bbb
Reviewed-on: https://gerrit.libreoffice.org/41396
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Markus Mohrhard <markus.mohrhard@googlemail.com>
Diffstat (limited to 'sc')
| -rw-r--r-- | sc/source/core/tool/scmatrix.cxx | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/sc/source/core/tool/scmatrix.cxx b/sc/source/core/tool/scmatrix.cxx index 659e22fa064a..0a3dca7cb12d 100644 --- a/sc/source/core/tool/scmatrix.cxx +++ b/sc/source/core/tool/scmatrix.cxx @@ -1267,24 +1267,25 @@ template<typename Type> class WalkAndMatchElements : public std::unary_function<MatrixImplType::element_block_node_type, void> { Type maMatchValue; - MatrixImplType::size_pair_type maSize; - size_t mnCol1; - size_t mnCol2; + const size_t mnStartIndex; + const size_t mnStopIndex; size_t mnResult; size_t mnIndex; public: WalkAndMatchElements(Type aMatchValue, const MatrixImplType::size_pair_type& aSize, size_t nCol1, size_t nCol2) : maMatchValue(aMatchValue), - maSize(aSize), - mnCol1(nCol1), - mnCol2(nCol2), + mnStartIndex( nCol1 * aSize.row ), + mnStopIndex( (nCol2 + 1) * aSize.row ), mnResult(ResultNotSet), mnIndex(0) {} size_t getMatching() const { return mnResult; } - size_t getRemainingCount() const { return ((mnCol2 + 1) * maSize.row) - mnIndex; } + size_t getRemainingCount() const + { + return mnIndex < mnStopIndex ? mnStopIndex - mnIndex : 0; + } size_t compare(const MatrixImplType::element_block_node_type& node) const; @@ -1295,7 +1296,7 @@ public: return; // limit lookup to the requested columns - if ((mnCol1 * maSize.row) <= mnIndex && getRemainingCount() > 0) + if (mnStartIndex <= mnIndex && getRemainingCount() > 0) { mnResult = compare(node); } |