diff options
author | Eike Rathke <erack@redhat.com> | 2017-08-21 15:49:41 +0200 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2017-08-25 19:39:03 +0200 |
commit | 5caa0aa95cd855d1047c73a3f8eda59de22e86b7 (patch) | |
tree | 77d4ec425e2ce7f1472891657d3ba29cfae1d12a /sc | |
parent | d77bd14f1ee57523a94e7d5cb7cac60de25b57a2 (diff) |
Resolves: tdf#111943 really really limit the match, tdf#108292 follow-up
getRemainingCount() could deliver a wrapped around overflow value if mnIndex
was already greater than the end index, which could happen if when/for
non-matching larger block sizes were added, and if then a match was found
behind those blocks a non-requested/unexpected index was returned, which in
turn led to the assert() being hit in ScInterpreter::CalculateLookup(). In
non-debug could result in an invalid block position access.
This happened with the bug case document of tdf#111943 which in master can be
loaded.
Also, the start and end index are not dynamic and don't have to be recalculated
each time, so make them const; column argument values are unused after.
(cherry picked from commit 25b3806ac509006573e669acc33643af3bd77380)
Change-Id: Ic294cade4e8e7828bee394e5ade61d7127be6bbb
Reviewed-on: https://gerrit.libreoffice.org/41397
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
(cherry picked from commit 8d8044d25a6d112854655ef0ad51f1a904350f0f)
Diffstat (limited to 'sc')
-rw-r--r-- | sc/source/core/tool/scmatrix.cxx | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/sc/source/core/tool/scmatrix.cxx b/sc/source/core/tool/scmatrix.cxx index 1807a11c53cc..30fb6eb0b36f 100644 --- a/sc/source/core/tool/scmatrix.cxx +++ b/sc/source/core/tool/scmatrix.cxx @@ -1264,24 +1264,25 @@ template<typename Type> class WalkAndMatchElements : public std::unary_function<MatrixImplType::element_block_node_type, void> { Type maMatchValue; - MatrixImplType::size_pair_type maSize; - size_t mnCol1; - size_t mnCol2; + const size_t mnStartIndex; + const size_t mnStopIndex; size_t mnResult; size_t mnIndex; public: WalkAndMatchElements(Type aMatchValue, const MatrixImplType::size_pair_type& aSize, size_t nCol1, size_t nCol2) : maMatchValue(aMatchValue), - maSize(aSize), - mnCol1(nCol1), - mnCol2(nCol2), + mnStartIndex( nCol1 * aSize.row ), + mnStopIndex( (nCol2 + 1) * aSize.row ), mnResult(ResultNotSet), mnIndex(0) {} size_t getMatching() const { return mnResult; } - size_t getRemainingCount() const { return ((mnCol2 + 1) * maSize.row) - mnIndex; } + size_t getRemainingCount() const + { + return mnIndex < mnStopIndex ? mnStopIndex - mnIndex : 0; + } size_t compare(const MatrixImplType::element_block_node_type& node) const; @@ -1292,7 +1293,7 @@ public: return; // limit lookup to the requested columns - if ((mnCol1 * maSize.row) <= mnIndex && getRemainingCount() > 0) + if (mnStartIndex <= mnIndex && getRemainingCount() > 0) { mnResult = compare(node); } |