diff options
author | Armin Le Grand <Armin.Le.Grand@me.com> | 2015-11-03 12:25:13 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2015-11-05 11:44:10 +0000 |
commit | 6b3b080f8cedc1b496022b18e477af0c7361fba3 (patch) | |
tree | e3bd6d26eecfb553fce282df86d9a99d9a574412 /sd/source | |
parent | c7a520868ecf6d5de48dc3964a7bccab3fa480c3 (diff) |
tdf#95298: corrected some out-of-bound accesses to array
the index variable m_FrameList used to reference the current frame uses
the state EMTY_FRAMELIST to mark as invalid, which is the max integer
number. Thus all usages have to be secured to not use m_FrameList
if set to EMPTY_FRAMELIST. This was missing in some places.
the max integer
number. Thus all usages have to be secured to not use m_FrameList
if set to EMPTY_FRAMELIST. This was missing in some places.
Reviewed-on: https://gerrit.libreoffice.org/19753
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de>
Cherry-picked from f0cef70cd4164342b218fbee34bf57eedc22c998
Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8
Reviewed-on: https://gerrit.libreoffice.org/19787
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sd/source')
-rw-r--r-- | sd/source/ui/dlg/animobjs.cxx | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/sd/source/ui/dlg/animobjs.cxx b/sd/source/ui/dlg/animobjs.cxx index 0b033f9c2cc3..5c66014ffc7c 100644 --- a/sd/source/ui/dlg/animobjs.cxx +++ b/sd/source/ui/dlg/animobjs.cxx @@ -430,7 +430,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *, pBtn ) SdPage* pPage = pMyDoc->GetSdPage(0, PK_STANDARD); SdrObject* pObject; - if (pBtn == m_pBtnRemoveBitmap) + // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access + if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST != m_nCurrentFrame) { delete m_FrameList[m_nCurrentFrame].first; delete m_FrameList[m_nCurrentFrame].second; @@ -449,8 +450,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *, pBtn ) if (m_nCurrentFrame >= m_FrameList.size()) { - assert(m_FrameList.empty()); - m_nCurrentFrame = EMPTY_FRAMELIST; + // tdf#95298 last frame was deleted, try to use the one before it or go on empty state + m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST : m_FrameList.size() - 1; } } else // delete everything @@ -539,7 +540,8 @@ IMPL_LINK_NOARG(AnimationWindow, ModifyTimeHdl) void AnimationWindow::UpdateControl(bool const bDisableCtrls) { - if (!m_FrameList.empty()) + // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access + if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame) { BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first); |