prevent out-of-bounds string access

... while entering a * star symbol format code and there's no fill character following the * yet, for example "xxx"* (cherry picked from commit 839cc63e7d1b78c56e04bafb46037e898ce2c455) more out-of-bounds string accesses (cherry picked from commit 349c93e0f5c9f231b2ff6854fcb795ca5881ca2d) Change-Id: I006f125ceefccba6a95ea033fd434d98e5d4f1c2 Reviewed-on: https://gerrit.libreoffice.org/10994 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
author: Eike Rathke <erack@redhat.com> 2014-08-18 14:09:20 +0200
committer: David Tardon <dtardon@redhat.com> 2014-08-18 12:37:54 -0500
commit: f3e7a49e2c7ea235b724c157f8d05a23c675913a (patch)
tree: 965c5a7cdda77b6f7da1bc4594687e588daff094 /svl
parent: d2e69f454a30e64acb04f88a5d753169dbfc5259 (diff)
1 files changed, 32 insertions, 24 deletions
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index ef94a236ec93..a48c0293df1d 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -2241,6 +2241,30 @@ short SvNumberformat::ImpCheckCondition(double& fNumber,
     }
 }
 
+static bool lcl_appendStarFillChar( OUStringBuffer& rBuf, const OUString& rStr )
+{
+    // Right during user input the star symbol is the very
+    // last character before the user enters another one.
+    if (rStr.getLength() > 1)
+    {
+        rBuf.append((sal_Unicode) 0x1B);
+        rBuf.append(rStr[1]);
+        return true;
+    }
+    return false;
+}
+
+static bool lcl_insertStarFillChar( OUStringBuffer& rBuf, sal_Int32 nPos, const OUString& rStr )
+{
+    if (rStr.getLength() > 1)
+    {
+        rBuf.insert( nPos, rStr[1]);
+        rBuf.insert( nPos, (sal_Unicode) 0x1B);
+        return true;
+    }
+    return false;
+}
+
 bool SvNumberformat::GetOutputString(const OUString& sString,
                                      OUString& OutString,
                                      Color** ppColor)
@@ -2273,9 +2297,7 @@ bool SvNumberformat::GetOutputString(const OUString& sString,
             case NF_SYMBOLTYPE_STAR:
                 if( bStarFlag )
                 {
-                    sOutBuff.append((sal_Unicode) 0x1B);
-                    sOutBuff.append(rInfo.sStrArray[i][1]);
-                    bRes = true;
+                    bRes = lcl_appendStarFillChar( sOutBuff, rInfo.sStrArray[i]);
                 }
                 break;
             case NF_SYMBOLTYPE_BLANK:
@@ -2588,9 +2610,7 @@ bool SvNumberformat::GetOutputString(double fNumber,
                 case NF_SYMBOLTYPE_STAR:
                     if( bStarFlag )
                     {
-                        sBuff.append((sal_Unicode) 0x1B);
-                        sBuff.append(rInfo.sStrArray[i][1]);
-                        bRes = true;
+                        bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
                     }
                     break;
                 case NF_SYMBOLTYPE_BLANK:
@@ -3214,9 +3234,7 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber,
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.append((sal_Unicode)0x1B);
-                sBuff.append(rInfo.sStrArray[i][1]);
-                bRes = true;
+                bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -3712,9 +3730,7 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber,
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.append((sal_Unicode) 0x1B);
-                sBuff.append(rInfo.sStrArray[i][1]);
-                bRes = true;
+                bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -4007,9 +4023,7 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber,
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.append((sal_Unicode) 0x1B);
-                sBuff.append(rInfo.sStrArray[i][1]);
-                bRes = true;
+                bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -4340,9 +4354,7 @@ bool SvNumberformat::ImpGetNumberOutput(double fNumber,
             case NF_SYMBOLTYPE_STAR:
                 if( bStarFlag )
                 {
-                    sStr.insert(k, rInfo.sStrArray[j][1]);
-                    sStr.insert(k, (sal_Unicode) 0x1B);
-                    bRes = true;
+                    bRes = lcl_insertStarFillChar( sStr, k, rInfo.sStrArray[j]);
                 }
                 break;
             case NF_SYMBOLTYPE_BLANK:
@@ -4475,9 +4487,7 @@ bool SvNumberformat::ImpNumberFillWithThousands( OUStringBuffer& sBuff,  // numb
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.insert(k, rInfo.sStrArray[j][1]);
-                sBuff.insert(k, (sal_Unicode) 0x1B);
-                bRes = true;
+                bRes = lcl_insertStarFillChar( sBuff, k, rInfo.sStrArray[j]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -4651,9 +4661,7 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer& sBuff, // number string
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.insert(k, rInfo.sStrArray[j][1]);
-                sBuff.insert(k, sal_Unicode(0x1B));
-                bRes = true;
+                bRes = lcl_insertStarFillChar( sBuff, k, rInfo.sStrArray[j]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
author	Eike Rathke <erack@redhat.com>	2014-08-18 14:09:20 +0200
committer	David Tardon <dtardon@redhat.com>	2014-08-18 12:37:54 -0500
commit	f3e7a49e2c7ea235b724c157f8d05a23c675913a (patch)
tree	965c5a7cdda77b6f7da1bc4594687e588daff094 /svl
parent	d2e69f454a30e64acb04f88a5d753169dbfc5259 (diff)