prevent out of bounds string access

Yet another reminiscence of String to OUString conversion..
where the terminating NULL-character was obtained and
SvNumberformat::InsertBlanks() effectively did nothing.

Could be triggered already by entering an '_' underscore character as
number format code, which is a place holder for blanks of the same width
as the following character, which there isn't then yet.

Change-Id: I0534e1417d4bd35e9e7ed4bd0170b9ea3b5fb575
(cherry picked from commit c75ce37560c05271ba56c9dd0d98c5001e83cc2f)
Reviewed-on: https://gerrit.libreoffice.org/25692
Reviewed-by: Eike Rathke <erack@redhat.com>
Tested-by: Eike Rathke <erack@redhat.com>

1 files changed, 12 insertions, 10 deletions

diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 0529f271979c..38efb37be8c9 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -1926,8 +1926,8 @@ void SvNumberformat::GetOutputString(const OUString& sString,
                 }
                 break;
             case NF_SYMBOLTYPE_BLANK:
-                InsertBlanks( sOutBuff, sOutBuff.getLength(),
-                              rInfo.sStrArray[i][1] );
+                if (rInfo.sStrArray[i].getLength() >= 2)
+                    InsertBlanks( sOutBuff, sOutBuff.getLength(), rInfo.sStrArray[i][1] );
                 break;
             case NF_KEY_GENERAL :   // #77026# "General" is the same as "@"
             case NF_SYMBOLTYPE_DEL :
@@ -2243,8 +2243,8 @@ bool SvNumberformat::GetOutputString(double fNumber,
                     }
                     break;
                 case NF_SYMBOLTYPE_BLANK:
-                    InsertBlanks(sBuff, sBuff.getLength(),
-                                 rInfo.sStrArray[i][1] );
+                    if (rInfo.sStrArray[i].getLength() >= 2)
+                        InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
                     break;
                 case NF_SYMBOLTYPE_STRING:
                 case NF_SYMBOLTYPE_CURRENCY:
@@ -2875,8 +2875,8 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber,
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
-            InsertBlanks(sBuff, sBuff.getLength(),
-                         rInfo.sStrArray[i][1] );
+            if (rInfo.sStrArray[i].getLength() >= 2)
+                InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
             break;
         case NF_SYMBOLTYPE_STRING:
         case NF_SYMBOLTYPE_CURRENCY:
@@ -3371,7 +3371,8 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber,
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
-            InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
+            if (rInfo.sStrArray[i].getLength() >= 2)
+                InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
             break;
         case NF_SYMBOLTYPE_STRING:
         case NF_SYMBOLTYPE_CURRENCY:
@@ -3664,8 +3665,8 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber,
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
-            InsertBlanks( sBuff, sBuff.getLength(),
-                          rInfo.sStrArray[i][1] );
+            if (rInfo.sStrArray[i].getLength() >= 2)
+                InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] );
             break;
         case NF_SYMBOLTYPE_STRING:
         case NF_SYMBOLTYPE_CURRENCY:
@@ -4311,7 +4312,8 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer& sBuff, // number string
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
-            k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] );
+            if (rInfo.sStrArray[j].getLength() >= 2)
+                k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] );
             break;
         case NF_SYMBOLTYPE_THSEP:
             // Same as in ImpNumberFillWithThousands() above, do not insert