diff options
| author | Eike Rathke <erack@redhat.com> | 2016-05-31 00:02:38 +0200 |
|---|---|---|
| committer | Markus Mohrhard <markus.mohrhard@googlemail.com> | 2016-05-31 05:51:03 +0000 |
| commit | 7e8e2ef608c7fe2a1c6d6fa244534b85dc42362b (patch) | |
| tree | 9d29d8131794a40f985dc7ef4ac454a4feca8dce /svl | |
| parent | 0fac4acb32baf59558f46d42ce31751948f00da3 (diff) | |
prevent out of bounds string access
Yet another reminiscence of String to OUString conversion..
where the terminating NULL-character was obtained and
SvNumberformat::InsertBlanks() effectively did nothing.
Could be triggered already by entering an '_' underscore character as
number format code, which is a place holder for blanks of the same width
as the following character, which there isn't then yet.
Change-Id: I0534e1417d4bd35e9e7ed4bd0170b9ea3b5fb575
(cherry picked from commit c75ce37560c05271ba56c9dd0d98c5001e83cc2f)
Reviewed-on: https://gerrit.libreoffice.org/25693
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Markus Mohrhard <markus.mohrhard@googlemail.com>
Diffstat (limited to 'svl')
| -rw-r--r-- | svl/source/numbers/zformat.cxx | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx index 29402f801910..90175f9fadc7 100644 --- a/svl/source/numbers/zformat.cxx +++ b/svl/source/numbers/zformat.cxx @@ -1941,8 +1941,8 @@ bool SvNumberformat::GetOutputString(const OUString& sString, } break; case NF_SYMBOLTYPE_BLANK: - InsertBlanks( sOutBuff, sOutBuff.getLength(), - rInfo.sStrArray[i][1] ); + if (rInfo.sStrArray[i].getLength() >= 2) + InsertBlanks( sOutBuff, sOutBuff.getLength(), rInfo.sStrArray[i][1] ); break; case NF_KEY_GENERAL : // #77026# "General" is the same as "@" case NF_SYMBOLTYPE_DEL : @@ -2272,8 +2272,8 @@ bool SvNumberformat::GetOutputString(double fNumber, } break; case NF_SYMBOLTYPE_BLANK: - InsertBlanks(sBuff, sBuff.getLength(), - rInfo.sStrArray[i][1] ); + if (rInfo.sStrArray[i].getLength() >= 2) + InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] ); break; case NF_SYMBOLTYPE_STRING: case NF_SYMBOLTYPE_CURRENCY: @@ -2904,8 +2904,8 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber, } break; case NF_SYMBOLTYPE_BLANK: - InsertBlanks(sBuff, sBuff.getLength(), - rInfo.sStrArray[i][1] ); + if (rInfo.sStrArray[i].getLength() >= 2) + InsertBlanks(sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] ); break; case NF_SYMBOLTYPE_STRING: case NF_SYMBOLTYPE_CURRENCY: @@ -3397,7 +3397,8 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber, } break; case NF_SYMBOLTYPE_BLANK: - InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] ); + if (rInfo.sStrArray[i].getLength() >= 2) + InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] ); break; case NF_SYMBOLTYPE_STRING: case NF_SYMBOLTYPE_CURRENCY: @@ -3690,8 +3691,8 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber, } break; case NF_SYMBOLTYPE_BLANK: - InsertBlanks( sBuff, sBuff.getLength(), - rInfo.sStrArray[i][1] ); + if (rInfo.sStrArray[i].getLength() >= 2) + InsertBlanks( sBuff, sBuff.getLength(), rInfo.sStrArray[i][1] ); break; case NF_SYMBOLTYPE_STRING: case NF_SYMBOLTYPE_CURRENCY: @@ -4337,7 +4338,8 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer& sBuff, // number string } break; case NF_SYMBOLTYPE_BLANK: - k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] ); + if (rInfo.sStrArray[j].getLength() >= 2) + k = InsertBlanks(sBuff, k, rInfo.sStrArray[j][1] ); break; case NF_SYMBOLTYPE_THSEP: // Same as in ImpNumberFillWithThousands() above, do not insert |