svl/source/numbers/zformat.cxx | 10 ++++++++-- svl/source/numbers/zforscan.cxx | 23 +++++++++++++---------- 2 files changed, 21 insertions(+), 12 deletions(-)
New commits: commit 0f7a1bce18b08045fd98d5de99bb9ed69a7d474d Author: Eike Rathke <[email protected]> Date: Fri Mar 10 13:38:28 2017 +0100 string access out of bounds This is a combination of 3 commits. string access out of bounds Change-Id: I4f6e6e8e77cdabe593bca5719b6ef38aeecc5da7 (cherry picked from commit 77a8cf7eaf638276030d1c5be8705f5603f071a9) prevent string access out of bounds Though only the closing 0-character and the following check excludes that, dbgutil asserts. Change-Id: Ife1299042a60f6f058c4cf58b406d1cc022786a7 (cherry picked from commit c407fff205a270e02fe07885805b7250e71c28f8) guard against a (theoretical?) endless loop of blanks only Change-Id: I68d6cca1b359aa8fba42663bddb1107c31102415 (cherry picked from commit fe73eff36718b6d99d0cf92d750c457872cc4dcc) Reviewed-on: https://gerrit.libreoffice.org/35043 Tested-by: Jenkins <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx index 09e024e..be19e33 100644 --- a/svl/source/numbers/zformat.cxx +++ b/svl/source/numbers/zformat.cxx @@ -2817,9 +2817,15 @@ bool SvNumberformat::ImpGetFractionOutput(double fNumber, bRes |= ImpNumberFill(sDiv, fNumber, k, j, nIx, NF_SYMBOLTYPE_FRAC); if ( !bHideFraction && sDenominatorFormat.getLength() > 0 ) { - while ( sDiv[0] == ' ' ) // left align denominator + // Guard against a (theoretical?) endless loop of blanks only. + sal_Int32 n = sDiv.getLength(); + sal_Int32 nDenominatorLen = sDenominatorFormat.getLength(); + while ( n-- > 0 && sDiv[0] == ' ' ) // left align denominator { - sDiv.insert( sDenominatorFormat.getLength(), " " ); + if (sDiv.getLength() <= nDenominatorLen) + sDiv.append(" "); + else + sDiv.insert( nDenominatorLen, " " ); sDiv.remove( 0, 1 ); } } diff --git a/svl/source/numbers/zforscan.cxx b/svl/source/numbers/zforscan.cxx index 34137cb..1cceda7 100644 --- a/svl/source/numbers/zforscan.cxx +++ b/svl/source/numbers/zforscan.cxx @@ -814,18 +814,21 @@ short ImpSvNumberformatScan::Next_Symbol( const OUString& rStr, switch (cToken) { case '/': // AM/PM, A/P - cNext = rStr[nPos]; - if ( cNext == 'P' || cNext == 'p' ) + if (nPos < rStr.getLength()) { - sal_Int32 nLen = sSymbol.getLength(); - if ( 1 <= nLen && - (sSymbol[0] == 'A' || sSymbol[0] == 'a') && - (nLen == 1 || - (nLen == 2 && (sSymbol[1] == 'M' || sSymbol[1] == 'm') - && (rStr[nPos + 1] == 'M' || rStr[nPos + 1] == 'm')))) + cNext = rStr[nPos]; + if ( cNext == 'P' || cNext == 'p' ) { - sSymbol += OUStringLiteral1(cToken); - bDontStop = true; + sal_Int32 nLen = sSymbol.getLength(); + if ( 1 <= nLen && + (sSymbol[0] == 'A' || sSymbol[0] == 'a') && + (nLen == 1 || + (nLen == 2 && (sSymbol[1] == 'M' || sSymbol[1] == 'm') + && (rStr[nPos + 1] == 'M' || rStr[nPos + 1] == 'm')))) + { + sSymbol += OUStringLiteral1(cToken); + bDontStop = true; + } } } break; _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
