sw/source/core/txtnode/fntcache.cxx |    8 +++++---
 sw/source/core/txtnode/justify.cxx  |    3 +++
 2 files changed, 8 insertions(+), 3 deletions(-)

New commits:
commit 4a87a7158bcf9ebf8196683b2b8c85387b3bcfdb
Author:     Andras Timar <[email protected]>
AuthorDate: Mon Mar 2 10:12:45 2026 +0100
Commit:     Miklos Vajna <[email protected]>
CommitDate: Mon Mar 2 16:08:15 2026 +0100

    Fix SIGSEGV in sw::Justify::SpaceDistribution with invalid text index
    
    When rInf.GetIdx() exceeds the text length (a layout bug), DrawText
    only fired a debug assert but continued in release builds with nCnt
    not reduced, causing SpaceDistribution to access aText[nStt] past the
    end of the string. Return early from DrawText on this invalid state,
    and add a defensive nLen <= 0 guard in SpaceDistribution itself.
    
    Change-Id: I195ad79929d096e2c71f351c357a81bfad673b87
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200774
    Reviewed-by: Miklos Vajna <[email protected]>
    Tested-by: Jenkins CollaboraOffice <[email protected]>

diff --git a/sw/source/core/txtnode/fntcache.cxx 
b/sw/source/core/txtnode/fntcache.cxx
index 7ba1ba147719..2f051ce4ef88 100644
--- a/sw/source/core/txtnode/fntcache.cxx
+++ b/sw/source/core/txtnode/fntcache.cxx
@@ -1487,9 +1487,11 @@ void SwFntObj::DrawText( SwDrawTextInfo &rInf )
 
         TextFrameIndex nCnt(rInf.GetText().getLength());
         if ( nCnt < rInf.GetIdx() )
-            assert(false); // layout bug, not handled below
-        else
-            nCnt = nCnt - rInf.GetIdx();
+        {
+            assert(false); // layout bug
+            return;
+        }
+        nCnt = nCnt - rInf.GetIdx();
         nCnt = std::min(nCnt, rInf.GetLen());
         sal_Unicode cChPrev = rInf.GetText()[sal_Int32(rInf.GetIdx())];
 
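Review bot: The new guard uses `<`, so the boundary case where rInf.GetIdx() equals the text length still falls through to `rInf.GetText()[sal_Int32(rInf.GetIdx())]` on the last code line of the hunk, which indexes one position past the final character with nCnt already 0. If that state is as invalid as the one the commit targets, `if ( nCnt <= rInf.GetIdx() )` would cover it; if an empty tail is legitimate here, the cChPrev read should be skipped for it instead. The early return is also silent in release builds, so a `SAL_WARN("sw.core", "DrawText: index beyond text length");` before the `return` would leave a trace of the layout bug. DrawText's body starts and ends outside the hunk, so it is worth confirming that nothing set up earlier in the function needs to be undone before returning.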
diff --git a/sw/source/core/txtnode/justify.cxx 
b/sw/source/core/txtnode/justify.cxx
index 41a107303588..f9dfa27b60b5 100644
--- a/sw/source/core/txtnode/justify.cxx
+++ b/sw/source/core/txtnode/justify.cxx
@@ -101,6 +101,9 @@ sal_Int32 GetModelPosition(const KernArray& rKernArray, 
sal_Int32 nLen, tools::L
 void SpaceDistribution(KernArray& rKernArray, std::u16string_view aText, 
sal_Int32 nStt,
                        sal_Int32 nLen, tools::Long nSpaceAdd, tools::Long 
nKern, bool bNoHalfSpace)
 {
+    if (nLen <= 0)
+        return;
+
     assert(nStt + nLen <= sal_Int32(aText.size()));
     assert(nLen <= sal_Int32(rKernArray.size()));
     // nSpaceSum contains the sum of the intermediate space distributed
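Review bot: The `nLen <= 0` guard only covers the empty case; for a positive nLen the two range checks below it are still `assert`s, so a release build gets no protection when nStt or nLen is out of range for aText or rKernArray. The commit message describes exactly that release-build path (aText[nStt] read past the end), so consider making them runtime checks as well, e.g. `if (nStt < 0 || nLen > sal_Int32(aText.size()) - nStt || nLen > sal_Int32(rKernArray.size())) return;`, written as a subtraction so that `nStt + nLen` cannot overflow. A one-line comment on the guard, such as `// callers may pass an invalid range after a layout bug; bail out instead of indexing`, would record why it is there. The function body continues past the hunk.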
