Do not create arbitrary OpCode values from binary garbage, ofz-related

Change-Id: Ifb6f22472a9e9c0be95131bf8f49985ccc17c483
author: Eike Rathke <erack@redhat.com> 2017-11-10 10:58:44 +0100
committer: Eike Rathke <erack@redhat.com> 2017-11-10 11:04:57 +0100
commit: 047cc1d976516c527f4c7051a98aade59c7494d9 (patch)
tree: 71e77669cfcb5c497e5f1439edcbc981e3406cfa
parent: 78bcc5ddca186f0009124a697184f332405d3e1e (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/sc/source/filter/inc/tokstack.hxx b/sc/source/filter/inc/tokstack.hxx
index 759e83e88f62..1e7e0eeb1582 100644
--- a/sc/source/filter/inc/tokstack.hxx
+++ b/sc/source/filter/inc/tokstack.hxx
@@ -330,16 +330,22 @@ inline TokenPool& TokenPool::operator <<( const TokenId& rId )
     // POST: rId's are stored consecutively in Pool under a new Id;
     //       finalize with >> or Store()
     // rId -> ( sal_uInt16 ) rId - 1;
-    if ((sal_uInt16)rId >= nScTokenOff)
+    sal_uInt16 nId = static_cast<sal_uInt16>(rId);
+    if (nId >= nScTokenOff)
     {
         SAL_WARN("sc.filter", "-TokenPool::operator <<: TokenId in DefToken-Range! " << static_cast<sal_uInt16>(rId));
+
+        // Do not "invent" OpCode values by arbitrarily mapping into the Calc
+        // space. This badly smells like an overflow or binary garbage, so
+        // treat as error.
+        nId = static_cast<sal_uInt16>(ocErrNull) + nScTokenOff + 1;
     }
 
     if( nP_IdAkt >= nP_Id )
         if (!GrowId())
             return *this;
 
-    pP_Id[ nP_IdAkt ] = ( ( sal_uInt16 ) rId ) - 1;
+    pP_Id[ nP_IdAkt ] = nId - 1;
     nP_IdAkt++;
 
     return *this;
author	Eike Rathke <erack@redhat.com>	2017-11-10 10:58:44 +0100
committer	Eike Rathke <erack@redhat.com>	2017-11-10 11:04:57 +0100
commit	047cc1d976516c527f4c7051a98aade59c7494d9 (patch)
tree	71e77669cfcb5c497e5f1439edcbc981e3406cfa
parent	78bcc5ddca186f0009124a697184f332405d3e1e (diff)