authorCaolán McNamara <caolanm@redhat.com>2017-11-14 21:22:13 +0000
committerCaolán McNamara <caolanm@redhat.com>2017-11-15 09:59:48 +0100
commit43e17bdc6efa2ddcb1f08e5d2c40e7dc636c80fb (patch)
tree6a37750175eb740fed1c9fb4eef2c8e1bf614b63
parent5f11ab0a62e0370d453f8b89497a1a2274776f36 (diff)
ofz#4213 Integer-overflow
Change-Id: Ice22ad92a82971f34c01d2c16fc3d4805b1fd5f3 Reviewed-on: https://gerrit.libreoffice.org/44742 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r--sw/source/filter/ww8/ww8scan.cxx37
1 files changed, 35 insertions, 2 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index e7d37be5fd87..1b24c6686aad 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1264,8 +1264,41 @@ WW8_CP WW8PLCFx_PCD::AktPieceStartFc2Cp( WW8_FC nStartPos )
if( nStartPos < nFcStart )
nStartPos = nFcStart;
- if( nStartPos >= nFcStart + (nCpEnd - nCpStart) * nUnicodeFactor )
- nStartPos = nFcStart + (nCpEnd - nCpStart - 1) * nUnicodeFactor;
+ WW8_CP nCpLen;
+ bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+
+ WW8_CP nCpLenBytes;
+ bFail = o3tl::checked_multiply(nCpLen, nUnicodeFactor, nCpLenBytes);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+
+ WW8_FC nFcLen;
+ bFail = o3tl::checked_add(nFcStart, nCpLenBytes, nFcLen);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+
+ WW8_FC nFcEnd;
+ bFail = o3tl::checked_add(nFcStart, nFcLen, nFcEnd);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ return WW8_CP_MAX;
+ }
+
+
+ if (nStartPos >= nFcEnd)
+ nStartPos = nFcEnd - (1 * nUnicodeFactor);
return nCpStart + (nStartPos - nFcStart) / nUnicodeFactor;
}
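Review bot: The clamp at the end of the hunk compares against `nFcEnd`, which is computed as `nFcStart + nFcLen` while `nFcLen` is already `nFcStart + nCpLenBytes`, so the piece's start offset is added twice and the bound is `nFcStart` larger than the removed `nFcStart + (nCpEnd - nCpStart) * nUnicodeFactor`. A start position from a malformed document that lies past the real end of the piece is then no longer clamped, and the final `nCpStart + (nStartPos - nFcStart) / nUnicodeFactor`, which is itself an unchecked addition, can yield a CP beyond `nCpEnd`. I would drop the second `checked_add` and write the first one as `bFail = o3tl::checked_add(nFcStart, nCpLenBytes, nFcEnd);`, leaving the `nStartPos >= nFcEnd` test as it is. The declarations of `nFcStart`, `nCpStart` and `nCpEnd` are outside the hunk, so this assumes they keep the meaning the removed lines gave them.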