ofz#3756 Integer-overflow

Change-Id: I2b3423941c3c25961aafc5c4b55c4cc76289c8cf
Reviewed-on: https://gerrit.libreoffice.org/43768
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 11 insertions, 2 deletions

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 7e67fb9f5c1a..12cb59cd2698 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3361,8 +3361,17 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
                                     nFcStart,bIsUnicode );
                             }
 
-                            nLimitFC = nFcStart + (nCpEnd - nCpStart) *
-                                (bIsUnicode ? 2 : 1);
+                            WW8_CP nCpLen = (nCpEnd - nCpStart);
+                            if (bIsUnicode)
+                            {
+                                const bool bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen);
+                                if (bFail)
+                                {
+                                    SAL_WARN("sw.ww8", "broken offset, ignoring");
+                                    continue;
+                                }
+                            }
+                            nLimitFC = nFcStart + nCpLen;
 
                             //if it doesn't exist, skip it
                             if (!SeekPos(nCpStart))