Avoid overflow with large row heights

With -fsanitize=float-cast-overflow, opening csv/fdo54919-3.csv as obtained by bin/get-bugzilla-attachments-by-mimetype (i.e., the attachment at <https://bugs.documentfoundation.org/show_bug.cgi?id=54919#c2>) fails first with > sc/source/core/data/column2.cxx:942:75: runtime error: 73940.3 is outside the range of representable values of type 'unsigned short' > #0 in ScColumn::GetOptimalHeight(sc::RowHeightContext&, int, int, unsigned short, int) at sc/source/core/data/column2.cxx:942:75 (instdir/program/../program/libsclo.so +0xc93bfaf) > #1 in (anonymous namespace)::GetOptimalHeightsInColumn(sc::RowHeightContext&, ScColContainer&, int, int, ScProgress*, unsigned long) at sc/source/core/data/table1.cxx:114:20 (instdir/program/../program/libsclo.so +0xe02fd57) > #2 in ScTable::SetOptimalHeight(sc::RowHeightContext&, int, int, ScProgress*, unsigned long) at sc/source/core/data/table1.cxx:466:5 (instdir/program/../program/libsclo.so +0xe02ec69) > #3 in ScDocument::SetOptimalHeight(sc::RowHeightContext&, int, int, short) at sc/source/core/data/document.cxx:4267:18 (instdir/program/../program/libsclo.so +0xd18bc12) > #4 in ScDocShell::AdjustRowHeight(int, int, short) at sc/source/ui/docshell/docsh5.cxx:411:32 (instdir/program/../program/libsclo.so +0x111eb5c6) > #5 in ScImportExport::ExtText2Doc(SvStream&) at sc/source/ui/docshell/impex.cxx:1469:29 (instdir/program/../program/libsclo.so +0x11498773) > #6 in ScImportExport::ImportStream(SvStream&, rtl::OUString const&, SotClipboardFormatId) at sc/source/ui/docshell/impex.cxx:379:13 (instdir/program/../program/libsclo.so +0x11492715) > #7 in ScDocShell::ConvertFrom(SfxMedium&) at sc/source/ui/docshell/docsh.cxx:1299:35 (instdir/program/../program/libsclo.so +0x110b0cee) > #8 in SfxObjectShell::DoLoad(SfxMedium*) at sfx2/source/doc/objstor.cxx:768:23 (instdir/program/libsfxlo.so +0x49d934a) [...] and then with > sc/source/core/data/fillinfo.cxx:216:59: runtime error: 113431 is outside the range of representable values of type 'unsigned short' > #0 in (anonymous namespace)::initRowInfo(ScDocument const*, RowInfo*, unsigned long, double, int, short, int&, unsigned long&, int&) at sc/source/core/data/fillinfo.cxx:216:59 (instdir/program/../program/libsclo.so +0xdb8ebcf) > #1 in ScDocument::FillInfo(ScTableInfo&, short, int, short, int, short, double, double, bool, bool, ScMarkData const*) at sc/source/core/data/fillinfo.cxx:401:5 (instdir/program/../program/libsclo.so +0xdb7896e) > #2 in ScPrintFunc::DrawToDev(ScDocument*, OutputDevice*, double, tools::Rectangle const&, ScViewData*, bool) at sc/source/ui/view/printfun.cxx:544:11 (instdir/program/../program/libsclo.so +0x1309d461) > #3 in ScDocShell::Draw(OutputDevice*, JobSetup const&, unsigned short) at sc/source/ui/docshell/docsh4.cxx:2036:9 (instdir/program/../program/libsclo.so +0x111aabd7) > #4 in SfxObjectShell::DoDraw_Impl(OutputDevice*, Point const&, Fraction const&, Fraction const&, JobSetup const&, unsigned short) at sfx2/source/doc/objembed.cxx:229:5 (instdir/program/libsfxlo.so +0x491e953) > #5 in SfxObjectShell::DoDraw(OutputDevice*, Point const&, Size const&, JobSetup const&, unsigned short) at sfx2/source/doc/objembed.cxx:176:9 (instdir/program/libsfxlo.so +0x491cbb3) > #6 in SfxObjectShell::CreatePreviewMetaFile_Impl(bool) const at sfx2/source/doc/objcont.cxx:171:40 (instdir/program/libsfxlo.so +0x48ffc5a) > #7 in SfxObjectShell::GetPreviewMetaFile(bool) const at sfx2/source/doc/objcont.cxx:118:12 (instdir/program/libsfxlo.so +0x48fdc15) > #8 in SfxPickListImpl::AddDocumentToPickList(SfxObjectShell*) at sfx2/source/appl/sfxpicklist.cxx:135:62 (instdir/program/libsfxlo.so +0x361c3e5) [...] These are similar to <https://gerrit.libreoffice.org/#/c/73267/> "Avoid overflow when scaling column width" and <https://gerrit.libreoffice.org/#/c/73273/> "Avoid overflow in ScColumn::GetOptimalColWidth", respectively, for column width calculations, and given csv/fdo54919-3.csv has a rather tall fifth row, these values do not look completely implausible---which of course begs the question whether sal_uInt16 is an appropriate data type here. But assuming sal_uInt16 is a useful choice, just clamp the calculated heights accordingly. (Using std::clamp, we can get rid of the following lines in initRowInfo that ensure nHeight >= 1.) Change-Id: I99f97c1dedcd8c6d2daa63f2e10011a3ce837fe4 Reviewed-on: https://gerrit.libreoffice.org/73278 Tested-by: Jenkins Reviewed-by: Eike Rathke <erack@redhat.com>
author: Stephan Bergmann <sbergman@redhat.com> 2019-05-31 16:31:18 +0200
committer: Eike Rathke <erack@redhat.com> 2019-06-03 19:00:36 +0200
commit: d4dd07320d931d8d979b6667bd894763d909cbb1 (patch)
tree: 3889515ad3f6a448b4d18242e959bd49c90f88be
parent: 3a4c4482ecdc7a7ef4dd944a49d17a9d30d27b78 (diff)
2 files changed, 9 insertions, 6 deletions
diff --git a/sc/source/core/data/column2.cxx b/sc/source/core/data/column2.cxx
index a29505584a27..0a54f877c0b1 100644
--- a/sc/source/core/data/column2.cxx
+++ b/sc/source/core/data/column2.cxx
@@ -939,9 +939,12 @@ void ScColumn::GetOptimalHeight(
                         {
                             aOptions.pPattern = pPattern;
                             const ScPatternAttr* pOldPattern = pPattern;
-                            sal_uInt16 nHeight = static_cast<sal_uInt16>( GetNeededSize( nRow, rCxt.getOutputDevice(), rCxt.getPPTX(), rCxt.getPPTY(),
-                                                        rCxt.getZoomX(), rCxt.getZoomY(), false, aOptions,
-                                                        &pPattern) / rCxt.getPPTY() );
+                            sal_uInt16 nHeight = static_cast<sal_uInt16>(
+                                std::min(
+                                    GetNeededSize( nRow, rCxt.getOutputDevice(), rCxt.getPPTX(), rCxt.getPPTY(),
+                                                   rCxt.getZoomX(), rCxt.getZoomY(), false, aOptions,
+                                                   &pPattern) / rCxt.getPPTY(),
+                                    double(std::numeric_limits<sal_uInt16>::max())));
                             if (nHeight > rHeights.getValue(nRow))
                                 rHeights.setValue(nRow, nRow, nHeight);
                             // Pattern changed due to calculation? => sync.
diff --git a/sc/source/core/data/fillinfo.cxx b/sc/source/core/data/fillinfo.cxx
index abe95752ff68..48749179a0a3 100644
--- a/sc/source/core/data/fillinfo.cxx
+++ b/sc/source/core/data/fillinfo.cxx
@@ -213,9 +213,9 @@ void initRowInfo(const ScDocument* pDoc, RowInfo* pRowInfo, const SCSIZE nMaxRow
             RowInfo* pThisRowInfo = &pRowInfo[rArrRow];
             pThisRowInfo->pCellInfo = nullptr;                 // is loaded below
 
-            sal_uInt16 nHeight = static_cast<sal_uInt16>( nDocHeight * fRowScale );
-            if (!nHeight)
-                nHeight = 1;
+            sal_uInt16 nHeight = static_cast<sal_uInt16>(
+                std::clamp(
+                    nDocHeight * fRowScale, 1.0, double(std::numeric_limits<sal_uInt16>::max())));
 
             pThisRowInfo->nRowNo        = nY;               //TODO: case < 0 ?
             pThisRowInfo->nHeight       = nHeight;
author	Stephan Bergmann <sbergman@redhat.com>	2019-05-31 16:31:18 +0200
committer	Eike Rathke <erack@redhat.com>	2019-06-03 19:00:36 +0200
commit	d4dd07320d931d8d979b6667bd894763d909cbb1 (patch)
tree	3889515ad3f6a448b4d18242e959bd49c90f88be
parent	3a4c4482ecdc7a7ef4dd944a49d17a9d30d27b78 (diff)