authorCaolán McNamara <caolan.mcnamara@collabora.com>2024-03-23 15:19:04 +0000
committerMichael Stahl <michael.stahl@allotropia.de>2024-06-27 18:23:10 +0200
commite6bc1729d93f5e657229eca96e18fc9aa6445fe6 (patch)
tree447d4f747ab43f8a4ffe92a64ef3a42bfbf90ea0
parent0ad97420088544673b22d81c88157e54e67081ab (diff)
ofz#67577 Integer-overflow
Change-Id: I3828bb76ab7808ac0717b33c231927730216b42b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165216 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com> (cherry picked from commit 035f87f7ed8775c30c6f84d7d02bc72a66182c63)
-rw-r--r--sc/source/filter/html/htmlpars.cxx17
1 files changed, 15 insertions, 2 deletions
diff --git a/sc/source/filter/html/htmlpars.cxx b/sc/source/filter/html/htmlpars.cxx
index 57c06fc23dd0..1de06c9694b8 100644
--- a/sc/source/filter/html/htmlpars.cxx
+++ b/sc/source/filter/html/htmlpars.cxx
@@ -50,6 +50,7 @@
#include <osl/diagnose.h>
#include <rtl/tencinfo.h>
+#include <o3tl/safeint.hxx>
#include <htmlpars.hxx>
#include <global.hxx>
@@ -434,8 +435,20 @@ void ScHTMLLayoutParser::SkipLocked( ScEEParseEntry* pE, bool bJoin )
{ // Or else this would create a wrong value at ScAddress (chance for an infinite loop)!
bool bBadCol = false;
bool bAgain;
- ScRange aRange( pE->nCol, pE->nRow, 0,
- pE->nCol + pE->nColOverlap - 1, pE->nRow + pE->nRowOverlap - 1, 0 );
+
+ SCCOL nEndCol(0);
+ SCROW nEndRow(0);
+ bool bFail = o3tl::checked_add<SCCOL>(pE->nCol, pE->nColOverlap - 1, nEndCol) ||
+ o3tl::checked_add<SCROW>(pE->nRow, pE->nRowOverlap - 1, nEndRow);
+
+ if (bFail)
+ {
+ SAL_WARN("sc", "invalid range: " << pE->nCol << " " << pE->nColOverlap <<
+ " " << pE->nRow << " " << pE->nRowOverlap);
+ return;
+ }
+
+ ScRange aRange(pE->nCol, pE->nRow, 0, nEndCol, nEndRow, 0);
do
{
bAgain = false;
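Review bot: The `- 1` in `pE->nColOverlap - 1` and `pE->nRowOverlap - 1` is evaluated before `o3tl::checked_add` receives it, so the check does not cover that subtraction or the conversion of its result to `SCCOL`/`SCROW` forced by the explicit template argument. Depending on the field types, which are not visible here, an overlap at the minimum of its type could still overflow or wrap before the checked add runs. The check also only detects wraparound, so an overlap of zero or below, presumably taken from the parsed HTML, gives `nEndCol < pE->nCol` or `nEndRow < pE->nRow` and still reaches the `ScRange` constructor. If overlaps below 1 are never valid at this point, prepend `pE->nColOverlap < 1 || pE->nRowOverlap < 1 ||` to the `bFail` expression so such entries are rejected by the same warning-and-return path. SkipLocked begins before this hunk and continues past it, so any earlier validation of these fields is not visible here.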