External data must be checked when parsed

Change-Id: I8bc5afb29fe22a4b06462a7c61b689c88c41003f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158938
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>

1 files changed, 14 insertions, 10 deletions

diff --git a/desktop/source/lib/init.cxx b/desktop/source/lib/init.cxx
index 92628177cb66..71eeabcbc380 100644
--- a/desktop/source/lib/init.cxx
+++ b/desktop/source/lib/init.cxx
@@ -542,34 +542,38 @@ RectangleAndPart RectangleAndPart::Create(const OString& rPayload)
     const char* pos = rPayload.getStr();
     const char* end = rPayload.getStr() + rPayload.getLength();
     tools::Long nLeft = rtl_str_toInt64_WithLength(pos, 10, end - pos);
-    while( *pos != ',' )
+    while (pos < end && *pos != ',')
+        ++pos;
+    if (pos < end)
         ++pos;
-    ++pos;
     assert(pos < end);
     tools::Long nTop = rtl_str_toInt64_WithLength(pos, 10, end - pos);
-    while( *pos != ',' )
+    while (pos < end && *pos != ',')
+        ++pos;
+    if (pos < end)
         ++pos;
-    ++pos;
     assert(pos < end);
     tools::Long nWidth = rtl_str_toInt64_WithLength(pos, 10, end - pos);
-    while( *pos != ',' )
+    while (pos < end && *pos != ',')
+        ++pos;
+    if (pos < end)
         ++pos;
-    ++pos;
     assert(pos < end);
     tools::Long nHeight = rtl_str_toInt64_WithLength(pos, 10, end - pos);
     tools::Long nPart = INT_MIN;
     tools::Long nMode = 0;
     if (comphelper::LibreOfficeKit::isPartInInvalidation())
     {
-        while( *pos != ',' )
+        while (pos < end && *pos != ',')
+            ++pos;
+        if (pos < end)
             ++pos;
-        ++pos;
         assert(pos < end);
         nPart = rtl_str_toInt64_WithLength(pos, 10, end - pos);
 
-        while( *pos && *pos != ',' )
+        while (pos < end && *pos != ',')
             ++pos;
-        if (*pos)
+        if (pos < end)
         {
             ++pos;
             assert(pos < end);