lokdocview: guard against int overflow

If a too large rectangle is parsed, the width or the height may be
larger than std::numeric_limits<int>::max(), in that case just set
width/height to that max value, instead of allowing an overflow.

Change-Id: Ic01319b01a3f9286501c346ea765868be57466a1

1 files changed, 10 insertions, 2 deletions

diff --git a/libreofficekit/source/gtk/lokdocview.cxx b/libreofficekit/source/gtk/lokdocview.cxx
index 195335c6a531..d8f2074511ee 100644
--- a/libreofficekit/source/gtk/lokdocview.cxx
+++ b/libreofficekit/source/gtk/lokdocview.cxx
@@ -1035,13 +1035,21 @@ payloadToRectangle (LOKDocView* pDocView, const char* pPayload)
     ++ppCoordinate;
     if (!*ppCoordinate)
         return aRet;
-    aRet.width = atoi(*ppCoordinate);
+    long l = atol(*ppCoordinate);
+    if (l > std::numeric_limits<int>::max())
+        aRet.width = std::numeric_limits<int>::max();
+    else
+        aRet.width = l;
     if (aRet.x + aRet.width > priv->m_nDocumentWidthTwips)
         aRet.width = priv->m_nDocumentWidthTwips - aRet.x;
     ++ppCoordinate;
     if (!*ppCoordinate)
         return aRet;
-    aRet.height = atoi(*ppCoordinate);
+    l = atol(*ppCoordinate);
+    if (l > std::numeric_limits<int>::max())
+        aRet.height = std::numeric_limits<int>::max();
+    else
+        aRet.height = l;
     if (aRet.y + aRet.height > priv->m_nDocumentHeightTwips)
         aRet.height = priv->m_nDocumentHeightTwips - aRet.y;
     g_strfreev(ppCoordinates);