diff options
| author | Armin Le Grand <Armin.Le.Grand@me.com> | 2015-11-03 12:25:13 +0100 |
|---|---|---|
| committer | Katarina Behrens <Katarina.Behrens@cib.de> | 2015-11-04 11:29:21 +0000 |
| commit | f0cef70cd4164342b218fbee34bf57eedc22c998 (patch) | |
| tree | edf7a6e44f54a8eb6b5ed6179e8e5157fa001872 /sd | |
| parent | 4340cc7a63c3a94a7b95e014a501b44d886e18bb (diff) | |
tdf#95298: corrected some out-of-bound accesses to array
the index variable m_FrameList used to reference the current frame uses
the state EMTY_FRAMELIST to mark as invalid, which is the max integer
number. Thus all usages have to be secured to not use m_FrameList
if set to EMPTY_FRAMELIST. This was missing in some places.
the max integer
number. Thus all usages have to be secured to not use m_FrameList
if set to EMPTY_FRAMELIST. This was missing in some places.
Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8
Reviewed-on: https://gerrit.libreoffice.org/19753
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de>
Diffstat (limited to 'sd')
| -rw-r--r-- | sd/source/ui/dlg/animobjs.cxx | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/sd/source/ui/dlg/animobjs.cxx b/sd/source/ui/dlg/animobjs.cxx index c2d83e45f548..2c2f4ee13183 100644 --- a/sd/source/ui/dlg/animobjs.cxx +++ b/sd/source/ui/dlg/animobjs.cxx @@ -420,7 +420,8 @@ IMPL_LINK_TYPED( AnimationWindow, ClickRemoveBitmapHdl, Button*, pBtn, void ) SdPage* pPage = pMyDoc->GetSdPage(0, PK_STANDARD); SdrObject* pObject; - if (pBtn == m_pBtnRemoveBitmap) + // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access + if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST != m_nCurrentFrame) { delete m_FrameList[m_nCurrentFrame].first; delete m_FrameList[m_nCurrentFrame].second; @@ -439,8 +440,8 @@ IMPL_LINK_TYPED( AnimationWindow, ClickRemoveBitmapHdl, Button*, pBtn, void ) if (m_nCurrentFrame >= m_FrameList.size()) { - assert(m_FrameList.empty()); - m_nCurrentFrame = EMPTY_FRAMELIST; + // tdf#95298 last frame was deleted, try to use the one before it or go on empty state + m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST : m_FrameList.size() - 1; } } else // delete everything @@ -522,7 +523,8 @@ IMPL_LINK_NOARG_TYPED(AnimationWindow, ModifyTimeHdl, Edit&, void) void AnimationWindow::UpdateControl(bool const bDisableCtrls) { - if (!m_FrameList.empty()) + // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access + if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame) { BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first); |