diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-10-24 13:31:28 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-10-25 09:55:56 +0200 |
| commit | fbefa7cb11f4c76c198b724f506918f5c568518c (patch) | |
| tree | e16a2ba9b97a8a248a3a38b26621cda2e2a05e81 /sw | |
| parent | 5bc60b8d1a6be30308c829ad8f8fb5416fd874db (diff) | |
ofz#3756 Integer-overflow
Change-Id: I2b3423941c3c25961aafc5c4b55c4cc76289c8cf
Reviewed-on: https://gerrit.libreoffice.org/43768
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw')
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 7e67fb9f5c1a..12cb59cd2698 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -3361,8 +3361,17 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p) nFcStart,bIsUnicode ); } - nLimitFC = nFcStart + (nCpEnd - nCpStart) * - (bIsUnicode ? 2 : 1); + WW8_CP nCpLen = (nCpEnd - nCpStart); + if (bIsUnicode) + { + const bool bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + continue; + } + } + nLimitFC = nFcStart + nCpLen; //if it doesn't exist, skip it if (!SeekPos(nCpStart)) |