ofz+ubsan: signed integer overflow

Change-Id: Ie291f5f4e705ad3d2aeecc9fa26b1247974e2aa2 Reviewed-on: https://gerrit.libreoffice.org/43545 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2017-10-19 13:06:07 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2017-10-19 21:26:43 +0200
commit: 02d4421687c1dba797153d9b71c01cf98d1537fb (patch)
tree: fa1e42c3047cb3d515630d75df76551a80ea5bc7 /sw
parent: d54e58616600330e8eb9ba7d5f4598f3b674d643 (diff)
1 files changed, 12 insertions, 2 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 61d4ff7b2908..240ebbc3057e 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -39,7 +39,7 @@
 #include <unotools/localedatawrapper.hxx>
 #include <i18nlangtag/lang.h>
 #include <editeng/unolingu.hxx>
-
+#include <o3tl/safeint.hxx>
 #include <tools/stream.hxx>
 
 #include <vcl/settings.hxx>
@@ -1495,8 +1495,18 @@ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
         return nRet;
     }
 
+    if (*pIsUnicode)
+    {
+        const bool bFail = o3tl::checked_multiply<WW8_CP>(nCpPos, 2, nCpPos);
+        if (bFail)
+        {
+            SAL_WARN("sw.ww8", "broken offset, ignoring");
+            return WW8_CP_MAX;
+        }
+    }
+
     // No complex file
-    return m_pWw8Fib->m_fcMin + nCpPos * (*pIsUnicode ? 2 : 1);
+    return m_pWw8Fib->m_fcMin + nCpPos;
 }
 
 //      class WW8ScannerBase
author	Caolán McNamara <caolanm@redhat.com>	2017-10-19 13:06:07 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2017-10-19 21:26:43 +0200
commit	02d4421687c1dba797153d9b71c01cf98d1537fb (patch)
tree	fa1e42c3047cb3d515630d75df76551a80ea5bc7 /sw
parent	d54e58616600330e8eb9ba7d5f4598f3b674d643 (diff)