author | Stephan Bergmann <sbergman@redhat.com> | 2019-02-22 11:56:51 +0100 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2019-02-22 15:01:34 +0100 |
commit | 18b5a001cc5b306e1548fb70e610bdc1164cf4ca (patch) | |
tree | 9dbe48650483e4e216c83255401b53e89d10109d /sw | |
parent | 70c3d1a25a0ace873ce7fa4b49af416f8fa6f1ff (diff) |
Avoid uncontrolled overflow in SwTable::GetBoxNum
...where bad input like "WRONG CELL NAME" (in PythonTest_sw_python's
sw/qa/python/check_xtexttable.py) could wrap around to a valid but wrong nRet.
Instead, return SAL_MAX_UINT16 upon overflow. At least the call to GetBoxNum in
SwTable::GetTableBox (sw/source/core/table/swtable.cxx) with bFirstPart
potentially true, assigning to nBox, then later checks
    if( nBox >= pBoxes->size() )
        return nullptr;
so returning SAL_MAX_UINT16 upon overflow appears to be the best choice.
(Found with Clang's -fsanitize=implicit-signed-integer-truncation.)
Change-Id: I12822a6bd4f0269adb14c04eefbd1cde4d288728
Reviewed-on: https://gerrit.libreoffice.org/68203
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Diffstat (limited to 'sw')
-rw-r--r-- | sw/source/core/table/swtable.cxx | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sw/source/core/table/swtable.cxx b/sw/source/core/table/swtable.cxx index 0f2b5aee412a..18050a1e0202 100644 --- a/sw/source/core/table/swtable.cxx +++ b/sw/source/core/table/swtable.cxx @@ -1291,6 +1291,8 @@ sal_uInt16 SwTable::GetBoxNum( OUString& rStr, bool bFirstPart, sal_Int32 nPos = 0; // the first one uses letters for addressing! bool bFirst = true; + sal_uInt32 num = 0; + bool overflow = false; while (nPos<rStr.getLength()) { sal_Unicode cChar = rStr[nPos]; @@ -1301,10 +1303,14 @@ sal_uInt16 SwTable::GetBoxNum( OUString& rStr, bool bFirstPart, if( bFirst ) bFirst = false; else - ++nRet; - nRet = nRet * 52 + cChar; + ++num; + num = num * 52 + cChar; + if (num > SAL_MAX_UINT16) { + overflow = true; + } ++nPos; } + nRet = overflow ? SAL_MAX_UINT16 : num; rStr = rStr.copy( nPos ); // Remove char from String } else |
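Review bot: In the second hunk, `num` keeps being updated by `num = num * 52 + cChar` after `overflow` has been set, so a long enough run of letters wraps the sal_uInt32 itself and can bring `num` back under SAL_MAX_UINT16. The result is still correct only because `overflow` is never cleared, and that invariant is easy to break in a later edit; a short comment at `if (num > SAL_MAX_UINT16)` saying the flag is deliberately sticky would protect it. Breaking out of the loop early is not an equivalent alternative, because `nPos` must still advance past the remaining characters for `rStr = rStr.copy( nPos )` to strip the same prefix as before. Separately, SAL_MAX_UINT16 is now an in-band error value (and `num == SAL_MAX_UINT16` returns the same value without being flagged), but nothing at the function says so: the commit message vouches only for "at least" the GetTableBox caller and its `nBox >= pBoxes->size()` check. Please document on GetBoxNum that SAL_MAX_UINT16 means "out of range" and that callers must bounds-check the result before indexing.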