-rw-r--r--sw/source/filter/ww8/ww8scan.cxx32
1 files changed, 28 insertions, 4 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index e2a2a87f9daa..3f5d39c8f3c8 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3346,8 +3346,33 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
bIsUnicode);
}
- nLimitFC = nBeginLimitFC +
- (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1);
+ WW8_CP nCpLen;
+ bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ pPieceIter->SetIdx(nOldPos);
+ return;
+ }
+
+ if (bIsUnicode)
+ {
+ bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ pPieceIter->SetIdx(nOldPos);
+ return;
+ }
+ }
+
+ bFail = o3tl::checked_add(nBeginLimitFC, nCpLen, nLimitFC);
+ if (bFail)
+ {
+ SAL_WARN("sw.ww8", "broken offset, ignoring");
+ pPieceIter->SetIdx(nOldPos);
+ return;
+ }
if (nOldEndPos <= nLimitFC)
{
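Review bot: The new `o3tl::checked_sub(nCpEnd, nCpStart, nCpLen)` guard only reports arithmetic overflow, so a piece where nCpEnd is smaller than nCpStart still yields a negative nCpLen without tripping bFail. In that case nLimitFC ends up below nBeginLimitFC and the `nOldEndPos <= nLimitFC` comparison runs on a limit that looks invalid; unless an earlier check outside this hunk already guarantees nCpEnd >= nCpStart, the first test should reject that too, e.g. `if (bFail || nCpLen < 0)`. The three failure branches are also identical (warn, `pPieceIter->SetIdx(nOldPos)`, return), so a small local lambda or helper would keep them from drifting apart when one is later changed. GetSprms starts and ends outside the hunk, so whether `p` is left in a state the caller can safely use on these early returns cannot be confirmed from here and is worth checking.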
@@ -3398,8 +3423,7 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p)
nFcStart,bIsUnicode );
}
- WW8_CP nCpLen;
- bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
+ bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen);
if (bFail)
{
SAL_WARN("sw.ww8", "broken offset, ignoring");