From 149b613ccfa929265df98fc534cc724264fbb776 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Fri, 27 Oct 2017 19:42:26 +0100
Subject: ofz#3840 Integer-overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Id32aa1c298f67c1ec7b56057cf162d947db7e713
Reviewed-on: https://gerrit.libreoffice.org/43965
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 sw/source/filter/ww8/ww8scan.cxx | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 5e6fa76aa4d0..8074ada87347 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1205,10 +1205,17 @@ WW8_FC WW8PLCFx_PCD::AktPieceStartCp2Fc( WW8_CP nCp )
     if( !bVer67 )
         nFC = WW8PLCFx_PCD::TransformPieceAddress( nFC, bIsUnicode );
 
-    WW8_CP nDistance = nCp - nCpStart;
+    WW8_CP nDistance;
+    bool bFail = o3tl::checked_sub(nCp, nCpStart, nDistance);
+    if (bFail)
+    {
+        SAL_WARN("sw.ww8", "broken offset, ignoring");
+        return WW8_FC_MAX;
+    }
+
     if (bIsUnicode)
     {
-        const bool bFail = o3tl::checked_multiply<WW8_CP>(nDistance, 2, nDistance);
+        bFail = o3tl::checked_multiply<WW8_CP>(nDistance, 2, nDistance);
         if (bFail)
         {
             SAL_WARN("sw.ww8", "broken offset, ignoring");
@@ -1217,7 +1224,7 @@ WW8_FC WW8PLCFx_PCD::AktPieceStartCp2Fc( WW8_CP nCp )
     }
 
     WW8_FC nRet;
-    const bool bFail = o3tl::checked_add(nFC, nDistance, nRet);
+    bFail = o3tl::checked_add(nFC, nDistance, nRet);
     if (bFail)
     {
         SAL_WARN("sw.ww8", "broken offset, ignoring");
-- 
cgit