From 483b96874a07dc2997367e5627f537686e92f851 Mon Sep 17 00:00:00 2001
From: Aron Budea <aron.budea@collabora.com>
Date: Sun, 13 Feb 2022 06:57:16 +0100
Subject: tdf#147014 Image missing due to integer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

32-bit awt::Point/Size/Rectangle cannot fit size of 1M rows with
larger (eg. 5x the usual) height, and could overflow.

This causes problems in 64-bit Linux builds and, since the
following commit, in 64-bit Windows builds:
3d90997fb6f232d8008df4d166d7b97b869c200f

For now, clamp possibly overflowing values to 32-bit.

Change-Id: Ifda7265703388abdfb47f523da4f0c5822358404
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129876
Tested-by: Jenkins
Reviewed-by: Luboš Luňák <l.lunak@collabora.com>
Reviewed-by: Aron Budea <aron.budea@collabora.com>
Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132168
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132205
---
 sc/qa/unit/data/xlsx/tdf147014.xlsx      | Bin 0 -> 8734 bytes
 sc/qa/unit/subsequent_filters-test2.cxx  |  17 +++++++++++++++++
 sc/source/filter/oox/worksheethelper.cxx |  24 +++++++++++++++++++-----
 3 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 sc/qa/unit/data/xlsx/tdf147014.xlsx

diff --git a/sc/qa/unit/data/xlsx/tdf147014.xlsx b/sc/qa/unit/data/xlsx/tdf147014.xlsx
new file mode 100644
index 000000000000..df4428795d9d
Binary files /dev/null and b/sc/qa/unit/data/xlsx/tdf147014.xlsx differ
diff --git a/sc/qa/unit/subsequent_filters-test2.cxx b/sc/qa/unit/subsequent_filters-test2.cxx
index d6b738d43c33..e9b06e3470b7 100644
--- a/sc/qa/unit/subsequent_filters-test2.cxx
+++ b/sc/qa/unit/subsequent_filters-test2.cxx
@@ -202,6 +202,7 @@ public:
     void testDrawCircleInMergeCells();
     void testDeleteCirclesInRowAndCol();
     void testTdf129940();
+    void testTdf147014();
     void testTdf139763ShapeAnchor();
     void testAutofilterNamedRangesXLSX();
     void testInvalidBareBiff5();
@@ -309,6 +310,7 @@ public:
     CPPUNIT_TEST(testDrawCircleInMergeCells);
     CPPUNIT_TEST(testDeleteCirclesInRowAndCol);
     CPPUNIT_TEST(testTdf129940);
+    CPPUNIT_TEST(testTdf147014);
     CPPUNIT_TEST(testTdf139763ShapeAnchor);
     CPPUNIT_TEST(testAutofilterNamedRangesXLSX);
     CPPUNIT_TEST(testInvalidBareBiff5);
@@ -2830,6 +2832,21 @@ void ScFiltersTest2::testTdf129940()
     xDocSh->DoClose();
 }
 
+void ScFiltersTest2::testTdf147014()
+{
+    ScDocShellRef xDocSh = loadDoc(u"tdf147014.", FORMAT_XLSX);
+    CPPUNIT_ASSERT_MESSAGE("Failed to load tdf147014.xlsx", xDocSh.is());
+    uno::Reference<frame::XModel> xModel = xDocSh->GetModel();
+    uno::Reference<sheet::XSpreadsheetDocument> xDoc(xModel, uno::UNO_QUERY_THROW);
+    uno::Reference<container::XIndexAccess> xIA(xDoc->getSheets(), uno::UNO_QUERY_THROW);
+    uno::Reference<drawing::XDrawPageSupplier> xDrawPageSupplier(xIA->getByIndex(0),
+                                                                 uno::UNO_QUERY_THROW);
+    xIA.set(xDrawPageSupplier->getDrawPage(), uno::UNO_QUERY_THROW);
+    // The sheet has a single shape, without the fix it was not imported, except in 32-bit builds
+    CPPUNIT_ASSERT_EQUAL_MESSAGE("Shape not imported", static_cast<sal_Int32>(1), xIA->getCount());
+    xDocSh->DoClose();
+}
+
 void ScFiltersTest2::testTdf139763ShapeAnchor()
 {
     ScDocShellRef xDocSh = loadDoc(u"tdf139763ShapeAnchor.", FORMAT_XLSX);
diff --git a/sc/source/filter/oox/worksheethelper.cxx b/sc/source/filter/oox/worksheethelper.cxx
index 6d07bfd57cad..6780db7f9258 100644
--- a/sc/source/filter/oox/worksheethelper.cxx
+++ b/sc/source/filter/oox/worksheethelper.cxx
@@ -76,6 +76,7 @@
 #include <editeng/editobj.hxx>
 #include <editeng/flditem.hxx>
 #include <tools/UnitConversion.hxx>
+#include <tools/gen.hxx>
 
 namespace oox::xls {
 
@@ -96,6 +97,18 @@ void lclUpdateProgressBar( const ISegmentProgressBarRef& rxProgressBar, double f
         rxProgressBar->setPosition( fPosition );
 }
 
+// TODO Needed because input might be >32-bit (in 64-bit builds),
+//  or a negative, already overflown value (in 32-bit builds)
+sal_Int32 lclClampToNonNegativeInt32( tools::Long aVal )
+{
+    if ( aVal > SAL_MAX_INT32 || aVal < 0 )
+    {
+        SAL_WARN( "sc.filter", "Overflow detected, " << aVal << " does not fit into sal_Int32, or is negative." );
+        return SAL_MAX_INT32;
+    }
+    return static_cast<sal_Int32>( aVal );
+}
+
 } // namespace
 
 ColumnModel::ColumnModel() :
@@ -538,9 +551,9 @@ const awt::Size& WorksheetGlobals::getDrawPageSize() const
 
 awt::Point WorksheetGlobals::getCellPosition( sal_Int32 nCol, sal_Int32 nRow ) const
 {
-    awt::Point aPoint;
-    PropertySet aCellProp( getCell( ScAddress( nCol, nRow, getSheetIndex() ) ) );
-    aCellProp.getProperty( aPoint, PROP_Position );
+    const tools::Rectangle aMMRect( getScDocument().GetMMRect( nCol, nRow, nCol, nRow, getSheetIndex() ) );
+    awt::Point aPoint( lclClampToNonNegativeInt32( aMMRect.Left() ),
+                       lclClampToNonNegativeInt32( aMMRect.Top() ) );
     return aPoint;
 }
 
@@ -1360,8 +1373,9 @@ void WorksheetGlobals::groupColumnsOrRows( sal_Int32 nFirstColRow, sal_Int32 nLa
 void WorksheetGlobals::finalizeDrawings()
 {
     // calculate the current drawing page size (after rows/columns are imported)
-    PropertySet aRangeProp( getCellRange( ScRange( 0, 0, getSheetIndex(), mrMaxApiPos.Col(), mrMaxApiPos.Row(), getSheetIndex() ) ) );
-    aRangeProp.getProperty( maDrawPageSize, PROP_Size );
+    const Size aPageSize( getScDocument().GetMMRect( 0, 0, mrMaxApiPos.Col(), mrMaxApiPos.Row(), getSheetIndex() ).GetSize() );
+    maDrawPageSize.Width = lclClampToNonNegativeInt32( aPageSize.Width() );
+    maDrawPageSize.Height = lclClampToNonNegativeInt32( aPageSize.Height() );
 
     // import DML and VML
     if( !maDrawingPath.isEmpty() )
-- 
cgit