From ab2da32b380e068bb131bca6f28c62c0bb9c9fdb Mon Sep 17 00:00:00 2001
From: Miklos Vajna <vmiklos@collabora.co.uk>
Date: Tue, 20 Sep 2016 17:04:50 +0200
Subject: lokdocview: guard against int overflow

If a too large rectangle is parsed, the width or the height may be
larger than std::numeric_limits<int>::max(), in that case just set
width/height to that max value, instead of allowing an overflow.

Change-Id: Ic01319b01a3f9286501c346ea765868be57466a1
(cherry picked from commit 28447258fb6d9b8246f2a96d1a86945ef255d110)
---
 libreofficekit/source/gtk/lokdocview.cxx | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libreofficekit/source/gtk/lokdocview.cxx b/libreofficekit/source/gtk/lokdocview.cxx
index d3c4974d927f..786d827d92d5 100644
--- a/libreofficekit/source/gtk/lokdocview.cxx
+++ b/libreofficekit/source/gtk/lokdocview.cxx
@@ -1019,13 +1019,21 @@ payloadToRectangle (LOKDocView* pDocView, const char* pPayload)
     ++ppCoordinate;
     if (!*ppCoordinate)
         return aRet;
-    aRet.width = atoi(*ppCoordinate);
+    long l = atol(*ppCoordinate);
+    if (l > std::numeric_limits<int>::max())
+        aRet.width = std::numeric_limits<int>::max();
+    else
+        aRet.width = l;
     if (aRet.x + aRet.width > priv->m_nDocumentWidthTwips)
         aRet.width = priv->m_nDocumentWidthTwips - aRet.x;
     ++ppCoordinate;
     if (!*ppCoordinate)
         return aRet;
-    aRet.height = atoi(*ppCoordinate);
+    l = atol(*ppCoordinate);
+    if (l > std::numeric_limits<int>::max())
+        aRet.height = std::numeric_limits<int>::max();
+    else
+        aRet.height = l;
     if (aRet.y + aRet.height > priv->m_nDocumentHeightTwips)
         aRet.height = priv->m_nDocumentHeightTwips - aRet.y;
     g_strfreev(ppCoordinates);
-- 
cgit