From 96ab492b74d9e64051d82f220f65cadedf34a878 Mon Sep 17 00:00:00 2001
From: Mike Kaganski
Date: Mon, 13 Jan 2020 18:48:30 +0300
Subject: tdf#129360: fix old unsigned underflow ... discovered thanks to 62f3f3d92aa204eaaa063b30d7ade44df501b997: properties count may be 0, and unconditionally subtracting 3 from that will give a big number. Previously this was masked by a "Very Hot Fix" in SbxArray::GetRef that was dropped in the said commit. This unifies property count correction in the two places that use it: in WatchTreeListBox::RequestingChildren, where it was correct, and in WatchTreeListBox::UpdateWatches, where underflow happened.
Change-Id: Ie980bc9571b2555cc2f643e770d824d5e2eb3731
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86700
Tested-by: Jenkins
Reviewed-by: Mike Kaganski
---
basctl/source/basicide/baside2b.cxx | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
(limited to 'basctl')
diff --git a/basctl/source/basicide/baside2b.cxx b/basctl/source/basicide/baside2b.cxx
index 83fe6a481768..c6c954d36013 100644
--- a/basctl/source/basicide/baside2b.cxx
+++ b/basctl/source/basicide/baside2b.cxx
@@ -2119,6 +2119,19 @@ void WatchTreeListBox::SetTabs()
 }
 }
+static sal_uInt32 getCorrectedPropCount(SbxArray* p)
+{
+ sal_uInt32 nPropCount = p->Count32();
+ if (nPropCount >= 3
+ && p->Get32(nPropCount - 1)->GetName().equalsIgnoreAsciiCase("Dbg_Methods")
+ && p->Get32(nPropCount - 2)->GetName().equalsIgnoreAsciiCase("Dbg_Properties")
+ && p->Get32(nPropCount - 3)->GetName().equalsIgnoreAsciiCase("Dbg_SupportedInterfaces"))
+ {
+ nPropCount -= 3;
+ }
+ return nPropCount;
+}
+
 void WatchTreeListBox::RequestingChildren( SvTreeListEntry * pParent )
 {
 if( !StarBASIC::IsRunning() )
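Review bot: `getCorrectedPropCount` dereferences `p` and the result of every `p->Get32(...)` call without a check, and nothing on the helper states that precondition or why three entries are dropped. Both callers in this patch pass `pObj->GetProperties()` straight in, so a null array, or a null element if `Get32` can return one (not visible in this diff), would be dereferenced inside the helper. I would add a header comment such as `// Property count without the trailing Dbg_SupportedInterfaces / Dbg_Properties / Dbg_Methods entries, when present; p must be non-null.` so the contract is written down at the one place that now owns this correction.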
@@ -2144,14 +2157,7 @@ void WatchTreeListBox::RequestingChildren( SvTreeListEntry * pParent )
 {
 createAllObjectProperties( pObj );
 SbxArray* pProps = pObj->GetProperties();
- sal_uInt32 nPropCount = pProps->Count32();
- if ( nPropCount >= 3 &&
- pProps->Get32( nPropCount -1 )->GetName().equalsIgnoreAsciiCase( "Dbg_Methods" ) &&
- pProps->Get32( nPropCount -2 )->GetName().equalsIgnoreAsciiCase( "Dbg_Properties" ) &&
- pProps->Get32( nPropCount -3 )->GetName().equalsIgnoreAsciiCase( "Dbg_SupportedInterfaces" ) )
- {
- nPropCount -= 3;
- }
+ const sal_uInt32 nPropCount = getCorrectedPropCount(pProps);
 pItem->maMemberList.reserve(nPropCount);
 for( sal_uInt32 i = 0 ; i < nPropCount ; ++i )
@@ -2488,8 +2494,8 @@ void WatchTreeListBox::UpdateWatches( bool bBasicStopped )
 {
 bool bObjChanged = false; // Check if member list has changed
 SbxArray* pProps = pObj->GetProperties();
- sal_uInt32 nPropCount = pProps->Count32();
- for( sal_uInt32 i = 0 ; i < nPropCount - 3 ; i++ )
+ const sal_uInt32 nPropCount = getCorrectedPropCount(pProps);
+ for( sal_uInt32 i = 0 ; i < nPropCount ; i++ )
 {
 SbxVariable* pVar_ = pProps->Get32( i );
 if( pItem->maMemberList[i] != pVar_->GetName() )
-- cgit
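Review bot: In the `UpdateWatches` hunk, `pItem->maMemberList[i]` is still indexed up to the live `nPropCount` with no comparison against `pItem->maMemberList.size()`. The list appears to be populated in `RequestingChildren` at an earlier point, so if the object exposes more properties now than it did then, the loop would index past the end of the container; the patch removes the underflow but not this mismatch. A length check ahead of the loop would treat a changed count as a changed object, e.g. `if (pItem->maMemberList.size() != nPropCount) bObjChanged = true;`, with the name comparison run only otherwise. The loop body continues outside the hunk, so it is worth confirming that no such guard already exists further down.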