From 03e5263dbedcf7650722f0b1bc18ce069e4ce244 Mon Sep 17 00:00:00 2001
From: Eike Rathke <erack@redhat.com>
Date: Fri, 6 Jan 2017 17:38:39 +0100
Subject: check length of string as this can be called untokenized, tdf#105024
 related

i.e. during import of ODFF

Change-Id: I7f5419d393f89d8a84efca7444e8dde3a3e9199f
(cherry picked from commit b36bf9f567f5b531f526dad6776c84e06203396f)
Reviewed-on: https://gerrit.libreoffice.org/32791
Reviewed-by: Eike Rathke <erack@redhat.com>
Tested-by: Jenkins <ci@libreoffice.org>
---
 formula/source/core/api/FormulaCompiler.cxx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'formula')

diff --git a/formula/source/core/api/FormulaCompiler.cxx b/formula/source/core/api/FormulaCompiler.cxx
index 66c92fb08e3f..a271410d5a65 100644
--- a/formula/source/core/api/FormulaCompiler.cxx
+++ b/formula/source/core/api/FormulaCompiler.cxx
@@ -1188,8 +1188,9 @@ FormulaError FormulaCompiler::GetErrorConstant( const OUString& rName ) const
     else
     {
         // Per convention recognize detailed "#ERRxxx!" constants, always
-        // untranslated.
-        if (rName.startsWithIgnoreAsciiCase("#ERR") && rName[rName.getLength()-1] == '!')
+        // untranslated. Error numbers are sal_uInt16 so at most 5 decimal
+        // digits.
+        if (rName.startsWithIgnoreAsciiCase("#ERR") && rName.getLength() <= 10 && rName[rName.getLength()-1] == '!')
         {
             sal_uInt32 nErr = rName.copy( 4, rName.getLength() - 5).toUInt32();
             if (0 < nErr && nErr <= SAL_MAX_UINT16 && isPublishedFormulaError(static_cast<FormulaError>(nErr)))
-- 
cgit