From 14ce4b337232f8fb21cc67e7a2844a7de81dfc4c Mon Sep 17 00:00:00 2001
From: Umesh Kadam
Date: Thu, 29 May 2014 12:59:13 +0530
Subject: fdo#78906 : File crashes while opening.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Handled a memory corruption.
Change-Id: I195d17bcd0a9a86bcc96cc7ad14f1d5f2908cf8c
Reviewed-on: https://gerrit.libreoffice.org/9545
Reviewed-by: Caolán McNamara
Tested-by: Caolán McNamara
---
 vcl/generic/glyphs/scrptrun.cxx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'vcl')
diff --git a/vcl/generic/glyphs/scrptrun.cxx b/vcl/generic/glyphs/scrptrun.cxx
index 9e8eef000917..f72d296f060d 100644
--- a/vcl/generic/glyphs/scrptrun.cxx
+++ b/vcl/generic/glyphs/scrptrun.cxx
@@ -207,7 +207,14 @@ UBool ScriptRun::next()
 // pop it from the stack
 if (pairIndex >= 0 && (pairIndex & 1) != 0 && parenSP >= 0) {
 parenSP -= 1;
- startSP -= 1;
+ /* decrement startSP only if it is >= 0,
+ decrementing it unnecessarily will lead to memory corruption
+ while processing the above while block.
+ e.g. startSP = -4 , parenSP = -1
+ */
+ if (startSP >= 0) {
+ startSP -= 1;
+ }
 }
 } else {
 // if the run broke on a surrogate pair,
-- cgit
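Review bot: The new `if (startSP >= 0)` guard keeps this branch from pushing startSP below -1, but the out-of-bounds access it protects against is in "the above while block" named in the comment, which lies outside this hunk and is not hardened by the change. If any other path can leave startSP out of range, that loop would presumably still index the paren stack with a bad value, so a check at the point of use such as `assert(startSP >= -1);` (or a clamp) would make the fix hold independently of this one decrement. The comment currently restates the condition; it would read better as the invariant, for example `// startSP must stay >= -1: it is used as a stack index in the loop above`, keeping the `startSP = -4 , parenSP = -1` example as the observed failure state. ScriptRun::next() begins and ends outside the hunk.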