Hi,
I have submitted a patch for review:
https://gerrit.libreoffice.org/3340
To pull it, you can do:
git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/40/3340/1
prevent vector and sequence out of bounds access, fdo#60300
This fixes the symptom of the crash but not the underlying cause why a
subtotal count would be wrong.
(cherry picked from commit 8bd3be9915ff28458d010fc8f0a1a1ab66d730b0)
Conflicts:
sc/source/core/data/dpoutput.cxx
Change-Id: I3782b5e39f18bc65ffe510b847ffa7969a26cd37
---
M sc/source/core/data/dpoutput.cxx
1 file changed, 42 insertions(+), 12 deletions(-)
diff --git a/sc/source/core/data/dpoutput.cxx b/sc/source/core/data/dpoutput.cxx
index d78f83e..380e1f3 100644
--- a/sc/source/core/data/dpoutput.cxx
+++ b/sc/source/core/data/dpoutput.cxx
@@ -1707,11 +1707,19 @@
{
// grand total is always automatic
sal_Int32 nDataPos = j - ( nSize - nGrandTotals );
- OSL_ENSURE( nDataPos < (sal_Int32)rDataNames.size(), "wrong data count" );
- rtl::OUString aSourceName( rDataNames[nDataPos] ); // vector contains
source names
- rtl::OUString aGivenName( rGivenNames[nDataPos] );
+ if (nDataPos >= 0 && nDataPos < (sal_Int32)rDataNames.size() &&
+ nDataPos < (sal_Int32)rGivenNames.size())
+ {
+ OUString aSourceName( rDataNames[nDataPos] ); // vector contains
source names
+ OUString aGivenName( rGivenNames[nDataPos] );
- rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ }
+ else
+ {
+ OSL_FAIL( "wrong data count for grand total" );
+ rResult[j] = false;
+ }
}
}
@@ -1747,27 +1755,49 @@
rtl::OUString aSourceName( rDataNames[nDataPos] ); // vector
contains source names
rtl::OUString aGivenName( rGivenNames[nDataPos] );
- OSL_ENSURE( nFuncPos < aSubTotals.getLength(), "wrong subtotal count" );
- rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName ) &&
+ if (nFuncPos < aSubTotals.getLength())
+ {
+ rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName )
&&
aSubTotals[nFuncPos] == aFilter.meFunction;
+ }
+ else
+ {
+ OSL_FAIL( "wrong subtotal count for manual subtotals and several data
fields" );
+ rResult[j] = false;
+ }
}
else
{
// manual subtotals for a single data field
- OSL_ENSURE( nSubTotalCount < aSubTotals.getLength(), "wrong subtotal
count" );
- rResult[j] = ( aSubTotals[nSubTotalCount] == aFilter.meFunction );
+ if (nSubTotalCount < aSubTotals.getLength())
+ {
+ rResult[j] = ( aSubTotals[nSubTotalCount] == aFilter.meFunction );
+ }
+ else
+ {
+ OSL_FAIL( "wrong subtotal count for manual subtotals for a single data
field" );
+ rResult[j] = false;
+ }
}
}
else // automatic subtotals
{
if ( rBeforeDataLayout )
{
- OSL_ENSURE( nSubTotalCount < (sal_Int32)rDataNames.size(), "wrong data
count" );
- rtl::OUString aSourceName( rDataNames[nSubTotalCount] ); // vector
contains source names
- rtl::OUString aGivenName( rGivenNames[nSubTotalCount] );
+ if (nSubTotalCount < (sal_Int32)rDataNames.size() &&
+ nSubTotalCount < (sal_Int32)rGivenNames.size())
+ {
+ OUString aSourceName( rDataNames[nSubTotalCount] ); // vector
contains source names
+ OUString aGivenName( rGivenNames[nSubTotalCount] );
- rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ rResult[j] = lcl_IsNamedDataField( rTarget, aSourceName, aGivenName );
+ }
+ else
+ {
+ OSL_FAIL( "wrong data count for automatic subtotals" );
+ rResult[j] = false;
+ }
}
// if a function was specified, automatic subtotals never match
--
To view, visit https://gerrit.libreoffice.org/3340
To unsubscribe, visit https://gerrit.libreoffice.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3782b5e39f18bc65ffe510b847ffa7969a26cd37
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0
Gerrit-Owner: Eike Rathke <erack@redhat.com>
Context
- [PATCH libreoffice-4-0] prevent vector and sequence out of bounds access, fdo#60300 · Eike Rathke (via Code Review)
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.