Hi,
I have submitted a patch for review:
https://gerrit.libreoffice.org/3562
To pull it, you can do:
git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/62/3562/1
fixed a mess of out of bounds string accesses
(cherry picked from commit 5cd4300f7ffc24d6bc0ed5704f37a04852fd322b)
Conflicts:
svl/source/numbers/zformat.cxx
Change-Id: I800840e1b3c0d97a049b3ceba0ec244365dc8e6b
---
M svl/source/numbers/zformat.cxx
1 file changed, 40 insertions(+), 21 deletions(-)
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 1b12669..545d6cc 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -1412,6 +1412,21 @@
return (cToken == ']' || nPos == nLen) ? LocaleType(nNum) : LocaleType();
}
+static bool lcl_matchKeywordAndGetNumber( const OUString & rString, const sal_Int32 nPos,
+ const OUString & rKeyword, sal_Int32 & nNumber )
+{
+ if (0 <= nPos && nPos + rKeyword.getLength() < rString.getLength() &&
rString.matchIgnoreAsciiCase( rKeyword, nPos))
+ {
+ nNumber = rString.copy( nPos + rKeyword.getLength()).toInt32();
+ return true;
+ }
+ else
+ {
+ nNumber = 0;
+ return false;
+ }
+}
+
short SvNumberformat::ImpNextSymbol(OUStringBuffer& rString,
sal_Int32& nPos,
OUString& sSymbol)
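Review bot: `lcl_matchKeywordAndGetNumber` has no comment stating its contract, and two details in it are easy to misread. The strict `<` in `nPos + rKeyword.getLength() < rString.getLength()` requires at least one character after the keyword, and `nNumber` is taken from `toInt32()` over the whole remaining tail, so it is not limited to one digit and presumably can be negative when a sign follows. The callers in the next hunk copy exactly keyword length + 1 characters, so they have to range-check the value themselves. A header comment would make this explicit, for example `// Matches rKeyword at nPos (ASCII case-insensitive) and parses the integer following it; needs at least one char after the keyword. Caller must range-check nNumber.`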
@@ -1514,43 +1529,47 @@
{
const OUString aNatNum("NATNUM");
const OUString aDBNum("DBNUM");
- OUString aUpperNatNum( rChrCls().uppercase( rString.toString(), nPos-1,
aNatNum.getLength() ) );
- OUString aUpperDBNum( rChrCls().uppercase( rString.toString(), nPos-1,
aDBNum.getLength() ) );
- sal_Unicode cUpper = aUpperNatNum[0];
- sal_Int32 nNatNumNum = rString.toString().copy( nPos - 1 + aNatNum.getLength()
).toInt32();
- sal_Unicode cDBNum = rString[ nPos - 1 + aDBNum.getLength()];
- if ( aUpperNatNum == aNatNum && 0 <= nNatNumNum && nNatNumNum <= 19 )
+ const OUString aBufStr( rString.toString());
+ sal_Int32 nNatNumNum;
+ sal_Int32 nDBNum;
+ if ( lcl_matchKeywordAndGetNumber( aBufStr, nPos-1, aNatNum, nNatNumNum) &&
+ 0 <= nNatNumNum && nNatNumNum <= 19 )
{
sBuffSymbol.stripStart((sal_Unicode)'[');
- sBuffSymbol.append( rString.toString().copy( --nPos, aNatNum.getLength()+1 ));
+ sBuffSymbol.append( aBufStr.copy( --nPos, aNatNum.getLength()+1 ));
nPos += aNatNum.getLength()+1;
//! SymbolType is negative
eSymbolType = (short) (BRACKET_SYMBOLTYPE_NATNUM0 - nNatNumNum);
eState = SsGetPrefix;
}
- else if ( aUpperDBNum == aDBNum && '1' <= cDBNum && cDBNum <= '9' )
+ else if ( lcl_matchKeywordAndGetNumber( aBufStr, nPos-1, aDBNum, nDBNum) &&
+ '1' <= nDBNum && nDBNum <= '9' )
{
sBuffSymbol.stripStart((sal_Unicode)'[');
sBuffSymbol.append(rString.toString().copy( --nPos, aDBNum.getLength()+1 ));
nPos += aDBNum.getLength()+1;
//! SymbolType is negative
- eSymbolType = sal::static_int_cast< short >( BRACKET_SYMBOLTYPE_DBNUM1 -
(cDBNum - '1'));
+ eSymbolType = sal::static_int_cast< short >( BRACKET_SYMBOLTYPE_DBNUM1 -
(nDBNum - '1'));
eState = SsGetPrefix;
- }
- else if (cUpper == rKeywords[NF_KEY_H][0] || // H
- cUpper == rKeywords[NF_KEY_MI][0] || // M
- cUpper == rKeywords[NF_KEY_S][0] ) // S
- {
- sBuffSymbol.append(cToken);
- eState = SsGetTime;
- cLetter = cToken;
}
else
{
- sBuffSymbol.stripStart((sal_Unicode)'[');
- sBuffSymbol.append(cToken);
- eSymbolType = BRACKET_SYMBOLTYPE_COLOR;
- eState = SsGetPrefix;
+ sal_Unicode cUpper = rChrCls().uppercase( aBufStr, nPos-1, 1)[0];
+ if ( cUpper == rKeywords[NF_KEY_H][0] || // H
+ cUpper == rKeywords[NF_KEY_MI][0] || // M
+ cUpper == rKeywords[NF_KEY_S][0] ) // S
+ {
+ sBuffSymbol.append(cToken);
+ eState = SsGetTime;
+ cLetter = cToken;
+ }
+ else
+ {
+ sBuffSymbol.stripStart((sal_Unicode)'[');
+ sBuffSymbol.append(cToken);
+ eSymbolType = BRACKET_SYMBOLTYPE_COLOR;
+ eState = SsGetPrefix;
+ }
}
}
}
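Review bot: The DBNUM branch still compares against character literals although `nDBNum` is now the integer returned by `toInt32()`. `'1' <= nDBNum && nDBNum <= '9'` holds only for 49..57, so `[DBNum1]` to `[DBNum9]` no longer match and fall through to the time/color branch. The test should read `1 <= nDBNum && nDBNum <= 9` and the symbol computation `BRACKET_SYMBOLTYPE_DBNUM1 - (nDBNum - 1)`. The same branch also keeps `rString.toString().copy( --nPos, ...)` where the NATNUM branch was switched to `aBufStr`. The enclosing function starts and ends outside this hunk, so whether `uppercase( aBufStr, nPos-1, 1)[0]` can ever index an empty result could not be checked here.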
--
To view, visit https://gerrit.libreoffice.org/3562
To unsubscribe, visit https://gerrit.libreoffice.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I800840e1b3c0d97a049b3ceba0ec244365dc8e6b
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0
Gerrit-Owner: Eike Rathke <erack@redhat.com>