This is an automated email from the ASF dual-hosted git repository.
damjan pushed a commit to branch AOO42X
in repository https://gitbox.apache.org/repos/asf/openoffice.git
The following commit(s) were added to refs/heads/AOO42X by this push:
new 93440cfe8c Fix a bug where an integer underflow causes a comparison to
go wrong when the integer types are 32 bit, instead of the previous 16 bit
which hid the bug, which causes valid elements to not get found like they
should be, leading to NULL pointer access crashes.
93440cfe8c is described below
commit 93440cfe8c5159735f8bce693fbafd7479717510
Author: Damjan Jovanovic <dam...@apache.org>
AuthorDate: Wed Jan 3 07:43:52 2024 +0200
Fix a bug where an integer underflow causes a comparison to go wrong when
the
integer types are 32 bit, instead of the previous 16 bit which hid the bug,
which causes valid elements to not get found like they should be, leading to
NULL pointer access crashes.
Fixes: #128579 - 32-bit editengine regression causes a crash when opening
PPT files
Patch by: me
(cherry picked from commit 294ee1400602b0a60dabfaa12034b85c1df06f8f)
---
main/editeng/source/editeng/editdoc2.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main/editeng/source/editeng/editdoc2.cxx
b/main/editeng/source/editeng/editdoc2.cxx
index 91f315ef05..c96fbdf64d 100644
--- a/main/editeng/source/editeng/editdoc2.cxx
+++ b/main/editeng/source/editeng/editdoc2.cxx
@@ -330,7 +330,7 @@ static sal_uInt32 FastGetPos( const VoidPtr *pPtrArray,
sal_uInt32 nPtrArrayLen,
if( rLastPos > 16 )
{
sal_uInt32 nEnd;
- if (rLastPos > nPtrArrayLen - 2)
+ if (rLastPos + 2 > nPtrArrayLen)
nEnd = nPtrArrayLen;
else
nEnd = rLastPos + 2;
