sw/source/filter/ww8/ww8scan.cxx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
New commits: commit 42878f5459ac405f1938d3174e1aef1a2228c8fa Author: Caolán McNamara <caol...@redhat.com> Date: Mon Jan 22 09:04:05 2018 +0000 ofz#5561 Integer-overflow Change-Id: I57660848190efff8e6354670eb68b60ed57f0094 Reviewed-on: https://gerrit.libreoffice.org/48308 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 57a94783e239..dd8d2479233a 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -1464,7 +1464,17 @@ WW8_CP WW8ScannerBase::WW8Fc2Cp( WW8_FC nFcPos ) const { bIsUnicode = m_pWw8Fib->m_fExtChar; } - sal_Int32 nLen = (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1); + + sal_Int32 nLen = nCpEnd - nCpStart; + if (bIsUnicode) + { + bool bFail = o3tl::checked_multiply<WW8_CP>(nLen, 2, nLen); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + return WW8_CP_MAX; + } + } /* If this cp is inside this piece, or it's the last piece and we are _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits