[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-1' - 14 commits - drawinglayer/source hwpfilter/source include/o3tl sc/source sw/qa sw/source vcl/source writerfilter/source

Thu, 03 Mar 2022 04:41:57 -0800 

 drawinglayer/source/tools/emfphelperdata.cxx             |   31 -
 hwpfilter/source/drawing.h                               |   50 +-
 hwpfilter/source/hcode.cxx                               |    2 
 hwpfilter/source/hwpfile.cxx                             |    9 
 hwpfilter/source/hwpfile.h                               |    2 
 hwpfilter/source/hwpread.cxx                             |   20 
 hwpfilter/source/hwpreader.cxx                           |   15 
 include/o3tl/safeint.hxx                                 |    8 
 sc/source/filter/lotus/op.cxx                            |   11 
 sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf        |  347 +++++++++++++++
 sw/qa/extras/layout/layout.cxx                           |    5 
 sw/source/core/layout/tabfrm.cxx                         |    1 
 vcl/source/fontsubset/sft.cxx                            |    2 
 vcl/source/fontsubset/ttcr.cxx                           |   36 +
 writerfilter/source/dmapper/DomainMapperTableManager.cxx |    2 
 15 files changed, 477 insertions(+), 64 deletions(-)

New commits:
commit 24ee70d29362e15b8bc9d5e4b90afccd7cbe5320
Author:     Caolán McNamara <[email protected]>
AuthorDate: Tue Mar 1 10:18:51 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:07 2022 +0100

    ofz: don't register style if hbox load failed
    
    Change-Id: I4d9d5d76f0c2385871003720e933ed1926f66c70
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130771
    Reviewed-by: Michael Stahl <[email protected]>
    Tested-by: Jenkins
    (cherry picked from commit 3ac009bfec614ece98313c6444b4c1183ff14954)
    (cherry picked from commit 8abce17e43858d85325f05cb46d0b8d717356919)

diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx
index 906246b2b69c..1ef27f7c243f 100644
--- a/hwpfilter/source/hwpread.cxx
+++ b/hwpfilter/source/hwpread.cxx
@@ -233,7 +233,6 @@ bool TxtBox::Read(HWPFile & hwpf)
     hwpf.Read2b(&option, 1);
     hwpf.Read2b(&ctrl_ch, 1);
     hwpf.Read2b(style.margin, 12);
-    hwpf.AddFBoxStyle(&style);
     hwpf.Read2b(&box_xs, 1);
     hwpf.Read2b(&box_ys, 1);
     hwpf.Read2b(&cap_xs, 1);
@@ -361,7 +360,10 @@ bool TxtBox::Read(HWPFile & hwpf)
     else
         m_pTable = nullptr;
 
-    return !hwpf.State();
+    bSuccess = !hwpf.State();
+    if (bSuccess)
+        hwpf.AddFBoxStyle(&style);
+    return bSuccess;
 }
 
 // picture(11)
@@ -482,12 +484,14 @@ bool Picture::Read(HWPFile & hwpf)
         style.boxtype = 'G';
     else
         style.boxtype = 'D';
-    hwpf.AddFBoxStyle(&style);
 
 // caption
     hwpf.ReadParaList(caption);
 
-    return !hwpf.State();
+    bool bSuccess = !hwpf.State();
+    if (bSuccess)
+        hwpf.AddFBoxStyle(&style);
+    return bSuccess;
 }
 
 // line(15)
@@ -525,7 +529,6 @@ bool Line::Read(HWPFile & hwpf)
     hwpf.Read2b(&option, 1);
     hwpf.Read2b(&ctrl_ch, 1);
     hwpf.Read2b(style.margin, 12);
-    hwpf.AddFBoxStyle(&style);
     hwpf.Read2b(&box_xs, 1);
     hwpf.Read2b(&box_ys, 1);
     hwpf.Read2b(&cap_xs, 1);
@@ -554,7 +557,10 @@ bool Line::Read(HWPFile & hwpf)
     hwpf.Read2b(&color, 1);
     style.xpos = width;
 
-    return !hwpf.State();
+    bool bSuccess = !hwpf.State();
+    if (bSuccess)
+        hwpf.AddFBoxStyle(&style);
+    return bSuccess;
 }
 
 // hidden(15)
commit db916c9f9dc68b25e01fde68a36156644b23ba1f
Author:     Caolán McNamara <[email protected]>
AuthorDate: Sun Feb 27 21:17:52 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    ofz#44991 keep paragraph's that failed to load until import is complete
    
    to avoid dangling references to them
    
    Change-Id: Ic8710f63a8cf6a6a665348c7c84bf0b43f0e2c83
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130643
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit 4836ac408b04225b66246671e29a54cd0d6703cf)

diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h
index b6ed1971672a..7fa700971414 100644
--- a/hwpfilter/source/drawing.h
+++ b/hwpfilter/source/drawing.h
@@ -316,7 +316,7 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, 
unsigned short * link_info)
      return hmem->skipBlock(size - common_size ) != 0;
 }
 
-static std::unique_ptr<HWPDrawingObject> LoadDrawingObject(void)
+static std::unique_ptr<HWPDrawingObject> LoadDrawingObject(HWPFile& hwpf)
 {
     HWPDrawingObject *prev = nullptr;
     std::unique_ptr<HWPDrawingObject> hdo, head;
@@ -355,7 +355,7 @@ static std::unique_ptr<HWPDrawingObject> 
LoadDrawingObject(void)
         }
         if (link_info & HDOFILE_HAS_CHILD)
         {
-            hdo->child = LoadDrawingObject();
+            hdo->child = LoadDrawingObject(hwpf);
             if (hdo->child == nullptr)
             {
                 goto error;
@@ -384,6 +384,11 @@ error:
     {
         hdo->type = HWPDO_RECT;
     }
+    if (hdo->property.pPara)
+    {
+        hwpf.move_to_failed(std::unique_ptr<HWPPara>(hdo->property.pPara));
+        hdo->property.pPara = nullptr;
+    }
     HWPDOFunc(hdo.get(), OBJFUNC_FREE, nullptr, 0);
     hdo.reset();
 
@@ -397,7 +402,7 @@ error:
 }
 
 
-static bool LoadDrawingObjectBlock(Picture * pic)
+static bool LoadDrawingObjectBlock(Picture * pic, HWPFile& hwpf)
 {
     int size;
     if (!hmem->read4b(size))
@@ -423,7 +428,7 @@ static bool LoadDrawingObjectBlock(Picture * pic)
         !hmem->skipBlock(size - HDOFILE_HEADER_SIZE))
         return false;
 
-    pic->picinfo.picdraw.hdo = LoadDrawingObject().release();
+    pic->picinfo.picdraw.hdo = LoadDrawingObject(hwpf).release();
     if (pic->picinfo.picdraw.hdo == nullptr)
         return false;
     return true;
diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx
index 439e54d2465a..8b1df15aa3f6 100644
--- a/hwpfilter/source/hwpfile.cxx
+++ b/hwpfilter/source/hwpfile.cxx
@@ -251,7 +251,7 @@ void HWPFile::ReadParaList(std::vector < HWPPara* > &aplist)
         aplist.push_back(spNode.release());
         spNode.reset( new HWPPara );
     }
-    pfailedlist.push_back(std::move(spNode));
+    move_to_failed(std::move(spNode));
 }
 
 bool HWPFile::ReadParaList(std::vector< std::unique_ptr<HWPPara> > &aplist, 
unsigned char flag)
@@ -285,11 +285,16 @@ bool HWPFile::ReadParaList(std::vector< 
std::unique_ptr<HWPPara> > &aplist, unsi
         aplist.push_back(std::move(spNode));
         spNode.reset( new HWPPara );
     }
-    pfailedlist.push_back(std::move(spNode));
+    move_to_failed(std::move(spNode));
 
     return true;
 }
 
+void HWPFile::move_to_failed(std::unique_ptr<HWPPara> xPara)
+{
+    pfailedlist.push_back(std::move(xPara));
+}
+
 void HWPFile::TagsRead()
 {
     while (true)
diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h
index 3fe580ece7e6..69b5f933b541 100644
--- a/hwpfilter/source/hwpfile.h
+++ b/hwpfilter/source/hwpfile.h
@@ -258,6 +258,8 @@ class DLLEXPORT HWPFile
         }
         void pop_hpara_type() { element_import_stack.pop_back(); }
 
+        void move_to_failed(std::unique_ptr<HWPPara> rPara);
+
     private:
         int compareCharShape(CharShape const *shape);
         int compareParaShape(ParaShape const *shape);
diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx
index 1ed8001513af..906246b2b69c 100644
--- a/hwpfilter/source/hwpread.cxx
+++ b/hwpfilter/source/hwpread.cxx
@@ -463,7 +463,7 @@ bool Picture::Read(HWPFile & hwpf)
             HMemIODev* pOldMem = hmem;
             HMemIODev* pNewMem = new HMemIODev(reinterpret_cast<char 
*>(follow.data()), follow_block_size);
             hmem = pNewMem;
-            LoadDrawingObjectBlock(this);
+            LoadDrawingObjectBlock(this, hwpf);
             style.cell = picinfo.picdraw.hdo;
             assert(hmem == pNewMem);
             delete pNewMem;
commit 49c8a7b96f47071c1a961b334e70b2f5c7c7b288
Author:     Noel Grandin <[email protected]>
AuthorDate: Tue Oct 23 09:27:51 2018 +0200
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    loplugin:useuniqueptr in LoadDrawingObject
    
    Change-Id: I6d6204128f40a87bc05987fa1ce724cf1d95aac1
    Reviewed-on: https://gerrit.libreoffice.org/62220
    Tested-by: Jenkins
    Reviewed-by: Noel Grandin <[email protected]>
    (cherry picked from commit 55f0b65b0568b8a8b1d823578eea1cbf633f4134)

diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h
index c720c3b947ff..b6ed1971672a 100644
--- a/hwpfilter/source/drawing.h
+++ b/hwpfilter/source/drawing.h
@@ -316,17 +316,17 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, 
unsigned short * link_info)
      return hmem->skipBlock(size - common_size ) != 0;
 }
 
-static HWPDrawingObject *LoadDrawingObject(void)
+static std::unique_ptr<HWPDrawingObject> LoadDrawingObject(void)
 {
-    HWPDrawingObject *hdo, *head, *prev;
+    HWPDrawingObject *prev = nullptr;
+    std::unique_ptr<HWPDrawingObject> hdo, head;
 
     unsigned short link_info;
 
-    head = prev = nullptr;
     do
     {
-        hdo = new HWPDrawingObject;
-        if (!LoadCommonHeader(hdo, &link_info))
+        hdo.reset(new HWPDrawingObject);
+        if (!LoadCommonHeader(hdo.get(), &link_info))
         {
             goto error;
         }
@@ -340,7 +340,7 @@ static HWPDrawingObject *LoadDrawingObject(void)
         }
         else
         {
-            switch (int res = HWPDOFunc(hdo, OBJFUNC_LOAD, nullptr, 0))
+            switch (int res = HWPDOFunc(hdo.get(), OBJFUNC_LOAD, nullptr, 0))
             {
                 case OBJRET_FILE_ERROR:
                     goto error;
@@ -355,22 +355,28 @@ static HWPDrawingObject *LoadDrawingObject(void)
         }
         if (link_info & HDOFILE_HAS_CHILD)
         {
-            hdo->child.reset( LoadDrawingObject() );
+            hdo->child = LoadDrawingObject();
             if (hdo->child == nullptr)
             {
                 goto error;
             }
         }
         if (prev == nullptr)
-            head = hdo;
+        {
+            prev = hdo.get();
+            head = std::move(hdo);
+        }
         else
-            prev->next.reset( hdo );
-        prev = hdo;
+        {
+            prev = hdo.get();
+            prev->next = std::move( hdo );
+        }
     }
     while (link_info & HDOFILE_HAS_NEXT);
 
     return head;
-    error:
+
+error:
 // drawing object can be list.
 // hdo = current item, head = list;
 
@@ -378,8 +384,8 @@ static HWPDrawingObject *LoadDrawingObject(void)
     {
         hdo->type = HWPDO_RECT;
     }
-    HWPDOFunc(hdo, OBJFUNC_FREE, nullptr, 0);
-    delete hdo;
+    HWPDOFunc(hdo.get(), OBJFUNC_FREE, nullptr, 0);
+    hdo.reset();
 
     if( prev )
     {
@@ -417,7 +423,7 @@ static bool LoadDrawingObjectBlock(Picture * pic)
         !hmem->skipBlock(size - HDOFILE_HEADER_SIZE))
         return false;
 
-    pic->picinfo.picdraw.hdo = LoadDrawingObject();
+    pic->picinfo.picdraw.hdo = LoadDrawingObject().release();
     if (pic->picinfo.picdraw.hdo == nullptr)
         return false;
     return true;
commit 44bdbe696bc3dc733fd95fc6320ceee22e6f20a5
Author:     Mike Kaganski <[email protected]>
AuthorDate: Sun Oct 21 22:08:21 2018 +0200
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    tdf#120703 (PVS): redundant nullptr check
    
    V668 There is no sense in testing the 'hdo' pointer against null, as the
         memory was allocated using the 'new' operator. The exception will be
         generated in the case of memory allocation error.
    
    Change-Id: Ic889dcba4e9d77a6dd27dd1603ed37d39e9fe581
    Reviewed-on: https://gerrit.libreoffice.org/62152
    Tested-by: Jenkins
    Reviewed-by: Mike Kaganski <[email protected]>
    (cherry picked from commit 2f6d20d4ff8a308979f84d823211408363502fac)

diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h
index 806a48748bf7..c720c3b947ff 100644
--- a/hwpfilter/source/drawing.h
+++ b/hwpfilter/source/drawing.h
@@ -374,16 +374,13 @@ static HWPDrawingObject *LoadDrawingObject(void)
 // drawing object can be list.
 // hdo = current item, head = list;
 
-    if (hdo != nullptr)
+    if (hdo->type < 0 || hdo->type >= HWPDO_NITEMS)
     {
-        if (hdo->type < 0 || hdo->type >= HWPDO_NITEMS)
-        {
-            hdo->type = HWPDO_RECT;
-        }
-
-        HWPDOFunc(hdo, OBJFUNC_FREE, nullptr, 0);
-        delete hdo;
+        hdo->type = HWPDO_RECT;
     }
+    HWPDOFunc(hdo, OBJFUNC_FREE, nullptr, 0);
+    delete hdo;
+
     if( prev )
     {
         prev->next = nullptr;
commit f02a24ef1922d7c90d427ae3ac6babb36f26b059
Author:     Caolán McNamara <[email protected]>
AuthorDate: Tue Mar 1 09:35:34 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    ofz: glyph data must be at least 10 bytes long to be useful
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130767
    Reviewed-by: Michael Stahl <[email protected]>
    Tested-by: Jenkins
    (cherry picked from commit b228045cf3fb50128fd40a8f26376443ad22f874)
    
    Change-Id: I312c33c598013feced15c6f2dbcc66e493b703e6

diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx
index 4af9c1b7cce1..0c0c639aacda 100644
--- a/vcl/source/fontsubset/ttcr.cxx
+++ b/vcl/source/fontsubset/ttcr.cxx
@@ -1269,7 +1269,7 @@ static void ProcessTables(TrueTypeCreator *tt)
 
         /* printf("IDs: %d %d.\n", gd->glyphID, gd->newID); */
 
-        if (gd->nbytes != 0) {
+        if (gd->nbytes >= 10) {
             z = GetInt16(gd->ptr, 2);
             if (z < xMin) xMin = z;
 
commit ec8dda5969a7f6f65c1f09598c7dcfc4d7e6913b
Author:     Caolán McNamara <[email protected]>
AuthorDate: Tue Mar 1 11:45:23 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    protect frame from triggering deleting itself
    
    LIBREOFFICE-N4LA0OHZ
    
    Change-Id: I0d24277665a317f047b286fe0f0878b3814ded65
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130766
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>
    (cherry picked from commit ee2a192923bf709d05c174848e7054cd411b205a)
    (cherry picked from commit 3d3c6462eeef581af2b936071c3ef432858b04a5)

diff --git a/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf 
b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf
new file mode 100755
index 000000000000..47d284aa5753
--- /dev/null
+++ b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf
@@ -0,0 +1,347 @@
+{\rtf1\ansi\ansicpg1252\deff0
+{\fontttbl
+\f0\froman\fcharset0 Times;
+\f1\fswiss\fcharset0 Helvetica;
+\f2\fmodern\fcharset0 Courier;
+\f3\ftech\fcharset2 S�mbol;
+}
+{]colortbl
+;
+\red127\green255\blue212;
+\red0\green0\blue0;
+\red0\green0\blue255;
+\red25\green0\blue255;
+\red190\green190\blue190;
+\red0\green255\blue0;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red176\green48\blue96;
+\red0\green0\blue128;
+\red85\green107\blue47;
+\red160\green32\blue240;
+\red255\green0\blue0;
+\red192\green-1733928082104\blue192;
+\red0\green128\blue128;
+\red255\green255\blue255;
+\red255\green255\blue0;
+}
+{\info
+{\*\userprops
+{\propname creator}\proptype30
+{\staticval XMLmind FO Converter}
+}
+}
+\facingp\masgmirror\fet0\ftnbj
+\sectd
+\pghsxn15840\pgwsxn12240
+\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440J\margmirsxn
+\headery720
+\footery720
+\titlepg
+\pgnrestart\pgnstarts1|pgndec
+{\headerr
+\trowd\trleft0
+clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf18446744073709551614\cellx279
+\pard\intbl
+\cell
+\tard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerl
+\trowd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\�ellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerf
+}
+{\footerr
+\trowd\trleft0
+\clvertalb
+\clbrdrT\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10Lbrdrcf2\cellx186
+\clvertalb
+\clbrdrt\brdvs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{footerl
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brd2cf2\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\row
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerf
+}
+{\*\bkmkstart id2754642}
+{\*\bkmkend i`2754642}
+\pard\qect
+\sectd
+\pghsxn1\pgwsxn12240
+\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440
+\margmirsxn
+\headery720\footery720
+\titlepg
+\pgncont\pgnlcrm
+{\headerr
+\trowd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+^clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerl
+\trowd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerf
+\trkwd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\b�drcf8\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerr
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+\cdrertal�VQbdqomA
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20\cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerl
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf3\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20|cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerf
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20\cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\*\bkmkstart toc_2e__2e__2e_id2754642}
+\pard\sb518\qj
+{\plain\f000000000000000000000000000000000000000000000000000000128\fs35\b\cf2
+Table of %nntentsmpUMjkI
+}
+\par
+{\*\bkmkend toc_2e__2e__2e_id2754642}
+\pard\sb291\li960\ri480\tldot\tx4920
+{\field{\*|fldinst HYPERLINK \\l id2884528}{\fldrslt
+{\plai~\f0\fs20cf2
+1. 
+}
+}}
+{\plain\f0\fs20\cf2
+ 
+}
+{\plain\f0\fs20\cf2
+\tab
+}
+{\plain\f0\fs20\cf2
+ 
+}
+{\field{\*\fldinst HYPERLINK \\n id2884528}{\fldrslt
+{\plain\f0\fs20\cf2
+{\field{\*\fldinst PAGEREF id2884528}{\fldrslt 0}}
+}
+}}
+\par
+\pard\sect
+\sectd
+\pghsxn15840\pgwsxn12240
+\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440
+\margmirsxn
+\headery720
+\footery720
+\titlepg
+\pgnrestart\pgnstarts1\pgndec
+{\headerr
+\trowd\trleft0
+\clvertalt
+\clbrdrb�brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\rou
+}
+{\footarl
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+mkend toc_2e__2e__2e_id2754642}
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain\f0\fs20\cf2
+\chpgn
+}
+Xcell
+\pard\intbl
+\cell
+\row
+}
+{\footerf
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20\cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+\󠁰par}
+\󠁰par}
+\row
+kbkmkend id2884--1888⁦84712918700}
+\󠁰par}
\ No newline at end of file
diff --git a/sw/qa/extras/layout/layout.cxx b/sw/qa/extras/layout/layout.cxx
index cb2e3e705ad7..ff7c509cc1ca 100644
--- a/sw/qa/extras/layout/layout.cxx
+++ b/sw/qa/extras/layout/layout.cxx
@@ -32,6 +32,7 @@ public:
     void testTdf109077();
     void testTdf109137();
     void testForcepoint76();
+    void testN4LA0OHZ();
     void testTdf118058();
     void testTdf117188();
     void testTdf119875();
@@ -51,6 +52,7 @@ public:
     CPPUNIT_TEST(testTdf109077);
     CPPUNIT_TEST(testTdf109137);
     CPPUNIT_TEST(testForcepoint76);
+    CPPUNIT_TEST(testN4LA0OHZ);
     CPPUNIT_TEST(testTdf118058);
     CPPUNIT_TEST(testTdf117188);
     CPPUNIT_TEST(testTdf119875);
@@ -249,6 +251,9 @@ void SwLayoutWriter::testTdf109137()
 //just care it doesn't crash/assert
 void SwLayoutWriter::testForcepoint76() { createDoc("forcepoint76-1.rtf"); }
 
+//just care it doesn't crash/assert
+void SwLayoutWriter::testN4LA0OHZ() { createDoc("LIBREOFFICE-N4LA0OHZ.rtf"); }
+
 void SwLayoutWriter::testTdf118058()
 {
     SwDoc* pDoc = createDoc("tdf118058.fodt");
diff --git a/sw/source/core/layout/tabfrm.cxx b/sw/source/core/layout/tabfrm.cxx
index ff891826b58d..c4f7838e2a30 100644
--- a/sw/source/core/layout/tabfrm.cxx
+++ b/sw/source/core/layout/tabfrm.cxx
@@ -2029,6 +2029,7 @@ void SwTabFrame::MakeAll(vcl::RenderContext* 
pRenderContext)
             }
             SwFootnoteBossFrame *pOldBoss = bFootnotesInDoc ? 
FindFootnoteBossFrame( true ) : nullptr;
             bool bReformat;
+            SwFrameDeleteGuard g(this);
             if ( MoveBwd( bReformat ) )
             {
                 aRectFnSet.Refresh(this);
commit e765bc72adac566544dabf920ea2333d67988144
Author:     Caolán McNamara <[email protected]>
AuthorDate: Fri Feb 25 12:33:13 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    lastPoint might be 0xFFFF
    
    LIBREOFFICE-KYYAZMB9
    
    Change-Id: Ic0d95bd39a01dc1e5e0fec83dcc2c40b3f23b747
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130462
    Tested-by: Jenkins
    Reviewed-by: Xisco Fauli <[email protected]>
    (cherry picked from commit 21ea1eacd214dbaac8d0ce7f437580d535871415)

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index bcb1ba251132..1e50634cb645 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -411,7 +411,7 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, 
sal_uInt32 glyphID, Contr
     const sal_uInt8* p = ptr + nOffset;
 
     const sal_uInt32 nBytesRemaining = nTableSize - nOffset;
-    const sal_uInt16 palen = lastPoint+1;
+    const sal_uInt32 palen = lastPoint+1;
 
     //at a minimum its one byte per entry
     if (palen > nBytesRemaining || lastPoint > nBytesRemaining-1)
commit dcca21ab8e4e0159877c065893fd38648fb060dc
Author:     Caolán McNamara <[email protected]>
AuthorDate: Tue Mar 1 10:39:34 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    fail more gracefully if m_aTmpPosition is empty
    
    LIBREOFFICE-N4LA0OHZ
    
    Change-Id: I7f863151f753ad5605c4f1f280cfd79aa4c6bce4
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130772
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit 02837024ea8d3d52c92420858327b309f2e96487)

diff --git a/writerfilter/source/dmapper/DomainMapperTableManager.cxx 
b/writerfilter/source/dmapper/DomainMapperTableManager.cxx
index dffcfa7b461f..66791f3d257e 100644
--- a/writerfilter/source/dmapper/DomainMapperTableManager.cxx
+++ b/writerfilter/source/dmapper/DomainMapperTableManager.cxx
@@ -520,6 +520,8 @@ void DomainMapperTableManager::endOfRowAction()
     // Compare the table position with the previous ones. We may need to split
     // into two tables if those are different. We surely don't want to do 
anything
     // if we don't have any row yet.
+    if (m_aTmpPosition.empty())
+        throw std::out_of_range("row without a position");
     TablePositionHandlerPtr pTmpPosition = m_aTmpPosition.back();
     TablePropertyMapPtr pTablePropMap = m_aTmpTableProperties.back( );
     TablePositionHandlerPtr pCurrentPosition = m_aTablePositions.back();
commit 3184033f3748c5f4481d1fe709a581d717f6f7aa
Author:     Caolán McNamara <[email protected]>
AuthorDate: Sat Feb 26 19:52:29 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    ofz#44991 don't skip over terminator
    
    Change-Id: Ibc942705a788db60c104d00916a45d595596285e
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130560
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit 4ac060fce70a4b116207d061efbb6185e6162d04)

diff --git a/hwpfilter/source/hcode.cxx b/hwpfilter/source/hcode.cxx
index 7dd7408ffe56..d650b2cb2013 100644
--- a/hwpfilter/source/hcode.cxx
+++ b/hwpfilter/source/hcode.cxx
@@ -1223,6 +1223,8 @@ hchar_string kstr2hstr(unsigned char const* src)
         {
             ret.push_back(src[i] << 8 | src[i+1]);
             i++;
+            if (src[i] == '\0')
+                break;
         }
     }
     return ret;
commit 93557b0f2eebc5b9bd180f486b67b33609145cbd
Author:     Caolán McNamara <[email protected]>
AuthorDate: Sun Feb 27 12:05:38 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    ofz#45081 check font length
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130635
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit 568753f4d867c4681b762b63f9b1254f56865da4)
    
    Change-Id: Ib8cea70652ae90403db3546c07d24a517b1ec93e

diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx
index fd6703e5a0b7..4af9c1b7cce1 100644
--- a/vcl/source/fontsubset/ttcr.cxx
+++ b/vcl/source/fontsubset/ttcr.cxx
@@ -25,6 +25,7 @@
 
 #include "ttcr.hxx"
 #include "list.h"
+#include <sal/log.hxx>
 #include <string.h>
 
 namespace vcl
@@ -1306,14 +1307,21 @@ static void ProcessTables(TrueTypeCreator *tt)
     do {
         GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist));
 
-        if (gd->compflag) {                       /* re-number all components 
*/
+        if (gd->compflag && gd->nbytes > 10) {    /* re-number all components 
*/
             sal_uInt16 flags, index;
             sal_uInt8 *ptr = gd->ptr + 10;
+            size_t nRemaining = gd->nbytes - 10;
             do {
-                sal_uInt32 j;
+                if (nRemaining < 4)
+                {
+                    SAL_WARN("vcl.fonts", "truncated font");
+                    break;
+                }
                 flags = GetUInt16(ptr, 0);
                 index = GetUInt16(ptr, 2);
+
                 /* XXX use the sorted array of old to new glyphID mapping and 
do a binary search */
+                sal_uInt32 j;
                 for (j = 0; j < nGlyphs; j++) {
                     if (gid[j] == index) {
                         break;
@@ -1324,20 +1332,32 @@ static void ProcessTables(TrueTypeCreator *tt)
                 PutUInt16(static_cast<sal_uInt16>(j), ptr, 2);
 
                 ptr += 4;
+                nRemaining -= 4;
 
+                sal_uInt32 nAdvance = 0;
                 if (flags & ARG_1_AND_2_ARE_WORDS) {
-                    ptr += 4;
+                    nAdvance += 4;
                 } else {
-                    ptr += 2;
+                    nAdvance += 2;
                 }
 
                 if (flags & WE_HAVE_A_SCALE) {
-                    ptr += 2;
+                    nAdvance += 2;
                 } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
-                    ptr += 4;
+                    nAdvance += 4;
                 } else if (flags & WE_HAVE_A_TWO_BY_TWO) {
-                    ptr += 8;
+                    nAdvance += 8;
                 }
+
+                if (nRemaining < nAdvance)
+                {
+                    SAL_WARN("vcl.fonts", "truncated font");
+                    break;
+                }
+
+                ptr += nAdvance;
+                nRemaining -= nAdvance;
+
             } while (flags & MORE_COMPONENTS);
         }
 
commit 3c4ede12f8a38aadd10aeed5a2bea26d7f513126
Author:     Caolán McNamara <[email protected]>
AuthorDate: Mon Feb 28 09:45:55 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    check if cast is to the right type
    
    LIBREOFFICE-311XVJ95
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130670
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit b44bd9ef8e2efdb66558917200e1f179b9db1c58)
    
    Change-Id: I159f516daafad3e4088677fe2c8c6f5423b3e264

diff --git a/drawinglayer/source/tools/emfphelperdata.cxx 
b/drawinglayer/source/tools/emfphelperdata.cxx
index b729c5a6611f..94778b1cbfe6 100644
--- a/drawinglayer/source/tools/emfphelperdata.cxx
+++ b/drawinglayer/source/tools/emfphelperdata.cxx
@@ -349,7 +349,7 @@ namespace emfplushelper
         }
         else // we use a pen
         {
-            const EMFPPen* pen = 
static_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get());
+            const EMFPPen* pen = 
dynamic_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get());
             if (pen)
             {
                 color = pen->GetColor();
@@ -534,7 +534,7 @@ namespace emfplushelper
         }
         else // use Brush
         {
-            EMFPBrush* brush = static_cast<EMFPBrush*>( 
maEMFPObjects[brushIndexOrColor & 0xff].get() );
+            EMFPBrush* brush = dynamic_cast<EMFPBrush*>( 
maEMFPObjects[brushIndexOrColor & 0xff].get() );
             SAL_INFO("drawinglayer", "EMF+\t Fill polygon, brush slot: " << 
brushIndexOrColor << " (brush type: " << (brush ? brush->GetType() : -1) << 
")");
 
             // give up in case something wrong happened
@@ -1032,7 +1032,11 @@ namespace emfplushelper
                         rMS.ReadUInt32(brushIndexOrColor);
                         SAL_INFO("drawinglayer", "EMF+ FillRegion slot: " << 
index);
 
-                        
EMFPPlusFillPolygon(static_cast<EMFPRegion*>(maEMFPObjects[flags & 
0xff].get())->regionPolyPolygon, flags & 0x8000, brushIndexOrColor);
+                        EMFPRegion* region = 
dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get());
+                        if (region)
+                            EMFPPlusFillPolygon(region->regionPolyPolygon, 
flags & 0x8000, brushIndexOrColor);
+                        else
+                            SAL_WARN("drawinglayer.emf", 
"EMF+\tEmfPlusRecordTypeFillRegion missing region");
                     }
                     break;
                     case EmfPlusRecordTypeDrawEllipse:
@@ -1209,9 +1213,10 @@ namespace emfplushelper
                         SAL_INFO("drawinglayer", "EMF+\tTODO: use image 
attributes");
 
                         // For DrawImage and DrawImagePoints, source unit of 
measurement type must be 1 pixel
-                        if (sourceUnit == UnitTypePixel && maEMFPObjects[flags 
& 0xff].get())
+                        if (EMFPImage* image = sourceUnit == UnitTypePixel ?
+                                dynamic_cast<EMFPImage*>(maEMFPObjects[flags & 
0xff].get()) :
+                                nullptr)
                         {
-                            EMFPImage& image = *static_cast<EMFPImage 
*>(maEMFPObjects[flags & 0xff].get());
                             float sx, sy, sw, sh;
                             ReadRectangle(rMS, sx, sy, sw, sh);
                             ::tools::Rectangle aSource(Point(sx, sy), Size(sw, 
sh));
@@ -1261,9 +1266,9 @@ namespace emfplushelper
                                 aDstPoint.getX(),
                                 aDstPoint.getY());
 
-                            if (image.type == ImageDataTypeBitmap)
+                            if (image->type == ImageDataTypeBitmap)
                             {
-                                BitmapEx aBmp(image.graphic.GetBitmapEx());
+                                BitmapEx aBmp(image->graphic.GetBitmapEx());
                                 aBmp.Crop(aSource);
                                 Size aSize(aBmp.GetSizePixel());
                                 SAL_INFO("drawinglayer", "EMF+\t bitmap size: 
" << aSize.Width() << "x" << aSize.Height());
@@ -1277,9 +1282,9 @@ namespace emfplushelper
                                     SAL_INFO("drawinglayer", "EMF+\t warning: 
empty bitmap");
                                 }
                             }
-                            else if (image.type == ImageDataTypeMetafile)
+                            else if (image->type == ImageDataTypeMetafile)
                             {
-                                GDIMetaFile 
aGDI(image.graphic.GetGDIMetaFile());
+                                GDIMetaFile 
aGDI(image->graphic.GetGDIMetaFile());
                                 aGDI.Clip(aSource);
                                 mrTargetHolders.Current().append(
                                         
o3tl::make_unique<drawinglayer::primitive2d::MetafilePrimitive2D>(aTransformMatrix,
 aGDI));
@@ -1313,7 +1318,7 @@ namespace emfplushelper
                             // get the stringFormat from the Object table ( 
this is OPTIONAL and may be nullptr )
                             const EMFPStringFormat *stringFormat = 
dynamic_cast<EMFPStringFormat*>(maEMFPObjects[formatId & 0xff].get());
                             // get the font from the flags
-                            const EMFPFont *font = static_cast< EMFPFont* >( 
maEMFPObjects[flags & 0xff].get() );
+                        const EMFPFont *font = 
dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get());
                             if (!font)
                             {
                                 break;
@@ -1676,7 +1681,7 @@ namespace emfplushelper
                         SAL_INFO("drawinglayer", "EMF+ SetClipPath combine 
mode: " << combineMode);
                         SAL_INFO("drawinglayer", "EMF+\tpath in slot: " << 
(flags & 0xff));
 
-                        EMFPPath *path = 
static_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get());
+                        EMFPPath *path = 
dynamic_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get());
                         if (!path)
                         {
                             break;
@@ -1693,7 +1698,7 @@ namespace emfplushelper
                         int combineMode = (flags >> 8) & 0xf;
                         SAL_INFO("drawinglayer", "EMF+ SetClipRegion");
                         SAL_INFO("drawinglayer", "EMF+\tregion in slot: " << 
(flags & 0xff) << " combine mode: " << combineMode);
-                        EMFPRegion *region = 
static_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get());
+                        EMFPRegion *region = 
dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get());
                         if (!region)
                         {
                             break;
@@ -1761,7 +1766,7 @@ namespace emfplushelper
                             }
 
                             // get the font from the flags
-                            EMFPFont *font = static_cast< EMFPFont* >( 
maEMFPObjects[flags & 0xff].get() );
+                            EMFPFont *font = 
dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get());
                             if (!font)
                             {
                                 break;
commit b9016fac29b894e48b5d4956da007661f66056d2
Author:     Caolán McNamara <[email protected]>
AuthorDate: Mon Feb 28 09:15:10 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:06 2022 +0100

    ensure null terminator
    
    LIBREOFFICE-WB8DT2Q9
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130668
    Reviewed-by: Michael Stahl <[email protected]>
    Tested-by: Jenkins
    (cherry picked from commit 4b6956ca146f25b746f63c176b377d3c15d204ff)
    
    Change-Id: I98529325bbd3ff475ba84b4991eb17240440df4b

diff --git a/sc/source/filter/lotus/op.cxx b/sc/source/filter/lotus/op.cxx
index 7dec5cfbd0d1..d2510ff5d1ab 100644
--- a/sc/source/filter/lotus/op.cxx
+++ b/sc/source/filter/lotus/op.cxx
@@ -580,14 +580,9 @@ void OP_SheetName123(LotusContext& rContext, SvStream& 
rStream, sal_uInt16 nLeng
     SCTAB nSheetNum = static_cast<SCTAB>(nDummy);
     rContext.pDoc->MakeTable(nSheetNum);
 
-    ::std::vector<sal_Char> sSheetName;
-    sSheetName.reserve(nLength-4);
-    for (sal_uInt16 i = 4; i < nLength; ++i)
-    {
-        sal_Char c;
-        rStream.ReadChar( c );
-        sSheetName.push_back(c);
-    }
+    const size_t nStrLen = nLength - 4;
+    std::vector<sal_Char> sSheetName(nStrLen + 1);
+    sSheetName[rStream.ReadBytes(sSheetName.data(), nStrLen)] = 0;
 
     if (!sSheetName.empty())
     {
commit 053413932fd798819242449602a08120b7936857
Author:     Caolán McNamara <[email protected]>
AuthorDate: Sat Feb 26 20:04:15 2022 +0000
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:05 2022 +0100

    ofz#44991 keep within legal ArrowShape range
    
    Change-Id: I6bf70f27a66ba9b355a3f7ae0c68a696a7284871
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130562
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <[email protected]>
    (cherry picked from commit 7171ec3e400505fbeead152718eebd5cc6c624d7)

diff --git a/hwpfilter/source/hwpreader.cxx b/hwpfilter/source/hwpreader.cxx
index ab400bac045c..6eac2ebb5f94 100644
--- a/hwpfilter/source/hwpreader.cxx
+++ b/hwpfilter/source/hwpreader.cxx
@@ -24,6 +24,7 @@
 #include <math.h>
 
 #include <osl/diagnose.h>
+#include <o3tl/safeint.hxx>
 #include <tools/stream.hxx>
 #include <comphelper/newarray.hxx>
 
@@ -460,7 +461,9 @@ void HwpReader::makeDrawMiscStyle( HWPDrawingObject *hdo )
         if( hdo->type == HWPDO_LINE || hdo->type == HWPDO_ARC || hdo->type == 
HWPDO_FREEFORM ||
             hdo->type == HWPDO_ADVANCED_ARC )
         {
-            if( prop->line_tstyle && !ArrowShape[prop->line_tstyle].bMade  )
+            if( prop->line_tstyle > 0 &&
+                o3tl::make_unsigned(prop->line_tstyle) < std::size(ArrowShape) 
&&
+                !ArrowShape[prop->line_tstyle].bMade  )
             {
                 ArrowShape[prop->line_tstyle].bMade = true;
                 padd("draw:name", sXML_CDATA,
@@ -484,7 +487,9 @@ void HwpReader::makeDrawMiscStyle( HWPDrawingObject *hdo )
                 mxList->clear();
                 rendEl("draw:marker");
             }
-            if( prop->line_hstyle && !ArrowShape[prop->line_hstyle].bMade)
+            if (prop->line_hstyle > 0 &&
+                o3tl::make_unsigned(prop->line_hstyle) < std::size(ArrowShape) 
&&
+                !ArrowShape[prop->line_hstyle].bMade)
             {
                 ArrowShape[prop->line_hstyle].bMade = true;
                 padd("draw:name", sXML_CDATA,
@@ -2041,7 +2046,8 @@ void HwpReader::makeDrawStyle( HWPDrawingObject * hdo, 
FBoxStyle * fstyle)
             hdo->type == HWPDO_FREEFORM || hdo->type == HWPDO_ADVANCED_ARC )
         {
 
-            if( hdo->property.line_tstyle > 0 )
+            if( hdo->property.line_tstyle > 0 &&
+                o3tl::make_unsigned(hdo->property.line_tstyle) < 
std::size(ArrowShape) )
             {
                 padd("draw:marker-start", sXML_CDATA,
                     ascii(ArrowShape[hdo->property.line_tstyle].name) );
@@ -2062,7 +2068,8 @@ void HwpReader::makeDrawStyle( HWPDrawingObject * hdo, 
FBoxStyle * fstyle)
                               Double2Str( WTMM(hdo->property.line_width * 7)) 
+ "mm");
             }
 
-            if( hdo->property.line_hstyle > 0 )
+            if( hdo->property.line_hstyle > 0 &&
+                o3tl::make_unsigned(hdo->property.line_hstyle) < 
std::size(ArrowShape) )
             {
                 padd("draw:marker-end", sXML_CDATA,
                     ascii(ArrowShape[hdo->property.line_hstyle].name) );
commit a4f877d1d42dd8bb2c9fe50d1fbdbbbe15a160b8
Author:     Stephan Bergmann <[email protected]>
AuthorDate: Thu Jan 9 19:43:23 2020 +0100
Commit:     Michael Stahl <[email protected]>
CommitDate: Thu Mar 3 13:38:05 2022 +0100

    Introduce o3tl::make_unsigned to cast from signed to unsigned type
    
    ...without having to spell out a specific type to cast to (and also making 
it
    more obvious what the intend of such a cast is)
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86502
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <[email protected]>
    (cherry picked from commit 6417668b3e12d9659ac5dc4a2f60aa8ad3bca675)
    
    Change-Id: Id9c68b856a4ee52e5a40d15dc9d83e95d1c231cd

diff --git a/include/o3tl/safeint.hxx b/include/o3tl/safeint.hxx
index fa08b6dfc899..b65b93e0a541 100644
--- a/include/o3tl/safeint.hxx
+++ b/include/o3tl/safeint.hxx
@@ -12,6 +12,7 @@
 
 #include <sal/config.h>
 
+#include <cassert>
 #include <limits>
 #include <type_traits>
 
@@ -226,6 +227,13 @@ template<typename T> inline typename 
std::enable_if<std::is_unsigned<T>::value,
 
 #endif
 
+template<typename T> constexpr std::enable_if_t<std::is_signed_v<T>, 
std::make_unsigned_t<T>>
+make_unsigned(T value)
+{
+    assert(value >= 0);
+    return value;
+}
+
 }
 
 #endif

Reply via email to