sc/source/filter/html/htmlpars.cxx | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
New commits:
commit 1faaae3236ca0ab8a64be9b9216e21c53720eb32
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Sat Mar 23 15:19:04 2024 +0000
Commit: Miklos Vajna <vmik...@collabora.com>
CommitDate: Fri Apr 5 08:57:00 2024 +0200
ofz#67577 Integer-overflow
Change-Id: I3828bb76ab7808ac0717b33c231927730216b42b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165216
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
(cherry picked from commit 035f87f7ed8775c30c6f84d7d02bc72a66182c63)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165760
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Miklos Vajna <vmik...@collabora.com>
diff --git a/sc/source/filter/html/htmlpars.cxx
b/sc/source/filter/html/htmlpars.cxx
index cde3c2836c6b..d1fcdf335a82 100644
--- a/sc/source/filter/html/htmlpars.cxx
+++ b/sc/source/filter/html/htmlpars.cxx
@@ -539,8 +539,20 @@ void ScHTMLLayoutParser::SkipLocked( ScEEParseEntry* pE,
bool bJoin )
// Or else this would create a wrong value at ScAddress (chance for an
infinite loop)!
bool bBadCol = false;
bool bAgain;
- ScRange aRange( pE->nCol, pE->nRow, 0,
- pE->nCol + pE->nColOverlap - 1, pE->nRow + pE->nRowOverlap - 1, 0 );
+
+ SCCOL nEndCol(0);
+ SCROW nEndRow(0);
+ bool bFail = o3tl::checked_add<SCCOL>(pE->nCol, pE->nColOverlap - 1,
nEndCol) ||
+ o3tl::checked_add<SCROW>(pE->nRow, pE->nRowOverlap - 1,
nEndRow);
+
+ if (bFail)
+ {
+ SAL_WARN("sc", "invalid range: " << pE->nCol << " " << pE->nColOverlap
<<
+ " " << pE->nRow << " " <<
pE->nRowOverlap);
+ return;
+ }
+
+ ScRange aRange(pE->nCol, pE->nRow, 0, nEndCol, nEndRow, 0);
do
{
bAgain = false;
