sc/source/filter/html/htmlpars.cxx | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-)
New commits: commit 1faaae3236ca0ab8a64be9b9216e21c53720eb32 Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Sat Mar 23 15:19:04 2024 +0000 Commit: Miklos Vajna <vmik...@collabora.com> CommitDate: Fri Apr 5 08:57:00 2024 +0200 ofz#67577 Integer-overflow Change-Id: I3828bb76ab7808ac0717b33c231927730216b42b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165216 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com> (cherry picked from commit 035f87f7ed8775c30c6f84d7d02bc72a66182c63) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165760 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> Reviewed-by: Miklos Vajna <vmik...@collabora.com> diff --git a/sc/source/filter/html/htmlpars.cxx b/sc/source/filter/html/htmlpars.cxx index cde3c2836c6b..d1fcdf335a82 100644 --- a/sc/source/filter/html/htmlpars.cxx +++ b/sc/source/filter/html/htmlpars.cxx @@ -539,8 +539,20 @@ void ScHTMLLayoutParser::SkipLocked( ScEEParseEntry* pE, bool bJoin ) // Or else this would create a wrong value at ScAddress (chance for an infinite loop)! bool bBadCol = false; bool bAgain; - ScRange aRange( pE->nCol, pE->nRow, 0, - pE->nCol + pE->nColOverlap - 1, pE->nRow + pE->nRowOverlap - 1, 0 ); + + SCCOL nEndCol(0); + SCROW nEndRow(0); + bool bFail = o3tl::checked_add<SCCOL>(pE->nCol, pE->nColOverlap - 1, nEndCol) || + o3tl::checked_add<SCROW>(pE->nRow, pE->nRowOverlap - 1, nEndRow); + + if (bFail) + { + SAL_WARN("sc", "invalid range: " << pE->nCol << " " << pE->nColOverlap << + " " << pE->nRow << " " << pE->nRowOverlap); + return; + } + + ScRange aRange(pE->nCol, pE->nRow, 0, nEndCol, nEndRow, 0); do { bAgain = false;