sc/source/ui/view/output.cxx | 7 +++++++ svx/source/dialog/framelinkarray.cxx | 11 +++++++++++ 2 files changed, 18 insertions(+)
New commits: commit e7f7880cda82dd64488579650cbfef31f063eaaf Author: Andras Timar <[email protected]> AuthorDate: Thu Mar 5 14:04:27 2026 +0100 Commit: Miklos Vajna <[email protected]> CommitDate: Fri Mar 6 09:13:06 2026 +0100 fix crash in CreateB2DPrimitiveRange due to out-of-bounds array access Add bounds validation in CreateB2DPrimitiveRange to bail out when row/column indices exceed the array dimensions. Guard against size_t underflow in DrawFrame when the frame array has fewer than 3 rows or columns. Change-Id: I0f3a7b8c2d1e4f6a9b0c3d5e7f8a1b2c4d6e8f0a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/201030 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> diff --git a/sc/source/ui/view/output.cxx b/sc/source/ui/view/output.cxx index 981dbf1905da..ae49a77a54dc 100644 --- a/sc/source/ui/view/output.cxx +++ b/sc/source/ui/view/output.cxx @@ -1555,6 +1555,13 @@ void ScOutputData::DrawFrame(vcl::RenderContext& rRenderContext) // *** draw the array *** + if (nColCount < 3 || nRowCount < 3) + { + SAL_WARN("sc.ui", "DrawFrame: unexpected array size:" + " nColCount=" << nColCount << " nRowCount=" << nRowCount); + return; + } + size_t nFirstCol = 1; size_t nFirstRow = 1; size_t nLastCol = nColCount - 2; diff --git a/svx/source/dialog/framelinkarray.cxx b/svx/source/dialog/framelinkarray.cxx index e1b420762f3b..e8d00b862196 100644 --- a/svx/source/dialog/framelinkarray.cxx +++ b/svx/source/dialog/framelinkarray.cxx @@ -24,6 +24,7 @@ #include <unordered_set> #include <algorithm> #include <o3tl/hash_combine.hxx> +#include <sal/log.hxx> #include <tools/debug.hxx> #include <tools/gen.hxx> #include <vcl/canvastools.hxx> @@ -1405,6 +1406,16 @@ drawinglayer::primitive2d::Primitive2DContainer Array::CreateB2DPrimitiveRange( DBG_FRAME_CHECK_COLROW( nFirstCol, nFirstRow, "CreateB2DPrimitiveRange" ); DBG_FRAME_CHECK_COLROW( nLastCol, nLastRow, "CreateB2DPrimitiveRange" ); + // Bail out if indices are out of range + if (nFirstCol < 0 || nFirstRow < 0 || nLastCol >= GetColCount() || nLastRow >= GetRowCount()) + { + SAL_WARN("svx.dialog", "CreateB2DPrimitiveRange indices out of range: " + "nFirstCol=" << nFirstCol << " nFirstRow=" << nFirstRow + << " nLastCol=" << nLastCol << " nLastRow=" << nLastRow + << " ColCount=" << GetColCount() << " RowCount=" << GetRowCount()); + return drawinglayer::primitive2d::Primitive2DContainer(); + } + #ifdef OPTICAL_CHECK_CLIPRANGE_FOR_MERGED_CELL std::vector<basegfx::B2DRange> aClipRanges; #endif
