basic/source/comp/codegen.cxx | 6 ++ chart2/source/view/main/GL3DRenderer.cxx | 2 framework/source/uielement/popuptoolbarcontroller.cxx | 3 - framework/source/uielement/toolbarsmenucontroller.cxx | 13 +++-- i18npool/source/search/levdis.cxx | 41 ++---------------- i18npool/source/search/levdis.hxx | 33 ++++++++++++++ sc/source/core/data/formulacell.cxx | 3 - sw/source/core/access/acccontext.cxx | 6 +- sw/source/core/crsr/swcrsr.cxx | 2 sw/source/core/frmedt/tblsel.cxx | 5 +- 10 files changed, 66 insertions(+), 48 deletions(-)
New commits: commit 6f019bea96e93c127ccd695d381647b48d06d710 Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 21:07:39 2014 +0100 coverity#1213254 Out-of-bounds read surely this was the intent Change-Id: I78002adebf78674259e6c63e0e3449882accdb5d diff --git a/chart2/source/view/main/GL3DRenderer.cxx b/chart2/source/view/main/GL3DRenderer.cxx index 686413d..abb41b0 100644 --- a/chart2/source/view/main/GL3DRenderer.cxx +++ b/chart2/source/view/main/GL3DRenderer.cxx @@ -823,7 +823,7 @@ void OpenGL3DRenderer::Set3DSenceInfo(sal_uInt32 nColor, bool twoSidesLighting) void OpenGL3DRenderer::SetLightInfo(bool lightOn, sal_uInt32 nColor, const glm::vec4& direction) { - if (m_LightsInfo.lightNum > MAX_LIGHT_NUM) + if (m_LightsInfo.lightNum >= MAX_LIGHT_NUM) { return; } commit bb7dad11e1701c295f6fe9f768f267d094d11ece Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 21:03:18 2014 +0100 coverity#1213242 Dereference null return value Change-Id: I23ce35dbeadca1eea4c67d7d70acbf5ce3a82ac8 diff --git a/framework/source/uielement/popuptoolbarcontroller.cxx b/framework/source/uielement/popuptoolbarcontroller.cxx index b324557..4f0c75c 100644 --- a/framework/source/uielement/popuptoolbarcontroller.cxx +++ b/framework/source/uielement/popuptoolbarcontroller.cxx @@ -436,7 +436,8 @@ throw ( css::uno::RuntimeException, std::exception ) ( VCLXPopupMenu * ) VCLXMenu::GetImplementation( m_xPopupMenu ); SolarMutexGuard aSolarMutexGuard; - PopupMenu* pVCLPopupMenu = dynamic_cast< PopupMenu * >( pTkPopupMenu->GetMenu() ); + PopupMenu* pVCLPopupMenu = pTkPopupMenu ? + dynamic_cast< PopupMenu * >( pTkPopupMenu->GetMenu() ) : NULL; if ( pVCLPopupMenu ) pMenuAttributes = reinterpret_cast< MenuConfiguration::Attributes* >( pVCLPopupMenu->GetUserValue( pVCLPopupMenu->GetCurItemId() ) ); commit 6903b8480956e50a155b42fa42807fb32452bed4 Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 21:02:03 2014 +0100 coverity#1213244 Dereference null return value Change-Id: I729baf2bec5849a4323550aacb9b789db78e72b3 diff --git a/sc/source/core/data/formulacell.cxx b/sc/source/core/data/formulacell.cxx index 78c847e..ec07bde 100644 --- a/sc/source/core/data/formulacell.cxx +++ b/sc/source/core/data/formulacell.cxx @@ -3754,10 +3754,11 @@ bool ScFormulaCell::InterpretInvariantFormulaGroup() aTmpPos.SetRow(mxGroup->mpTopCell->aPos.Row() + i); ScFormulaCell* pCell = pDocument->GetFormulaCell(aTmpPos); assert( pCell != NULL ); + if (!pCell) + continue; // FIXME: this set of horrors is unclear to me ... certainly // the above GetCell is profoundly nasty & slow ... - // Ensure the cell truly has a result: pCell->aResult = aResult; pCell->ResetDirty(); commit 5c3eaed8acdd9d9677833547b2ab206574ee45b8 Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 20:58:59 2014 +0100 coverity#705490 Dereference null return value Change-Id: Iac4178e7f751cba0b4a135dc9d840234d96ccfa2 diff --git a/sw/source/core/frmedt/tblsel.cxx b/sw/source/core/frmedt/tblsel.cxx index ce5ad30..b4ae800 100644 --- a/sw/source/core/frmedt/tblsel.cxx +++ b/sw/source/core/frmedt/tblsel.cxx @@ -1712,7 +1712,8 @@ static void lcl_FindStartEndCol( const SwLayoutFrm *&rpStart, { pTmpTab = pTmpTab->GetFollow(); rpStart = pTmpTab->FirstCell(); - while ( (rpStart->Frm().*fnRect->fnGetLeft)() < nSX && + while ( rpStart && + (rpStart->Frm().*fnRect->fnGetLeft)() < nSX && (rpStart->Frm().*fnRect->fnGetRight)()< nSX2 ) rpStart = rpStart->GetNextLayoutLeaf(); } @@ -1801,7 +1802,7 @@ void MakeSelUnions( SwSelUnions& rUnions, const SwLayoutFrm *pStart, else if( nsSwTblSearchType::TBLSEARCH_COL == ((~nsSwTblSearchType::TBLSEARCH_PROTECT ) & eSearchType ) ) ::lcl_FindStartEndCol( pStart, pEnd, nsSwTblSearchType::TBLSEARCH_PROTECT & eSearchType ); - if ( !pEnd ) return; // Made code robust. + if ( !pEnd || !pStart ) return; // Made code robust. // retrieve again, as they have been moved pTable = pStart->FindTabFrm(); commit 6093787ceb22456f90cf6585cf24a57c67d019fb Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 20:56:02 2014 +0100 coverity#705484 Dereference null return value Change-Id: I8ba236e64994c6e37e1a782cc911df57cb902f86 diff --git a/sw/source/core/crsr/swcrsr.cxx b/sw/source/core/crsr/swcrsr.cxx index cfd5cb1..3233cd0 100644 --- a/sw/source/core/crsr/swcrsr.cxx +++ b/sw/source/core/crsr/swcrsr.cxx @@ -2218,7 +2218,7 @@ SwCursor* SwTableCursor::MakeBoxSels( SwCursor* pAktCrsr ) if( !( pNd = &pPos->nNode.GetNode())->IsCntntNode() ) pNd = rNds.GoPrevSection( &pPos->nNode, true, false ); - pPos->nContent.Assign( (SwCntntNode*)pNd, ((SwCntntNode*)pNd)->Len() ); + pPos->nContent.Assign((SwCntntNode*)pNd, pNd ? ((SwCntntNode*)pNd)->Len() : 0); } } return pAktCrsr; commit 035d62ef915ac8bd0b93fac45f7cb228ade25c19 Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 20:46:20 2014 +0100 coverity#705482 Dereference null return value Change-Id: Id50d79c2dddc3105821703fb9773128c0cc6f2f3 diff --git a/sw/source/core/access/acccontext.cxx b/sw/source/core/access/acccontext.cxx index e12f4ae..1e84758 100644 --- a/sw/source/core/access/acccontext.cxx +++ b/sw/source/core/access/acccontext.cxx @@ -906,8 +906,10 @@ awt::Point SAL_CALL SwAccessibleContext::getLocationOnScreen() Point aPixPos(aRect.X, aRect.Y); - /* getBoundsImpl already checked that GetWindow returns valid pointer. */ - aPixPos = GetWindow()->OutputToAbsoluteScreenPixel(aPixPos); + Window *pWin = GetWindow(); + CHECK_FOR_WINDOW( XAccessibleComponent, pWin ) + + aPixPos = pWin->OutputToAbsoluteScreenPixel(aPixPos); awt::Point aPoint(aPixPos.getX(), aPixPos.getY()); return aPoint; commit 9f09218d4e9f931e8d2d519872a5fe72f06f529b Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 20:41:00 2014 +0100 coverity#441006 Dereference null return value Change-Id: I6c00db53ce507dacbf6032dbe4d41d806740be62 diff --git a/framework/source/uielement/toolbarsmenucontroller.cxx b/framework/source/uielement/toolbarsmenucontroller.cxx index cca476f..5321064 100644 --- a/framework/source/uielement/toolbarsmenucontroller.cxx +++ b/framework/source/uielement/toolbarsmenucontroller.cxx @@ -445,9 +445,10 @@ void ToolbarsMenuController::fillPopupMenu( Reference< css::awt::XPopupMenu >& r { SolarMutexGuard aGuard; VCLXPopupMenu* pXPopupMenu = (VCLXPopupMenu *)VCLXMenu::GetImplementation( m_xPopupMenu ); - PopupMenu* pVCLPopupMenu = (PopupMenu *)pXPopupMenu->GetMenu(); - - pVCLPopupMenu->SetUserValue( nIndex, sal_uIntPtr( aSortedTbs[i].bContextSensitive ? 1L : 0L )); + PopupMenu* pVCLPopupMenu = pXPopupMenu ? (PopupMenu *)pXPopupMenu->GetMenu() : NULL; + assert(pVCLPopupMenu); + if (pVCLPopupMenu) + pVCLPopupMenu->SetUserValue( nIndex, sal_uIntPtr( aSortedTbs[i].bContextSensitive ? 1L : 0L )); } // use VCL popup menu pointer to set vital information that are not part of the awt implementation commit 0ac3a94c9f7bffe27ec1e07c4cc73cf2425b3898 Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 20:39:53 2014 +0100 coverity#440876 Dereference null return value Change-Id: I7d00c3a3c1a12176e4b1ab74712aabeb2f1cf90e diff --git a/framework/source/uielement/toolbarsmenucontroller.cxx b/framework/source/uielement/toolbarsmenucontroller.cxx index a90b597..cca476f 100644 --- a/framework/source/uielement/toolbarsmenucontroller.cxx +++ b/framework/source/uielement/toolbarsmenucontroller.cxx @@ -556,7 +556,11 @@ void SAL_CALL ToolbarsMenuController::statusChanged( const FeatureStateEvent& Ev { SolarMutexGuard aGuard; VCLXPopupMenu* pXPopupMenu = (VCLXPopupMenu *)VCLXMenu::GetImplementation( xPopupMenu ); - PopupMenu* pVCLPopupMenu = (PopupMenu *)pXPopupMenu->GetMenu(); + PopupMenu* pVCLPopupMenu = pXPopupMenu ? (PopupMenu *)pXPopupMenu->GetMenu() : NULL; + + assert(pVCLPopupMenu); + if (!pVCLPopupMenu) + return; for ( sal_uInt16 i = 0; i < pVCLPopupMenu->GetItemCount(); i++ ) { commit 9831dc20ab35bfe962f35d9033a3812be745a958 Author: Caolán McNamara <caol...@redhat.com> Date: Tue May 13 20:38:21 2014 +0100 coverity#441607 Dereference null return value Change-Id: Ibec5bb74a708786e71f9e9a53be71e9cc50c5b69 diff --git a/basic/source/comp/codegen.cxx b/basic/source/comp/codegen.cxx index 70fdc55..d71c843 100644 --- a/basic/source/comp/codegen.cxx +++ b/basic/source/comp/codegen.cxx @@ -334,9 +334,13 @@ void SbiCodeGen::Save() { nUserData |= PARAM_INFO_WITHBRACKETS; } + SbxParamInfo* pParam = NULL; if( nUserData ) { - SbxParamInfo* pParam = (SbxParamInfo*)pInfo->GetParam( i ); + pParam = (SbxParamInfo*)pInfo->GetParam( i ); + } + if( pParam ) + { pParam->nUserData = nUserData; } } commit 6d1ee0f6fb40cbdac48abde99d4d41b50c4f0fcf Author: Caolán McNamara <caol...@redhat.com> Date: Wed May 14 20:54:43 2014 +0100 coverity#1209074 Same on both sides Change-Id: I2c02ca45ed12ed571a175fb82bc2478eeb02f31f diff --git a/i18npool/source/search/levdis.cxx b/i18npool/source/search/levdis.cxx index 12ba7a1..9af4430 100644 --- a/i18npool/source/search/levdis.cxx +++ b/i18npool/source/search/levdis.cxx @@ -70,35 +70,6 @@ #define LEVDISBIG (nLimit + 1) // Return value if distance > nLimit #define LEVDISDOUBLEBUF 2048 // dadrueber wird nicht mehr gedoppelt -// Balance, aus Geschwindigkeitsgruenden ist dieses keine Funktion -// c == cpPattern[jj] == cString[ii] -// erst wird bis Fundstelle gesucht, wenn dort die Balance gleich ist, wird -// auch nach der Fundstelle verglichen -#define LEVDISBALANCE(jj,ii) \ -{ \ - if ( jj != ii ) \ - { \ - sal_Int32 k; \ - if ( jj > 0 ) \ - for ( k=0; k < jj; k++ ) \ - if ( cpPattern[k] == c ) \ - nBalance++; \ - if ( ii > 0 ) \ - for ( k=0; k < ii; k++ ) \ - if ( cString[k] == c ) \ - nBalance--; \ - if ( !nBalance ) \ - { \ - for ( k=jj+1; k < nPatternLen; k++ ) \ - if ( cpPattern[k] == c ) \ - nBalance++; \ - for ( k=ii+1; k < nStringLen; k++ ) \ - if ( cString[k] == c ) \ - nBalance--; \ - } \ - } \ -} - static sal_Int32 Impl_WLD_StringLen( const sal_Unicode* pStr ) { const sal_Unicode* pTempStr = pStr; @@ -178,8 +149,8 @@ int WLevDistance::WLD( const sal_Unicode* cString, sal_Int32 nStringLen ) } else if ( nReplacePos > 0 && !nP ) { - int nBalance = 0; // gleiche Anzahl c - LEVDISBALANCE( 0, i-1 ); + // gleiche Anzahl c + int nBalance = levdisbalance( 0, i-1, c, cString, nStringLen ); if ( !nBalance ) { // einer wurde ersetzt, der ein Insert war nRepS--; @@ -230,8 +201,8 @@ int WLevDistance::WLD( const sal_Unicode* cString, sal_Int32 nStringLen ) nPij = 0; // p(i,j) if ( nReplacePos < 0 ) { - int nBalance = 0; // same quantity c - LEVDISBALANCE( j, i-1 ); + // same quantity c + int nBalance = levdisbalance( j, i-1, c, cString, nStringLen ); if ( !nBalance ) nReplacePos = 0; // keine Ersetzung mehr } @@ -259,8 +230,8 @@ int WLevDistance::WLD( const sal_Unicode* cString, sal_Int32 nStringLen ) // Replace keins. Buchstabendreher werden hier erfasst // und der ReplaceS zurueckgenommen, wodurch das doppelte // Limit zum Tragen kommt. - int nBalance = 0; // same quantity c - LEVDISBALANCE( j, i-1 ); + // same quantity c + int nBalance = levdisbalance( j, i-1, c, cString, nStringLen ); if ( !nBalance ) { // einer wurde ersetzt, der ein Insert war nRepS--; diff --git a/i18npool/source/search/levdis.hxx b/i18npool/source/search/levdis.hxx index f27e2fc..a9f7407 100644 --- a/i18npool/source/search/levdis.hxx +++ b/i18npool/source/search/levdis.hxx @@ -165,6 +165,39 @@ public: // SetSplit( TRUE ) macht nur mit Werten nach CalcLPQR() Sinn! inline bool IsNormal( sal_Int32 nPos ) const { return( !bpPatIsWild[nPos] ); } + + // Balance, aus Geschwindigkeitsgruenden ist dieses keine Funktion + // c == cpPattern[jj] == cString[ii] + // erst wird bis Fundstelle gesucht, wenn dort die Balance gleich ist, wird + // auch nach der Fundstelle verglichen + int levdisbalance(sal_Int32 jj, sal_Int32 ii, sal_Unicode c, const sal_Unicode* cString, sal_Int32 nStringLen) + { + int nBalance = 0; + + if ( jj != ii ) + { + sal_Int32 k; + if ( jj > 0 ) + for ( k=0; k < jj; k++ ) + if ( cpPattern[k] == c ) + nBalance++; + if ( ii > 0 ) + for ( k=0; k < ii; k++ ) + if ( cString[k] == c ) + nBalance--; + if ( !nBalance ) + { + for ( k=jj+1; k < nPatternLen; k++ ) + if ( cpPattern[k] == c ) + nBalance++; + for ( k=ii+1; k < nStringLen; k++ ) + if ( cString[k] == c ) + nBalance--; + } + } + + return nBalance; + } }; inline int WLevDistance::SetLimit( int nNewLimit )
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits