sw/qa/core/data/ooxml/pass/fdo78906.docx |binary vcl/generic/glyphs/scrptrun.cxx | 9 ++++++++- 2 files changed, 8 insertions(+), 1 deletion(-)
New commits: commit 14ce4b337232f8fb21cc67e7a2844a7de81dfc4c Author: Umesh Kadam <umesh.ka...@synerzip.com> Date: Thu May 29 12:59:13 2014 +0530 fdo#78906 : File crashes while opening. Handled a memory corruption. Change-Id: I195d17bcd0a9a86bcc96cc7ad14f1d5f2908cf8c Reviewed-on: https://gerrit.libreoffice.org/9545 Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> diff --git a/sw/qa/core/data/ooxml/pass/fdo78906.docx b/sw/qa/core/data/ooxml/pass/fdo78906.docx new file mode 100644 index 0000000..1a6c6ea Binary files /dev/null and b/sw/qa/core/data/ooxml/pass/fdo78906.docx differ diff --git a/vcl/generic/glyphs/scrptrun.cxx b/vcl/generic/glyphs/scrptrun.cxx index 9e8eef0..f72d296 100644 --- a/vcl/generic/glyphs/scrptrun.cxx +++ b/vcl/generic/glyphs/scrptrun.cxx @@ -207,7 +207,14 @@ UBool ScriptRun::next() // pop it from the stack if (pairIndex >= 0 && (pairIndex & 1) != 0 && parenSP >= 0) { parenSP -= 1; - startSP -= 1; + /* decrement startSP only if it is >= 0, + decrementing it unnecessarily will lead to memory corruption + while processing the above while block. + e.g. startSP = -4 , parenSP = -1 + */ + if (startSP >= 0) { + startSP -= 1; + } } } else { // if the run broke on a surrogate pair,
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits