cui/source/tabpages/numfmt.cxx | 18 ++++++++++--- svl/source/numbers/zformat.cxx | 56 +++++++++++++++++++++++------------------ 2 files changed, 47 insertions(+), 27 deletions(-)
New commits: commit f3e7a49e2c7ea235b724c157f8d05a23c675913a Author: Eike Rathke <er...@redhat.com> Date: Mon Aug 18 14:09:20 2014 +0200 prevent out-of-bounds string access ... while entering a * star symbol format code and there's no fill character following the * yet, for example "xxx"* (cherry picked from commit 839cc63e7d1b78c56e04bafb46037e898ce2c455) more out-of-bounds string accesses (cherry picked from commit 349c93e0f5c9f231b2ff6854fcb795ca5881ca2d) Change-Id: I006f125ceefccba6a95ea033fd434d98e5d4f1c2 Reviewed-on: https://gerrit.libreoffice.org/10994 Reviewed-by: David Tardon <dtar...@redhat.com> Tested-by: David Tardon <dtar...@redhat.com> diff --git a/cui/source/tabpages/numfmt.cxx b/cui/source/tabpages/numfmt.cxx index 52d2356..d4af55c 100644 --- a/cui/source/tabpages/numfmt.cxx +++ b/cui/source/tabpages/numfmt.cxx @@ -112,9 +112,21 @@ void SvxNumberPreview::NotifyChange( const OUString& rPrevStr, mnPos = aPrevStr.indexOf( 0x1B ); if ( mnPos != -1 ) { - mnChar = aPrevStr[ mnPos + 1 ]; - // delete placeholder and char to repeat - aPrevStr = aPrevStr.replaceAt( mnPos, 2, "" ); + // Right during user input the star symbol is the very + // last character before the user enters another one. + if (mnPos < aPrevStr.getLength() - 1) + { + mnChar = aPrevStr[ mnPos + 1 ]; + // delete placeholder and char to repeat + aPrevStr = aPrevStr.replaceAt( mnPos, 2, "" ); + } + else + { + // delete placeholder + aPrevStr = aPrevStr.replaceAt( mnPos, 1, "" ); + // do not attempt to draw a 0 fill character + mnPos = -1; + } } svtools::ColorConfig aColorConfig; Color aWindowTextColor( aColorConfig.GetColorValue( svtools::FONTCOLOR ).nColor ); diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx index ef94a23..a48c029 100644 --- a/svl/source/numbers/zformat.cxx +++ b/svl/source/numbers/zformat.cxx @@ -2241,6 +2241,30 @@ short SvNumberformat::ImpCheckCondition(double& fNumber, } } +static bool lcl_appendStarFillChar( OUStringBuffer& rBuf, const OUString& rStr ) +{ + // Right during user input the star symbol is the very + // last character before the user enters another one. + if (rStr.getLength() > 1) + { + rBuf.append((sal_Unicode) 0x1B); + rBuf.append(rStr[1]); + return true; + } + return false; +} + +static bool lcl_insertStarFillChar( OUStringBuffer& rBuf, sal_Int32 nPos, const OUString& rStr ) +{ + if (rStr.getLength() > 1) + { + rBuf.insert( nPos, rStr[1]); + rBuf.insert( nPos, (sal_Unicode) 0x1B); + return true; + } + return false; +} + bool SvNumberformat::GetOutputString(const OUString& sString, OUString& OutString, Color** ppColor) @@ -2273,9 +2297,7 @@ bool SvNumberformat::GetOutputString(const OUString& sString, case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sOutBuff.append((sal_Unicode) 0x1B); - sOutBuff.append(rInfo.sStrArray[i][1]); - bRes = true; + bRes = lcl_appendStarFillChar( sOutBuff, rInfo.sStrArray[i]); } break; case NF_SYMBOLTYPE_BLANK: @@ -2588,9 +2610,7 @@ bool SvNumberformat::GetOutputString(double fNumber, case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sBuff.append((sal_Unicode) 0x1B); - sBuff.append(rInfo.sStrArray[i][1]); - bRes = true; + bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]); } break; case NF_SYMBOLTYPE_BLANK: @@ -3214,9 +3234,7 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber, case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sBuff.append((sal_Unicode)0x1B); - sBuff.append(rInfo.sStrArray[i][1]); - bRes = true; + bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]); } break; case NF_SYMBOLTYPE_BLANK: @@ -3712,9 +3730,7 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber, case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sBuff.append((sal_Unicode) 0x1B); - sBuff.append(rInfo.sStrArray[i][1]); - bRes = true; + bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]); } break; case NF_SYMBOLTYPE_BLANK: @@ -4007,9 +4023,7 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber, case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sBuff.append((sal_Unicode) 0x1B); - sBuff.append(rInfo.sStrArray[i][1]); - bRes = true; + bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]); } break; case NF_SYMBOLTYPE_BLANK: @@ -4340,9 +4354,7 @@ bool SvNumberformat::ImpGetNumberOutput(double fNumber, case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sStr.insert(k, rInfo.sStrArray[j][1]); - sStr.insert(k, (sal_Unicode) 0x1B); - bRes = true; + bRes = lcl_insertStarFillChar( sStr, k, rInfo.sStrArray[j]); } break; case NF_SYMBOLTYPE_BLANK: @@ -4475,9 +4487,7 @@ bool SvNumberformat::ImpNumberFillWithThousands( OUStringBuffer& sBuff, // numb case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sBuff.insert(k, rInfo.sStrArray[j][1]); - sBuff.insert(k, (sal_Unicode) 0x1B); - bRes = true; + bRes = lcl_insertStarFillChar( sBuff, k, rInfo.sStrArray[j]); } break; case NF_SYMBOLTYPE_BLANK: @@ -4651,9 +4661,7 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer& sBuff, // number string case NF_SYMBOLTYPE_STAR: if( bStarFlag ) { - sBuff.insert(k, rInfo.sStrArray[j][1]); - sBuff.insert(k, sal_Unicode(0x1B)); - bRes = true; + bRes = lcl_insertStarFillChar( sBuff, k, rInfo.sStrArray[j]); } break; case NF_SYMBOLTYPE_BLANK: _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits