drawinglayer/source/tools/emfphelperdata.cxx | 31 - hwpfilter/source/drawing.h | 13 hwpfilter/source/hcode.cxx | 2 hwpfilter/source/hwpfile.cxx | 9 hwpfilter/source/hwpfile.h | 2 hwpfilter/source/hwpread.cxx | 20 hwpfilter/source/hwpreader.cxx | 15 include/o3tl/safeint.hxx | 8 sc/source/filter/lotus/op.cxx | 11 sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf | 347 +++++++++++++++ sw/qa/extras/layout/layout.cxx | 3 sw/source/core/layout/tabfrm.cxx | 1 vcl/source/fontsubset/sft.cxx | 12 vcl/source/fontsubset/ttcr.cxx | 36 + writerfilter/source/dmapper/DomainMapperTableManager.cxx | 2 15 files changed, 463 insertions(+), 49 deletions(-)
New commits: commit 0ac3de55d70629356b412a0aa12a80948f869ec1 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Mar 1 10:18:51 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 ofz: don't register style if hbox load failed Change-Id: I4d9d5d76f0c2385871003720e933ed1926f66c70 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130771 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> Tested-by: Jenkins (cherry picked from commit 3ac009bfec614ece98313c6444b4c1183ff14954) (cherry picked from commit 8abce17e43858d85325f05cb46d0b8d717356919) diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx index f3a6401260c5..61c427ad836c 100644 --- a/hwpfilter/source/hwpread.cxx +++ b/hwpfilter/source/hwpread.cxx @@ -234,7 +234,6 @@ bool TxtBox::Read(HWPFile & hwpf) hwpf.Read2b(&option, 1); hwpf.Read2b(&ctrl_ch, 1); hwpf.Read2b(style.margin, 12); - hwpf.AddFBoxStyle(&style); hwpf.Read2b(&box_xs, 1); hwpf.Read2b(&box_ys, 1); hwpf.Read2b(&cap_xs, 1); @@ -362,7 +361,10 @@ bool TxtBox::Read(HWPFile & hwpf) else m_pTable = nullptr; - return !hwpf.State(); + bSuccess = !hwpf.State(); + if (bSuccess) + hwpf.AddFBoxStyle(&style); + return bSuccess; } namespace @@ -509,12 +511,14 @@ bool Picture::Read(HWPFile & hwpf) style.boxtype = 'G'; else style.boxtype = 'D'; - hwpf.AddFBoxStyle(&style); // caption hwpf.ReadParaList(caption); - return !hwpf.State(); + bool bSuccess = !hwpf.State(); + if (bSuccess) + hwpf.AddFBoxStyle(&style); + return bSuccess; } // line(15) @@ -552,7 +556,6 @@ bool Line::Read(HWPFile & hwpf) hwpf.Read2b(&option, 1); hwpf.Read2b(&ctrl_ch, 1); hwpf.Read2b(style.margin, 12); - hwpf.AddFBoxStyle(&style); hwpf.Read2b(&box_xs, 1); hwpf.Read2b(&box_ys, 1); hwpf.Read2b(&cap_xs, 1); 
@@ -581,7 +584,10 @@ bool Line::Read(HWPFile & hwpf) hwpf.Read2b(&color, 1); style.xpos = width; - return !hwpf.State(); + bool bSuccess = !hwpf.State(); + if (bSuccess) + hwpf.AddFBoxStyle(&style); + return bSuccess; } // hidden(15) commit e45299a3e98f3fb973ebcce0cd5aec21ffeca424 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Mar 1 09:35:34 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 ofz: glyph data must be at least 10 bytes long to be useful Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130767 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> Tested-by: Jenkins (cherry picked from commit b228045cf3fb50128fd40a8f26376443ad22f874) Change-Id: I312c33c598013feced15c6f2dbcc66e493b703e6 diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx index 44d53ff10a23..e80260160c45 100644 --- a/vcl/source/fontsubset/ttcr.cxx +++ b/vcl/source/fontsubset/ttcr.cxx @@ -1251,7 +1251,7 @@ static void ProcessTables(TrueTypeCreator *tt) /* printf("IDs: %d %d.\n", gd->glyphID, gd->newID); */ - if (gd->nbytes != 0) { + if (gd->nbytes >= 10) { z = GetInt16(gd->ptr, 2); if (z < xMin) xMin = z; commit a90c75a2ecf8c5521aeb1d6ca79b6bb73541ab6e Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Feb 28 21:12:07 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 ofz: measure maximum possible contours Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130774 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 26abdb564dad2011a298fc1253279232cb8b59cf) Change-Id: Ie039abd835fef06514edde12b99e17360f5481a5 diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 2d2157f6f675..8a684e472e0a 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx 
@@ -362,7 +362,13 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, sal_uInt32 glyphID, Contr if( glyphID >= ttf->nglyphs ) /*- glyph is not present in the font */ return 0; - const sal_uInt8* ptr = table + ttf->goffsets[glyphID]; + sal_uInt32 nGlyphOffset = ttf->goffsets[glyphID]; + if (nGlyphOffset > nTableSize) + return 0; + + const sal_uInt8* ptr = table + nGlyphOffset; + const sal_uInt32 nMaxGlyphSize = nTableSize - nGlyphOffset; + const sal_Int16 numberOfContours = GetInt16(ptr, GLYF_numberOfContours_offset); if( numberOfContours <= 0 ) /*- glyph is not simple */ return 0; @@ -377,7 +383,7 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, sal_uInt32 glyphID, Contr /* determine the last point and be extra safe about it. But probably this code is not needed */ sal_uInt16 lastPoint=0; - const sal_Int32 nMaxContours = (nTableSize - 10)/2; + const sal_Int32 nMaxContours = (nMaxGlyphSize - 10)/2; if (numberOfContours > nMaxContours) return 0; for (i=0; i<numberOfContours; i++) commit 6278328a1eab09846aed2b612ebe69d67a51f611 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Mar 1 11:45:23 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 protect frame from triggering deleting itself LIBREOFFICE-N4LA0OHZ Change-Id: I0d24277665a317f047b286fe0f0878b3814ded65 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130766 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit ee2a192923bf709d05c174848e7054cd411b205a) (cherry picked from commit 3d3c6462eeef581af2b936071c3ef432858b04a5) diff --git a/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf new file mode 100755 index 000000000000..47d284aa5753 --- /dev/null +++ b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf 
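Review bot: `nMaxGlyphSize` can be smaller than the 10-byte glyph header, and neither hunk of this sft.cxx change rejects that case. The first hunk only rejects `nGlyphOffset > nTableSize`, so an offset equal to (or within 9 bytes of) the table end still reaches `GetInt16(ptr, GLYF_numberOfContours_offset)`. In the second hunk `(nMaxGlyphSize - 10)/2` is unsigned arithmetic on a `sal_uInt32`, so it wraps to a large positive `nMaxContours` and the `numberOfContours > nMaxContours` test passes for any value. Adding `if (nMaxGlyphSize < 10) return 0;` directly after `nMaxGlyphSize` is computed, before the first read through `ptr`, would close both gaps. GetSimpleTTOutline starts and ends outside these hunks.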
@@ -0,0 +1,347 @@ +{\rtf1\ansi\ansicpg1252\deff0 +{\fontttbl +\f0\froman\fcharset0 Times; +\f1\fswiss\fcharset0 Helvetica; +\f2\fmodern\fcharset0 Courier; +\f3\ftech\fcharset2 S�mbol; +} +{]colortbl +; +\red127\green255\blue212; +\red0\green0\blue0; +\red0\green0\blue255; +\red25\green0\blue255; +\red190\green190\blue190; +\red0\green255\blue0; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red50\green205\blue50; +\red176\green48\blue96; +\red0\green0\blue128; +\red85\green107\blue47; +\red160\green32\blue240; +\red255\green0\blue0; +\red192\green-1733928082104\blue192; +\red0\green128\blue128; +\red255\green255\blue255; +\red255\green255\blue0; +} +{\info +{\*\userprops +{\propname creator}\proptype30 +{\staticval XMLmind FO Converter} +} +} +\facingp\masgmirror\fet0\ftnbj +\sectd +\pghsxn15840\pgwsxn12240 +\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440J\margmirsxn +\headery720 +\footery720 +\titlepg +\pgnrestart\pgnstarts1|pgndec +{\headerr +\trowd\trleft0 +clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf18446744073709551614\cellx279 +\pard\intbl +\cell +\tard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerl +\trowd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\�ellx186 +\clvertalt 
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerf +} +{\footerr +\trowd\trleft0 +\clvertalb +\clbrdrT\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10Lbrdrcf2\cellx186 +\clvertalb +\clbrdrt\brdvs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{footerl +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brd2cf2\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\row +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\footerf +} +{\*\bkmkstart id2754642} +{\*\bkmkend i`2754642} +\pard\qect +\sectd +\pghsxn1\pgwsxn12240 +\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440 +\margmirsxn +\headery720\footery720 +\titlepg +\pgncont\pgnlcrm +{\headerr +\trowd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +^clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerl +\trowd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\headerf +\trkwd\trleft0 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\b�drcf8\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\row +} +{\footerr +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +\cdrertal�VQbdqomA +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20\cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +{\footerl +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 
+\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf3\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20|cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +{\footerf +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20\cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +{\*\bkmkstart toc_2e__2e__2e_id2754642} +\pard\sb518\qj +{\plain\f000000000000000000000000000000000000000000000000000000128\fs35\b\cf2 +Table of %nntentsmpUMjkI +} +\par +{\*\bkmkend toc_2e__2e__2e_id2754642} +\pard\sb291\li960\ri480\tldot\tx4920 +{\field{\*|fldinst HYPERLINK \\l id2884528}{\fldrslt +{\plai~\f0\fs20cf2 +1. +} +}} +{\plain\f0\fs20\cf2 + +} +{\plain\f0\fs20\cf2 +\tab +} +{\plain\f0\fs20\cf2 + +} +{\field{\*\fldinst HYPERLINK \\n id2884528}{\fldrslt +{\plain\f0\fs20\cf2 +{\field{\*\fldinst PAGEREF id2884528}{\fldrslt 0}} +} +}} +\par +\pard\sect +\sectd +\pghsxn15840\pgwsxn12240 +\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440 +\margmirsxn +\headery720 +\footery720 +\titlepg +\pgnrestart\pgnstarts1\pgndec +{\headerr +\trowd\trleft0 +\clvertalt +\clbrdrb�brdrs\brdrw10\brdrcf2\cellx93 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalt +\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl +\cell +\pard\intbl +\cell +\rou +} +{\footarl +\trowd\trleft0 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +mkend toc_2e__2e__2e_id2754642} +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain\f0\fs20\cf2 +\chpgn +} +Xcell +\pard\intbl +\cell +\row +} +{\footerf +\trowd\trleft0 
+\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186 +\clvertalb +\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279 +\pard\intbl +\cell +\pard\intbl\qc +{\plain\f0\fs20\cf2 +\chpgn +} +\cell +\pard\intbl +\cell +\row +} +\par} +\par} +\row +kbkmkend id2884--188884712918700} +\par} \ No newline at end of file diff --git a/sw/qa/extras/layout/layout.cxx b/sw/qa/extras/layout/layout.cxx index fd654cb3289d..45c22406abd5 100644 --- a/sw/qa/extras/layout/layout.cxx +++ b/sw/qa/extras/layout/layout.cxx @@ -2955,6 +2955,9 @@ CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepointFootnoteFrame) //FIXME: disabled after failing again with fixed layout //CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepoint76) { createDoc("forcepoint76-1.rtf"); } +//just care it doesn't crash/assert +CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testN4LA0OHZ) { createDoc("LIBREOFFICE-N4LA0OHZ.rtf"); } + CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testTdf118058) { SwDoc* pDoc = createDoc("tdf118058.fodt"); diff --git a/sw/source/core/layout/tabfrm.cxx b/sw/source/core/layout/tabfrm.cxx index ddee61fceb1c..ecabf904bffe 100644 --- a/sw/source/core/layout/tabfrm.cxx +++ b/sw/source/core/layout/tabfrm.cxx 
@@ -2071,6 +2071,7 @@ void SwTabFrame::MakeAll(vcl::RenderContext* pRenderContext) } SwFootnoteBossFrame *pOldBoss = bFootnotesInDoc ? FindFootnoteBossFrame( true ) : nullptr; bool bReformat; + SwFrameDeleteGuard g(this); if ( MoveBwd( bReformat ) ) { aRectFnSet.Refresh(this); commit d6e6b8bb8ac0de581477eb6bfcd1799e76b811f0 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Fri Feb 25 12:33:13 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 lastPoint might be 0xFFFF LIBREOFFICE-KYYAZMB9 Change-Id: Ic0d95bd39a01dc1e5e0fec83dcc2c40b3f23b747 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130462 Tested-by: Jenkins Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit 21ea1eacd214dbaac8d0ce7f437580d535871415) diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index fd6e6f96df10..2d2157f6f675 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -394,7 +394,7 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, sal_uInt32 glyphID, Contr const sal_uInt8* p = ptr + nOffset; const sal_uInt32 nBytesRemaining = nTableSize - nOffset; - const sal_uInt16 palen = lastPoint+1; + const sal_uInt32 palen = lastPoint+1; //at a minimum its one byte per entry if (palen > nBytesRemaining || lastPoint > nBytesRemaining-1) commit 988686a127f2301528b81723ef9fb38a00686ba6 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Mar 1 10:39:34 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 fail more gracefully if m_aTmpPosition is empty LIBREOFFICE-N4LA0OHZ Change-Id: I7f863151f753ad5605c4f1f280cfd79aa4c6bce4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130772 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 02837024ea8d3d52c92420858327b309f2e96487) 
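Review bot: The new `SwFrameDeleteGuard g(this);` in SwTabFrame::MakeAll has no comment saying which call it protects against, and the one-letter name gives no hint either. Going by the commit title, it presumably keeps `MoveBwd( bReformat )` and the code after it from deleting this frame while MakeAll is still running. A line such as `// keep this frame alive: MoveBwd() can trigger layout that would delete it` plus a descriptive name (`aDeleteGuard`) would make the intent clear. The guard's scope ends with the enclosing block, which closes outside the hunk, so how long it is held cannot be confirmed from here.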
diff --git a/writerfilter/source/dmapper/DomainMapperTableManager.cxx b/writerfilter/source/dmapper/DomainMapperTableManager.cxx index 618ca603efe6..968919c1d28e 100644 --- a/writerfilter/source/dmapper/DomainMapperTableManager.cxx +++ b/writerfilter/source/dmapper/DomainMapperTableManager.cxx @@ -552,6 +552,8 @@ void DomainMapperTableManager::endOfRowAction() // Compare the table position with the previous ones. We may need to split // into two tables if those are different. We surely don't want to do anything // if we don't have any row yet. + if (m_aTmpPosition.empty()) + throw std::out_of_range("row without a position"); TablePositionHandlerPtr pTmpPosition = m_aTmpPosition.back(); TablePropertyMapPtr pTablePropMap = m_aTmpTableProperties.back( ); TablePositionHandlerPtr pCurrentPosition = m_aTablePositions.back(); commit 7537b705ae3dfb4c12507cecfd94b41218bca125 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Sun Feb 27 21:17:52 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:47 2022 +0100 ofz#44991 keep paragraph's that failed to load until import is complete to avoid dangling references to them Change-Id: Ic8710f63a8cf6a6a665348c7c84bf0b43f0e2c83 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130643 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 4836ac408b04225b66246671e29a54cd0d6703cf) diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h index 60bd74f80f80..8d046b0e4a2d 100644 --- a/hwpfilter/source/drawing.h +++ b/hwpfilter/source/drawing.h @@ -316,7 +316,7 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, unsigned short * link_info) return hmem->skipBlock(size - common_size ) != 0; } -static std::unique_ptr<HWPDrawingObject> LoadDrawingObject(void) +static std::unique_ptr<HWPDrawingObject> LoadDrawingObject(HWPFile& hwpf) { HWPDrawingObject *prev = nullptr; std::unique_ptr<HWPDrawingObject> hdo, head; 
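Review bot: In DomainMapperTableManager::endOfRowAction only `m_aTmpPosition` is checked for emptiness, while the next two lines call `m_aTmpTableProperties.back()` and `m_aTablePositions.back()` with no check. If these containers can become empty independently on malformed input (not visible from this hunk), `back()` on an empty container is undefined behaviour, the same as the case just fixed. Consider widening the guard to `if (m_aTmpPosition.empty() || m_aTmpTableProperties.empty() || m_aTablePositions.empty())`. Otherwise add a comment stating the invariant that keeps the three in step. The function body continues outside the hunk.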
@@ -355,7 +355,7 @@ static std::unique_ptr<HWPDrawingObject> LoadDrawingObject(void) } if (link_info & HDOFILE_HAS_CHILD) { - hdo->child = LoadDrawingObject(); + hdo->child = LoadDrawingObject(hwpf); if (hdo->child == nullptr) { goto error; @@ -384,6 +384,11 @@ error: { hdo->type = HWPDO_RECT; } + if (hdo->property.pPara) + { + hwpf.move_to_failed(std::unique_ptr<HWPPara>(hdo->property.pPara)); + hdo->property.pPara = nullptr; + } HWPDOFunc(hdo.get(), OBJFUNC_FREE, nullptr, 0); hdo.reset(); @@ -397,7 +402,7 @@ error: } -static bool LoadDrawingObjectBlock(Picture * pic) +static bool LoadDrawingObjectBlock(Picture * pic, HWPFile& hwpf) { int size; if (!hmem->read4b(size)) @@ -423,7 +428,7 @@ static bool LoadDrawingObjectBlock(Picture * pic) !hmem->skipBlock(size - HDOFILE_HEADER_SIZE)) return false; - pic->picinfo.picdraw.hdo = LoadDrawingObject().release(); + pic->picinfo.picdraw.hdo = LoadDrawingObject(hwpf).release(); if (pic->picinfo.picdraw.hdo == nullptr) return false; return true; diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx index eb0e16398252..a1303a8ee256 100644 --- a/hwpfilter/source/hwpfile.cxx +++ b/hwpfilter/source/hwpfile.cxx @@ -241,7 +241,7 @@ void HWPFile::ReadParaList(std::vector < HWPPara* > &aplist) aplist.push_back(spNode.release()); spNode.reset( new HWPPara ); } - pfailedlist.push_back(std::move(spNode)); + move_to_failed(std::move(spNode)); } void HWPFile::ReadParaList(std::vector< std::unique_ptr<HWPPara> > &aplist, unsigned char flag) @@ -275,7 +275,12 @@ void HWPFile::ReadParaList(std::vector< std::unique_ptr<HWPPara> > &aplist, unsi aplist.push_back(std::move(spNode)); spNode.reset( new HWPPara ); } - pfailedlist.push_back(std::move(spNode)); + move_to_failed(std::move(spNode)); +} + +void HWPFile::move_to_failed(std::unique_ptr<HWPPara> xPara) +{ + pfailedlist.push_back(std::move(xPara)); } void HWPFile::TagsRead() 
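Review bot: In the `error:` path of LoadDrawingObject, `hdo->property.pPara` is wrapped in a `std::unique_ptr` and only cleared on the following line, so for a moment the paragraph has two owners. If `move_to_failed` throws (its `push_back` can allocate), the paragraph is destroyed while `hdo->property.pPara` still points at it. Making the hand-over a single expression removes that window: `hwpf.move_to_failed(std::unique_ptr<HWPPara>(std::exchange(hdo->property.pPara, nullptr)));` (this needs `<utility>`). The cleanup code continues past the end of this hunk.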
diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h index f776460e346d..e20d6b9c48ca 100644 --- a/hwpfilter/source/hwpfile.h +++ b/hwpfilter/source/hwpfile.h @@ -257,6 +257,8 @@ class DLLEXPORT HWPFile } void pop_hpara_type() { element_import_stack.pop_back(); } + void move_to_failed(std::unique_ptr<HWPPara> rPara); + private: int compareCharShape(CharShape const *shape); int compareParaShape(ParaShape const *shape); diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx index 12f29a38925e..f3a6401260c5 100644 --- a/hwpfilter/source/hwpread.cxx +++ b/hwpfilter/source/hwpread.cxx @@ -490,7 +490,7 @@ bool Picture::Read(HWPFile & hwpf) if (pictype == PICTYPE_DRAW) { auto xGuard(std::make_unique<ChangeMemGuard>(follow.data(), follow_block_size)); - LoadDrawingObjectBlock(this); + LoadDrawingObjectBlock(this, hwpf); style.cell = picinfo.picdraw.hdo; xGuard.reset(); } commit 7b90f869b28b145dfcbfe2bcbe92c19d86233d85 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Sat Feb 26 19:52:29 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:46 2022 +0100 ofz#44991 don't skip over terminator Change-Id: Ibc942705a788db60c104d00916a45d595596285e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130560 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 4ac060fce70a4b116207d061efbb6185e6162d04) diff --git a/hwpfilter/source/hcode.cxx b/hwpfilter/source/hcode.cxx index fda36e0953ca..28bc97212fba 100644 --- a/hwpfilter/source/hcode.cxx +++ b/hwpfilter/source/hcode.cxx 
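Review bot: The declaration in hwpfile.h names the parameter `rPara`, while the definition in hwpfile.cxx uses `xPara`. The `r` prefix reads as a reference even though the argument is taken by value and ownership moves into `pfailedlist`. Suggest `void move_to_failed(std::unique_ptr<HWPPara> xPara);` to match the definition. A one-line comment such as `// takes ownership; keeps a failed paragraph alive until import ends so existing references do not dangle` would also help, since the header gives no hint why failed paragraphs are retained.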
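Review bot: In Picture::Read the `bool` returned by `LoadDrawingObjectBlock(this, hwpf)` is still discarded, and `style.cell = picinfo.picdraw.hdo;` runs regardless. Per the drawing.h hunks, LoadDrawingObjectBlock has several early `return false` paths before `hdo` is assigned, so on failure `style.cell` takes whatever `hdo` held before the call. Consider `if (!LoadDrawingObjectBlock(this, hwpf)) picinfo.picdraw.hdo = nullptr;` before the assignment. If the result is ignored on purpose, say so in a comment. Whether a failed block load is reflected in `hwpf.State()` is not visible here; the body of Picture::Read extends beyond the hunk.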
@@ -1217,6 +1217,8 @@ hchar_string kstr2hstr(uchar const* src) { ret.push_back(src[i] << 8 | src[i+1]); i++; + if (src[i] == '\0') + break; } } return ret; commit dfa867fd7f14242c8939fbdf2e775d2783b0bdce Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Sun Feb 27 12:05:38 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:46 2022 +0100 ofz#45081 check font length Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130635 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 568753f4d867c4681b762b63f9b1254f56865da4) Change-Id: Ib8cea70652ae90403db3546c07d24a517b1ec93e diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx index e78f6d01853b..44d53ff10a23 100644 --- a/vcl/source/fontsubset/ttcr.cxx +++ b/vcl/source/fontsubset/ttcr.cxx @@ -25,6 +25,7 @@ #include "ttcr.hxx" #include "list.h" +#include <sal/log.hxx> #include <string.h> namespace vcl @@ -1288,14 +1289,21 @@ static void ProcessTables(TrueTypeCreator *tt) do { GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist)); - if (gd->compflag) { /* re-number all components */ + if (gd->compflag && gd->nbytes > 10) { /* re-number all components */ sal_uInt16 flags, index; sal_uInt8 *ptr = gd->ptr + 10; + size_t nRemaining = gd->nbytes - 10; do { - sal_uInt32 j; + if (nRemaining < 4) + { + SAL_WARN("vcl.fonts", "truncated font"); + break; + } flags = GetUInt16(ptr, 0); index = GetUInt16(ptr, 2); + /* XXX use the sorted array of old to new glyphID mapping and do a binary search */ + sal_uInt32 j; for (j = 0; j < nGlyphs; j++) { if (gid[j] == index) { break; 
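Review bot: In kstr2hstr the new terminator check runs after `ret.push_back(src[i] << 8 | src[i+1])`. A lead byte followed directly by the NUL therefore still appends a half-formed character (lead byte in the high half, zero in the low half) before the loop stops. If such a truncated pair should be dropped rather than emitted, test first: `if (src[i+1] == '\0') break;` ahead of the `push_back`. If emitting it is intended, a short comment saying so would help. The enclosing loop and its condition are outside the hunk.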
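Review bot: Both new `break` paths in the composite-glyph loop of ProcessTables leave the glyph partly renumbered. This hunk adds the `nRemaining < 4` break and the following hunk (-1306) adds the `nRemaining < nAdvance` break, which comes after `PutUInt16(static_cast<sal_uInt16>(j), ptr, 2)` has already rewritten the current component. The components handled so far carry new IDs while the rest keep the old ones. The two warnings use the identical text "truncated font", so a log cannot tell which check fired or which glyph was affected. Adding the glyph to the message, e.g. `SAL_WARN("vcl.fonts", "truncated composite glyph " << gd->glyphID);`, would help, as would a comment stating that a partially renumbered glyph is accepted here. Separately, the literal `10` in `gd->nbytes > 10` and `gd->ptr + 10` is the glyph header size and would read better as a named constant.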
@@ -1306,20 +1314,32 @@ static void ProcessTables(TrueTypeCreator *tt) PutUInt16(static_cast<sal_uInt16>(j), ptr, 2); ptr += 4; + nRemaining -= 4; + sal_uInt32 nAdvance = 0; if (flags & ARG_1_AND_2_ARE_WORDS) { - ptr += 4; + nAdvance += 4; } else { - ptr += 2; + nAdvance += 2; } if (flags & WE_HAVE_A_SCALE) { - ptr += 2; + nAdvance += 2; } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) { - ptr += 4; + nAdvance += 4; } else if (flags & WE_HAVE_A_TWO_BY_TWO) { - ptr += 8; + nAdvance += 8; } + + if (nRemaining < nAdvance) + { + SAL_WARN("vcl.fonts", "truncated font"); + break; + } + + ptr += nAdvance; + nRemaining -= nAdvance; + } while (flags & MORE_COMPONENTS); } commit 1e2e9f985f843b26a5def62b87502c4462118d23 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Feb 28 09:45:55 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:46 2022 +0100 check if cast is to the right type LIBREOFFICE-311XVJ95 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130670 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit b44bd9ef8e2efdb66558917200e1f179b9db1c58) Change-Id: I159f516daafad3e4088677fe2c8c6f5423b3e264 diff --git a/drawinglayer/source/tools/emfphelperdata.cxx b/drawinglayer/source/tools/emfphelperdata.cxx index 69f9e33215a8..9ad9e1a78c26 100644 --- a/drawinglayer/source/tools/emfphelperdata.cxx +++ b/drawinglayer/source/tools/emfphelperdata.cxx @@ -346,7 +346,7 @@ namespace emfplushelper } else // we use a pen { - const EMFPPen* pen = static_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get()); + const EMFPPen* pen = dynamic_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get()); if (pen) { color = pen->GetColor(); 
@@ -620,7 +620,7 @@ namespace emfplushelper } else // use Brush { - EMFPBrush* brush = static_cast<EMFPBrush*>( maEMFPObjects[brushIndexOrColor & 0xff].get() ); + EMFPBrush* brush = dynamic_cast<EMFPBrush*>( maEMFPObjects[brushIndexOrColor & 0xff].get() ); SAL_INFO("drawinglayer", "EMF+\t Fill polygon, brush slot: " << brushIndexOrColor << " (brush type: " << (brush ? brush->GetType() : -1) << ")"); // give up in case something wrong happened @@ -1120,7 +1120,11 @@ namespace emfplushelper rMS.ReadUInt32(brushIndexOrColor); SAL_INFO("drawinglayer", "EMF+ FillRegion slot: " << index); - EMFPPlusFillPolygon(static_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get())->regionPolyPolygon, flags & 0x8000, brushIndexOrColor); + EMFPRegion* region = dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get()); + if (region) + EMFPPlusFillPolygon(region->regionPolyPolygon, flags & 0x8000, brushIndexOrColor); + else + SAL_WARN("drawinglayer.emf", "EMF+\tEmfPlusRecordTypeFillRegion missing region"); } break; case EmfPlusRecordTypeDrawEllipse: @@ -1295,9 +1299,10 @@ namespace emfplushelper SAL_INFO("drawinglayer", "EMF+\tTODO: use image attributes"); // For DrawImage and DrawImagePoints, source unit of measurement type must be 1 pixel - if (sourceUnit == UnitTypePixel && maEMFPObjects[flags & 0xff].get()) + if (EMFPImage* image = sourceUnit == UnitTypePixel ? + dynamic_cast<EMFPImage*>(maEMFPObjects[flags & 0xff].get()) : + nullptr) { - EMFPImage& image = *static_cast<EMFPImage *>(maEMFPObjects[flags & 0xff].get()); float sx, sy, sw, sh; ReadRectangle(rMS, sx, sy, sw, sh); ::tools::Rectangle aSource(Point(sx, sy), Size(sw, sh)); 
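Review bot: The new warning in the FillRegion case (hunk -1120) logs to the area `"drawinglayer.emf"`, while every other SAL_INFO/SAL_WARN visible in this file's hunks uses `"drawinglayer"`. Someone filtering on the existing area will not see the one message that reports a wrong object type in a slot. Unless `drawinglayer.emf` is already a registered log area on this branch (not visible here), use `SAL_WARN("drawinglayer", "EMF+\tEmfPlusRecordTypeFillRegion missing region");` for consistency. Including the slot, `<< (flags & 0xff)`, would match the neighbouring "Unable to find region in slot" message.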
@@ -1352,9 +1357,9 @@ namespace emfplushelper /* Row 1, Column 1 */ aDstSize.getY(), /* Row 1, Column 2 */ aDstPoint.getY()); - if (image.type == ImageDataTypeBitmap) + if (image->type == ImageDataTypeBitmap) { - BitmapEx aBmp(image.graphic.GetBitmapEx()); + BitmapEx aBmp(image->graphic.GetBitmapEx()); aBmp.Crop(aSource); Size aSize(aBmp.GetSizePixel()); SAL_INFO("drawinglayer", "EMF+\t bitmap size: " << aSize.Width() << "x" << aSize.Height()); @@ -1369,9 +1374,9 @@ namespace emfplushelper break; } } - else if (image.type == ImageDataTypeMetafile) + else if (image->type == ImageDataTypeMetafile) { - GDIMetaFile aGDI(image.graphic.GetGDIMetaFile()); + GDIMetaFile aGDI(image->graphic.GetGDIMetaFile()); aGDI.Clip(aSource); mrTargetHolders.Current().append( std::make_unique<drawinglayer::primitive2d::MetafilePrimitive2D>(aTransformMatrix, aGDI)); @@ -1405,7 +1410,7 @@ namespace emfplushelper // get the stringFormat from the Object table ( this is OPTIONAL and may be nullptr ) const EMFPStringFormat *stringFormat = dynamic_cast<EMFPStringFormat*>(maEMFPObjects[formatId & 0xff].get()); // get the font from the flags - const EMFPFont *font = static_cast< EMFPFont* >( maEMFPObjects[flags & 0xff].get() ); + const EMFPFont *font = dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get()); if (!font) { break; @@ -1770,7 +1775,7 @@ namespace emfplushelper SAL_INFO("drawinglayer", "EMF+ SetClipPath combine mode: " << combineMode); SAL_INFO("drawinglayer", "EMF+\tpath in slot: " << (flags & 0xff)); - EMFPPath *path = static_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get()); + EMFPPath *path = dynamic_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get()); if (!path) { SAL_WARN("drawinglayer", "EMF+\t TODO Unable to find path in slot: " << (flags & 0xff)); 
@@ -1787,7 +1792,7 @@ namespace emfplushelper int combineMode = (flags >> 8) & 0xf; SAL_INFO("drawinglayer", "EMF+ SetClipRegion"); SAL_INFO("drawinglayer", "EMF+\tregion in slot: " << (flags & 0xff) << " combine mode: " << combineMode); - EMFPRegion *region = static_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get()); + EMFPRegion *region = dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get()); if (!region) { SAL_WARN("drawinglayer", "EMF+\t TODO Unable to find region in slot: " << (flags & 0xff)); @@ -1856,7 +1861,7 @@ namespace emfplushelper } // get the font from the flags - EMFPFont *font = static_cast< EMFPFont* >( maEMFPObjects[flags & 0xff].get() ); + EMFPFont *font = dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get()); if (!font) { break; commit 712cd3ca1868c3ea74bba302ebafdee99dafa85a Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Feb 28 09:15:10 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:46 2022 +0100 ensure null terminator LIBREOFFICE-WB8DT2Q9 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130668 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> Tested-by: Jenkins (cherry picked from commit 4b6956ca146f25b746f63c176b377d3c15d204ff) Change-Id: I98529325bbd3ff475ba84b4991eb17240440df4b diff --git a/sc/source/filter/lotus/op.cxx b/sc/source/filter/lotus/op.cxx index 02cd9b0e014d..d85cc4456d58 100644 --- a/sc/source/filter/lotus/op.cxx +++ b/sc/source/filter/lotus/op.cxx 
@@ -580,14 +580,9 @@ void OP_SheetName123(LotusContext& rContext, SvStream& rStream, sal_uInt16 nLeng sal_uInt16 nSheetNum(0); rStream.ReadUInt16(nSheetNum); - ::std::vector<sal_Char> sSheetName; - sSheetName.reserve(nLength-4); - for (sal_uInt16 i = 4; i < nLength; ++i) - { - sal_Char c; - rStream.ReadChar( c ); - sSheetName.push_back(c); - } + const size_t nStrLen = nLength - 4; + std::vector<sal_Char> sSheetName(nStrLen + 1); + sSheetName[rStream.ReadBytes(sSheetName.data(), nStrLen)] = 0; if (!ValidTab(nSheetNum)) return; commit 72d561dd1cbc71c88f2f7dd04552a67a3b88d9ae Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Sat Feb 26 20:04:15 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:46 2022 +0100 ofz#44991 keep within legal ArrowShape range Change-Id: I6bf70f27a66ba9b355a3f7ae0c68a696a7284871 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130562 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 7171ec3e400505fbeead152718eebd5cc6c624d7) diff --git a/hwpfilter/source/hwpreader.cxx b/hwpfilter/source/hwpreader.cxx index 5dccd3b7b7b2..fa337533b3b3 100644 --- a/hwpfilter/source/hwpreader.cxx +++ b/hwpfilter/source/hwpreader.cxx @@ -24,6 +24,7 @@ #include <math.h> #include <osl/diagnose.h> +#include <o3tl/safeint.hxx> #include <tools/stream.hxx> #include "fontmap.hxx" @@ -460,7 +461,9 @@ void HwpReader::makeDrawMiscStyle( HWPDrawingObject *hdo ) if( hdo->type == HWPDO_LINE || hdo->type == HWPDO_ARC || hdo->type == HWPDO_FREEFORM || hdo->type == HWPDO_ADVANCED_ARC ) { - if( prop->line_tstyle && !ArrowShape[prop->line_tstyle].bMade ) + if( prop->line_tstyle > 0 && + o3tl::make_unsigned(prop->line_tstyle) < std::size(ArrowShape) && + !ArrowShape[prop->line_tstyle].bMade ) { ArrowShape[prop->line_tstyle].bMade = true; padd("draw:name", sXML_CDATA, 
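Review bot: In OP_SheetName123, `nLength - 4` is computed in `int` and then converted to `size_t`, so an `nLength` below 4 would give a huge `nStrLen` and make the `std::vector` constructor throw. The hunk starts at line 580, after the beginning of the function, so a guard may already exist above it; that cannot be confirmed from here. If it does, a comment at the subtraction such as `// nLength > 4 checked on entry` would document the dependency. If it does not, the length needs to be validated before this line. Indexing with the `ReadBytes` result is in bounds, since it cannot exceed `nStrLen` and the vector has `nStrLen + 1` elements.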
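Review bot: The same two-part range test, `x > 0 && o3tl::make_unsigned(x) < std::size(ArrowShape)`, is written out four times in hwpreader.cxx. It appears here in makeDrawMiscStyle for `line_tstyle`, in the next hunk (-484) for `line_hstyle`, and in both makeDrawStyle hunks (-2041, -2062). A small file-local helper, for example `static bool isValidArrowIndex(int n)` returning that expression, would keep the four sites from drifting apart if the table or the lower bound changes. It would also give one place to note that index 0 means "no arrow". `std::size` requires `<iterator>` or a container header; only `<o3tl/safeint.hxx>` is added by this commit, so check it is not reached merely through a transitive include.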
@@ -484,7 +487,9 @@ void HwpReader::makeDrawMiscStyle( HWPDrawingObject *hdo ) mxList->clear(); rendEl("draw:marker"); } - if( prop->line_hstyle && !ArrowShape[prop->line_hstyle].bMade) + if (prop->line_hstyle > 0 && + o3tl::make_unsigned(prop->line_hstyle) < std::size(ArrowShape) && + !ArrowShape[prop->line_hstyle].bMade) { ArrowShape[prop->line_hstyle].bMade = true; padd("draw:name", sXML_CDATA, @@ -2041,7 +2046,8 @@ void HwpReader::makeDrawStyle( HWPDrawingObject * hdo, FBoxStyle * fstyle) hdo->type == HWPDO_FREEFORM || hdo->type == HWPDO_ADVANCED_ARC ) { - if( hdo->property.line_tstyle > 0 ) + if( hdo->property.line_tstyle > 0 && + o3tl::make_unsigned(hdo->property.line_tstyle) < std::size(ArrowShape) ) { padd("draw:marker-start", sXML_CDATA, ascii(ArrowShape[hdo->property.line_tstyle].name) ); @@ -2062,7 +2068,8 @@ void HwpReader::makeDrawStyle( HWPDrawingObject * hdo, FBoxStyle * fstyle) Double2Str( WTMM(hdo->property.line_width * 7)) + "mm"); } - if( hdo->property.line_hstyle > 0 ) + if( hdo->property.line_hstyle > 0 && + o3tl::make_unsigned(hdo->property.line_hstyle) < std::size(ArrowShape) ) { padd("draw:marker-end", sXML_CDATA, ascii(ArrowShape[hdo->property.line_hstyle].name) ); commit 8f05eda7f399af33ba58c4eba93b24f789a9596d Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Thu Jan 9 19:43:23 2020 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 3 13:36:46 2022 +0100 Introduce o3tl::make_unsigned to cast from signed to unsigned type ...without having to spell out a specific type to cast to (and also making it more obvious what the intend of such a cast is) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86502 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> (cherry picked from commit 6417668b3e12d9659ac5dc4a2f60aa8ad3bca675) Change-Id: Id9c68b856a4ee52e5a40d15dc9d83e95d1c231cd diff --git a/include/o3tl/safeint.hxx b/include/o3tl/safeint.hxx index ae28ca4b6570..6d8d1304fdf3 100644 
--- a/include/o3tl/safeint.hxx +++ b/include/o3tl/safeint.hxx @@ -12,6 +12,7 @@ #include <sal/config.h> +#include <cassert> #include <limits> #include <type_traits> @@ -226,6 +227,13 @@ template<typename T> inline typename std::enable_if<std::is_unsigned<T>::value, #endif +template<typename T> constexpr std::enable_if_t<std::is_signed_v<T>, std::make_unsigned_t<T>> +make_unsigned(T value) +{ + assert(value >= 0); + return value; +} + } #endif
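Review bot: `o3tl::make_unsigned` enforces its precondition only with `assert(value >= 0)`, which disappears when `NDEBUG` is defined. In such builds a negative argument silently becomes a large unsigned value. The function has no comment saying this, and its name could be taken for a checked conversion. A header comment along the lines of `// Precondition: value >= 0. Only asserted; callers handling untrusted input must range-check first.` would make the contract explicit. The hwpreader.cxx call sites in this series do test `> 0` before calling it.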