prevent out-of-bounds string access

... while entering a * star symbol format code and there's no fill character following the * yet, for example "xxx"* (cherry picked from commit 839cc63e7d1b78c56e04bafb46037e898ce2c455) more out-of-bounds string accesses (cherry picked from commit 349c93e0f5c9f231b2ff6854fcb795ca5881ca2d) Change-Id: I006f125ceefccba6a95ea033fd434d98e5d4f1c2 Reviewed-on: https://gerrit.libreoffice.org/10995 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
author: Eike Rathke <erack@redhat.com> 2014-08-18 14:09:20 +0200
committer: Andras Timar <andras.timar@collabora.com> 2014-08-21 21:24:44 +0200
commit: 05798732d758e176a92ac07e7adff2321eb61f46 (patch)
tree: 7bc698fcf25f6a9a13d48b2a9dded6913655691b /svl
parent: 4704a686dcbada391db903fbb487a3fc5d60993e (diff)
1 files changed, 32 insertions, 24 deletions
diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx
index 576da5930d1f..de6dffd88a51 100644
--- a/svl/source/numbers/zformat.cxx
+++ b/svl/source/numbers/zformat.cxx
@@ -2230,6 +2230,30 @@ short SvNumberformat::ImpCheckCondition(double& fNumber,
     }
 }
 
+static bool lcl_appendStarFillChar( OUStringBuffer& rBuf, const OUString& rStr )
+{
+    // Right during user input the star symbol is the very
+    // last character before the user enters another one.
+    if (rStr.getLength() > 1)
+    {
+        rBuf.append((sal_Unicode) 0x1B);
+        rBuf.append(rStr[1]);
+        return true;
+    }
+    return false;
+}
+
+static bool lcl_insertStarFillChar( OUStringBuffer& rBuf, sal_Int32 nPos, const OUString& rStr )
+{
+    if (rStr.getLength() > 1)
+    {
+        rBuf.insert( nPos, rStr[1]);
+        rBuf.insert( nPos, (sal_Unicode) 0x1B);
+        return true;
+    }
+    return false;
+}
+
 bool SvNumberformat::GetOutputString(const OUString& sString,
                                      OUString& OutString,
                                      Color** ppColor)
@@ -2262,9 +2286,7 @@ bool SvNumberformat::GetOutputString(const OUString& sString,
             case NF_SYMBOLTYPE_STAR:
                 if( bStarFlag )
                 {
-                    sOutBuff.append((sal_Unicode) 0x1B);
-                    sOutBuff.append(rInfo.sStrArray[i][1]);
-                    bRes = true;
+                    bRes = lcl_appendStarFillChar( sOutBuff, rInfo.sStrArray[i]);
                 }
                 break;
             case NF_SYMBOLTYPE_BLANK:
@@ -2577,9 +2599,7 @@ bool SvNumberformat::GetOutputString(double fNumber,
                 case NF_SYMBOLTYPE_STAR:
                     if( bStarFlag )
                     {
-                        sBuff.append((sal_Unicode) 0x1B);
-                        sBuff.append(rInfo.sStrArray[i][1]);
-                        bRes = true;
+                        bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
                     }
                     break;
                 case NF_SYMBOLTYPE_BLANK:
@@ -3203,9 +3223,7 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber,
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.append((sal_Unicode)0x1B);
-                sBuff.append(rInfo.sStrArray[i][1]);
-                bRes = true;
+                bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -3701,9 +3719,7 @@ bool SvNumberformat::ImpGetDateOutput(double fNumber,
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.append((sal_Unicode) 0x1B);
-                sBuff.append(rInfo.sStrArray[i][1]);
-                bRes = true;
+                bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -3996,9 +4012,7 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber,
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.append((sal_Unicode) 0x1B);
-                sBuff.append(rInfo.sStrArray[i][1]);
-                bRes = true;
+                bRes = lcl_appendStarFillChar( sBuff, rInfo.sStrArray[i]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -4329,9 +4343,7 @@ bool SvNumberformat::ImpGetNumberOutput(double fNumber,
             case NF_SYMBOLTYPE_STAR:
                 if( bStarFlag )
                 {
-                    sStr.insert(k, rInfo.sStrArray[j][1]);
-                    sStr.insert(k, (sal_Unicode) 0x1B);
-                    bRes = true;
+                    bRes = lcl_insertStarFillChar( sStr, k, rInfo.sStrArray[j]);
                 }
                 break;
             case NF_SYMBOLTYPE_BLANK:
@@ -4464,9 +4476,7 @@ bool SvNumberformat::ImpNumberFillWithThousands( OUStringBuffer& sBuff,  // numb
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.insert(k, rInfo.sStrArray[j][1]);
-                sBuff.insert(k, (sal_Unicode) 0x1B);
-                bRes = true;
+                bRes = lcl_insertStarFillChar( sBuff, k, rInfo.sStrArray[j]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
@@ -4640,9 +4650,7 @@ bool SvNumberformat::ImpNumberFill( OUStringBuffer& sBuff, // number string
         case NF_SYMBOLTYPE_STAR:
             if( bStarFlag )
             {
-                sBuff.insert(k, rInfo.sStrArray[j][1]);
-                sBuff.insert(k, sal_Unicode(0x1B));
-                bRes = true;
+                bRes = lcl_insertStarFillChar( sBuff, k, rInfo.sStrArray[j]);
             }
             break;
         case NF_SYMBOLTYPE_BLANK:
author	Eike Rathke <erack@redhat.com>	2014-08-18 14:09:20 +0200
committer	Andras Timar <andras.timar@collabora.com>	2014-08-21 21:24:44 +0200
commit	05798732d758e176a92ac07e7adff2321eb61f46 (patch)
tree	7bc698fcf25f6a9a13d48b2a9dded6913655691b /svl
parent	4704a686dcbada391db903fbb487a3fc5d60993e (diff)