editeng: avoid writing past the end of of pLine->GetCharPosArray()

Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault. 0x00007ffff6df4951 in ?? () from /usr/lib64/libstdc++.so.6 (gdb) bt 10 #0 0x00007ffff6df4951 in () at /usr/lib64/libstdc++.so.6 #1 0x00007ffff6df5792 in __gnu_debug::_Error_formatter::_M_error() const () at /usr/lib64/libstdc++.so.6 #2 0x00007ffff47384bf in std::__debug::vector<int, std::allocator<int> >::operator[](unsigned long) (this=0x6b3dca0, __n=7) at /usr/include/c++/7/debug/vector:417 #3 0x00007ffff47b5440 in ImpEditEngine::ImpBreakLine(ParaPortion*, EditLine*, TextPortion const*, int, long, bool) (this= 0x1ce0040, pParaPortion=0x206a010, pLine=0x6b3dca0, pPortion=0x6b3e480, nPortionStart=0, nRemainingWidth=5093, bCanHyphenate=false) at editeng/source/editeng/impedit3.cxx:2041 #4 0x00007ffff47b1fb6 in ImpEditEngine::CreateLines(int, unsigned int) (this=0x1ce0040, nPara=0, nStartPosY=0) at editeng/source/editeng/impedit3.cxx:1352 #5 0x00007ffff47ad0c2 in ImpEditEngine::FormatDoc() (this=0x1ce0040) at editeng/source/editeng/impedit3.cxx:387 #6 0x00007ffff47bf516 in ImpEditEngine::FormatAndLayout(EditView*, bool) (this=0x1ce0040, pCurView=0x0, bCalledFromUndo=false) at editeng/source/editeng/impedit3.cxx:4190 #7 0x00007ffff47be333 in ImpEditEngine::SetUpdateLayout(bool, EditView*, bool) (this=0x1ce0040, bUp=true, pCurView=0x0, bForceUpdate=false) at editeng/source/editeng/impedit3.cxx:3927 #8 0x00007ffff46f059e in EditEngine::SetUpdateLayout(bool, bool) (this=0x1ce2b20, bUpdate=true, bRestoring=false) at editeng/source/editeng/editeng.cxx:1472 #9 0x00007ffff48ce5e3 in Outliner::SetText(OutlinerParaObject const&) (this=0x1ce0cc0, rPObj=...) at editeng/source/outliner/outliner.cxx:586 (More stack frames follow...) (gdb) frame 3 #3 0x00007ffff47b5440 in ImpEditEngine::ImpBreakLine (this=0x1ce0040, pParaPortion=0x206a010, pLine=0x6b3dca0, pPortion=0x6b3e480, nPortionStart=0, nRemainingWidth=5093, bCanHyphenate=false) at editeng/source/editeng/impedit3.cxx:2041 2041 pLine->GetCharPosArray()[ nPosInArray ] = rTP.GetSize().Width(); (gdb) print pLine->GetCharPosArray() [Thread 0x7fffd2010700 (LWP 5008) exited] $1 = std::__debug::vector of length 7, capacity 7 = {707, 1414, 2121, 2828, 3535, 4242, 4949} (gdb) print nPosInArray $2 = 7 Change-Id: I3a8121c0c0a3b0949e91eb53c0468f7e629b146f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128224 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com> Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
author: Miklos Vajna <vmiklos@collabora.com> 2022-01-10 13:38:46 +0100
committer: Mike Kaganski <mike.kaganski@collabora.com> 2022-01-11 12:16:54 +0100
commit: f0a907a62af92ea067f4442979d2c2891e46781e (patch)
tree: 35f824ae090aad2b151c0193659e043240821861
parent: lokCalcRTL: fix chart insertion position (diff)
download: core-f0a907a62af92ea067f4442979d2c2891e46781e.tar.gz
core-f0a907a62af92ea067f4442979d2c2891e46781e.zip
1 files changed, 8 insertions, 2 deletions
diff --git a/editeng/source/editeng/impedit3.cxx b/editeng/source/editeng/impedit3.cxx
index b905c4ab4f27..233391d8d8e7 100644
--- a/editeng/source/editeng/impedit3.cxx
+++ b/editeng/source/editeng/impedit3.cxx
@@ -1486,7 +1486,10 @@ bool ImpEditEngine::CreateLines( sal_Int32 nPara, sal_uInt32 nStartPosY )
             TextPortion& rTP = pParaPortion->GetTextPortions()[pLine->GetEndPortion()];
             sal_Int32 nPosInArray = pLine->GetEnd()-1-pLine->GetStart();
             tools::Long nNewValue = ( nPosInArray ? pLine->GetCharPosArray()[ nPosInArray-1 ] : 0 ) + n;
-            pLine->GetCharPosArray()[ nPosInArray ] = nNewValue;
+            if (o3tl::make_unsigned(nPosInArray) < pLine->GetCharPosArray().size())
+            {
+                pLine->GetCharPosArray()[ nPosInArray ] = nNewValue;
+            }
             rTP.GetSize().AdjustWidth(n );
         }
 
@@ -2041,7 +2044,10 @@ void ImpEditEngine::ImpBreakLine( ParaPortion* pParaPortion, EditLine* pLine, Te
         DBG_ASSERT( nBreakPos > pLine->GetStart(), "SplitTextPortion at the beginning of the line?" );
         sal_Int32 nPosInArray = nBreakPos - 1 - pLine->GetStart();
         rTP.GetSize().setWidth( ( nPosInArray && ( rTP.GetLen() > 1 ) ) ? pLine->GetCharPosArray()[ nPosInArray-1 ] : 0 );
-        pLine->GetCharPosArray()[ nPosInArray ] = rTP.GetSize().Width();
+        if (o3tl::make_unsigned(nPosInArray) < pLine->GetCharPosArray().size())
+        {
+            pLine->GetCharPosArray()[ nPosInArray ] = rTP.GetSize().Width();
+        }
     }
     else if ( bHyphenated )
     {
author	Miklos Vajna <vmiklos@collabora.com>	2022-01-10 13:38:46 +0100
committer	Mike Kaganski <mike.kaganski@collabora.com>	2022-01-11 12:16:54 +0100
commit	f0a907a62af92ea067f4442979d2c2891e46781e (patch)
tree	35f824ae090aad2b151c0193659e043240821861
parent	lokCalcRTL: fix chart insertion position (diff)
download	core-f0a907a62af92ea067f4442979d2c2891e46781e.tar.gz core-f0a907a62af92ea067f4442979d2c2891e46781e.zip