From 008275d56f9ac5248f0e94f606671b4c1993ca20 Mon Sep 17 00:00:00 2001
From: Miklos Vajna <vmiklos@suse.cz>
Date: Wed, 3 Apr 2013 17:36:26 +0200
Subject: fdo#51916 out of bounds substring access

Change-Id: I7db46ef17b8aed443faa7eb0c13b6ba109242cc1
---
 writerfilter/source/rtftok/rtfdocumentimpl.cxx | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'writerfilter')

diff --git a/writerfilter/source/rtftok/rtfdocumentimpl.cxx b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
index 0714b1579a68..d10a5a0b7951 100644
--- a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+++ b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
@@ -3940,11 +3940,14 @@ int RTFDocumentImpl::popState()
                 // extract default text
                 nLength = aStr.toChar();
                 aStr = aStr.copy(1);
-                OString aDefaultText = aStr.copy(0, nLength);
                 RTFValue::Pointer_t pNValue(new RTFValue(OStringToOUString(aName, aState.nCurrentEncoding)));
                 m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFData_name, pNValue);
-                RTFValue::Pointer_t pDValue(new RTFValue(OStringToOUString(aDefaultText, aState.nCurrentEncoding)));
-                m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFTextInput_default, pDValue);
+                if (nLength > 0)
+                {
+                    OString aDefaultText = aStr.copy(0, nLength);
+                    RTFValue::Pointer_t pDValue(new RTFValue(OStringToOUString(aDefaultText, aState.nCurrentEncoding)));
+                    m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFTextInput_default, pDValue);
+                }
 
                 m_bFormField = false;
             }
-- 
cgit