From 63be6df7988404687c9f52cf03eba946990fe7b1 Mon Sep 17 00:00:00 2001
Message-Id: <63be6df7988404687c9f52cf03eba946990fe7b1.1350656797.git.erack@erack.de>
From: Eike Rathke <erack@erack.de>
Date: Sat, 6 Aug 2011 01:39:24 +0200
Subject: [PATCH] fdo#39869 Fix memory exhaustion with String length of
 STRLEN_MAX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"

This is a multi-part message in MIME format.
--------------erAck-patch-parts
Content-Type: text/plain; charset=UTF-8; format=fixed
Content-Transfer-Encoding: 8bit

---
 editeng/source/editeng/impedit2.cxx |   18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)


--------------erAck-patch-parts
Content-Type: text/x-patch; name="0001-fdo-39869-Fix-memory-exhaustion-with-String-length-o.patch"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="0001-fdo-39869-Fix-memory-exhaustion-with-String-length-o.patch"

diff --git a/editeng/source/editeng/impedit2.cxx b/editeng/source/editeng/impedit2.cxx
index 789caee..9c8b9c7 100644
--- a/editeng/source/editeng/impedit2.cxx
+++ b/editeng/source/editeng/impedit2.cxx
@@ -2712,21 +2712,23 @@ EditPaM ImpEditEngine::ImpInsertText( EditSelection aCurSel, const XubString& rS
     // Token LINE_SEP query,
     // since the MAC-Compiler makes something else from \n !
 
-    sal_uInt16 nStart = 0;
+    // fdo#39869 The loop run variable must be capable to hold STRLEN_MAX+1,
+    // that with STRING32 would be SAL_MAX_INT32+1 but with 16-bit is 0xFFFF+1
+    sal_uInt32 nStart = 0;
     while ( nStart < aText.Len() )
     {
-        sal_uInt16 nEnd = aText.Search( LINE_SEP, nStart );
+        sal_uInt32 nEnd = aText.Search( LINE_SEP, static_cast<xub_StrLen>(nStart) );
         if ( nEnd == STRING_NOTFOUND )
             nEnd = aText.Len(); // not dereference!
 
         // Start == End => empty line
         if ( nEnd > nStart )
         {
-            XubString aLine( aText, nStart, nEnd-nStart );
+            XubString aLine( aText, nStart, static_cast<xub_StrLen>(nEnd-nStart) );
             xub_StrLen nChars = aPaM.GetNode()->Len() + aLine.Len();
             if ( nChars > MAXCHARSINPARA )
             {
-                sal_uInt16 nMaxNewChars = MAXCHARSINPARA-aPaM.GetNode()->Len();
+                xub_StrLen nMaxNewChars = MAXCHARSINPARA-aPaM.GetNode()->Len();
                 nEnd -= ( aLine.Len() - nMaxNewChars ); // Then the characters end up in the next paragraph.
                 aLine.Erase( nMaxNewChars );            // Delete the Rest...
             }
@@ -2737,15 +2739,17 @@ EditPaM ImpEditEngine::ImpInsertText( EditSelection aCurSel, const XubString& rS
                 aPaM = aEditDoc.InsertText( aPaM, aLine );
             else
             {
-                sal_uInt16 nStart2 = 0;
+                sal_uInt32 nStart2 = 0;
                 while ( nStart2 < aLine.Len() )
                 {
-                    sal_uInt16 nEnd2 = aLine.Search( '\t', nStart2 );
+                    sal_uInt32 nEnd2 = aLine.Search( '\t', static_cast<xub_StrLen>(nStart2) );
                     if ( nEnd2 == STRING_NOTFOUND )
                         nEnd2 = aLine.Len();    // not dereference!
 
                     if ( nEnd2 > nStart2 )
-                        aPaM = aEditDoc.InsertText( aPaM, XubString( aLine, nStart2, nEnd2-nStart2 ) );
+                        aPaM = aEditDoc.InsertText( aPaM, XubString( aLine,
+                                    static_cast<xub_StrLen>(nStart2),
+                                    static_cast<xub_StrLen>(nEnd2-nStart2) ) );
                     if ( nEnd2 < aLine.Len() )
                     {
                         aPaM = aEditDoc.InsertFeature( aPaM, aTabItem );

--------------erAck-patch-parts--