From e095af113f72e53b984c2862e9ff0e9bf1da3e4a Mon Sep 17 00:00:00 2001 
From: Michael Meeks Date: Sat, 8 Jun 2024 14:38:34 +0100 Subject: [PATCH] Avoid potential negative array index access to cached text. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit if ((nIndex != 0 || nLen != text.getLength()) && !skipGlyphSubsets) seems unlikely to protect us from this: /opt/rh/devtoolset-12/root/usr/include/c++/12/string_view:239: constexpr const std::basic_string_view<_CharT, _Traits>::value_type& std::basic_string_view<_CharT, _Traits>::operator[](size_type) const [with _CharT = char16_t; _Traits = std::char_traits; const_reference = const char16_t&; size_type = long unsigned int]: Assertion '__pos < this->_M_len' failed. coolwsd[16958] ... SIG Fatal signal received: SIGABRT code: 18446744073709551610 for address: 0x7300004e16 SalLayoutGlyphsCache::GetLayoutGlyphs(VclPtr, rtl::OUString const&, int, int, long, vcl::text::TextLayoutCache const*) /home/collabora/jenkins/workspace/build_core_co-24.04_for_online_snapshot/vcl/source/gdi/impglyphitem.cxx:399 GetTextArray(OutputDevice const&, rtl::OUString const&, KernArray&, int, int, bool, vcl::text::TextLayoutCache const*) /home/collabora/jenkins/workspace/build_core_co-24.04_for_online_snapshot/include/rtl/ref.hxx:128 SwFntObj::GetTextSize(SwDrawTextInfo&) /home/collabora/jenkins/workspace/build_core_co-24.04_for_online_snapshot/sw/source/core/txtnode/fntcache.cxx:766 SwSubFont::GetTextSize_(SwDrawTextInfo&) /home/collabora/jenkins/workspace/build_core_co-24.04_for_online_snapshot/sw/source/core/txtnode/swfont.cxx:1022 SwTextSizeInfo::GetTextSize() const /home/collabora/jenkins/workspace/build_core_co-24.04_for_online_snapshot/sw/source/core/inc/swfont.hxx:314 blind fix - but seeing a lot of these. 
Change-Id: Icb6ca25e4b8c6ef8a5e5b89dfa01b56bb788378d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168575
Tested-by: Jenkins CollaboraOffice
Tested-by: Caolán McNamara
Reviewed-by: Caolán McNamara
---
 vcl/source/gdi/impglyphitem.cxx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vcl/source/gdi/impglyphitem.cxx b/vcl/source/gdi/impglyphitem.cxx
index ca8016a1925d..e50948077f45 100644
--- a/vcl/source/gdi/impglyphitem.cxx
+++ b/vcl/source/gdi/impglyphitem.cxx
@@ -379,7 +379,7 @@ SalLayoutGlyphsCache::GetLayoutGlyphs(VclPtr outputDevice, c
 if (mLastSubstringKey.has_value() && !bAbortOnFontSubstitute)
 {
 sal_Int32 pos = nIndex;
- if (mLastSubstringKey->len < pos && text[pos - 1] == nbSpace)
+ if (mLastSubstringKey->len < pos && pos > 0 && text[pos - 1] == nbSpace)
 --pos; // Writer skips a non-breaking space, so skip that character too.
 if ((mLastSubstringKey->len == pos || mLastSubstringKey->index == nIndex)
 && mLastSubstringKey
-- 
2.11.4.GIT
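Review bot: The added `pos > 0` guard on the `text[pos - 1]` read only closes the negative side, while the assertion quoted in the commit message (`__pos < this->_M_len`) also fires when `pos - 1` is at or past the end of `text`, which nothing in this condition excludes when `nIndex` exceeds `text.getLength()`. If `mLastSubstringKey->len` is a non-negative signed count, `len < pos` already implies `pos > 0`, so the new check may not change anything for the reported crash; I would bound the upper side as well: `if (mLastSubstringKey->len < pos && pos > 0 && pos <= text.getLength() && text[pos - 1] == nbSpace)`. Since the message itself calls this a blind fix, an `assert(nIndex >= 0 && nIndex <= text.getLength())` (or an early return) near the top of the function would make the violated precondition visible at its source instead of letting the cache lookup proceed with an out-of-range index. GetLayoutGlyphs begins before this hunk and continues after it, so the declared type of `len` and any existing range check on `nIndex` are not visible here.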