engine/sc/source/core/tool/token.cxx | 2 +-
engine/vcl/source/fontsubset/cff.cxx | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 988be8de0a6422a97a6beed4bec877b83b5b0682
Author: Caolán McNamara <
caolan....@collabora.com>
AuthorDate: Sun May 24 19:04:57 2026 +0000
Commit: Caolán McNamara <
caolan....@collabora.com>
CommitDate: Sun May 24 22:44:09 2026 +0000
ofz#516218705 Bad-cast
ScExternalSingleRefToken cast to its sibling ScExternalDoubleRefToken
to call GetTableName. The fields line up so the right string came back,
but UBSan flags the vptr mismatch.
Direct call to GetString became a cast to ScExternalDoubleRefToken since:
commit 65da502b7b40bd3bcad0cfd146716e815c72d48d
Date: Thu Apr 16 12:31:01 2026 +0200
reduce virtual calling in String*Token
Signed-off-by: Caolán McNamara <
caolan....@collabora.com>
Change-Id: Id5d690fec60e52529f045779c40484df604b3e36
Reviewed-on:
https://gerrit.collaboraoffice.com/c/online/+/3170
Reviewed-by: Noel Grandin <
noel.g...@collabora.com>
Tested-by: Jenkins CPCI <
rel...@collaboraoffice.com>
diff --git a/engine/sc/source/core/tool/token.cxx b/engine/sc/source/core/tool/token.cxx
index 93f5b9eefe54..e490d7c5c9ae 100644
--- a/engine/sc/source/core/tool/token.cxx
+++ b/engine/sc/source/core/tool/token.cxx
@@ -563,7 +563,7 @@ FormulaTokenRef extendRangeReference( ScSheetLimits& rLimits, FormulaToken & rTo
aRef.Ref2.SetFlag3D( false);
aRef.Extend(rLimits, rRef2, rPos);
if (bExternal)
- xRes = new ScExternalDoubleRefToken( static_cast<ScExternalSingleRefToken&>(rTok1).GetFileId(), static_cast<ScExternalDoubleRefToken&>(rTok1).GetTableName(), aRef);
+ xRes = new ScExternalDoubleRefToken( static_cast<ScExternalSingleRefToken&>(rTok1).GetFileId(), static_cast<ScExternalSingleRefToken&>(rTok1).GetTableName(), aRef);
else
xRes = new ScDoubleRefToken(rLimits, aRef);
}
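Review bot: Both casts on the new `xRes = new ScExternalDoubleRefToken(...)` line are unchecked `static_cast`s of `rTok1`, so the line is correct only if `bExternal` guarantees that `rTok1` is an external single reference. The code that sets `bExternal` is outside this hunk, so that needs confirming there. Because the defect being fixed was a wrong cast target, I would bind the reference once, `auto& rExtTok = static_cast<ScExternalSingleRefToken&>(rTok1);`, and call `GetFileId()` and `GetTableName()` on it, so the two accessors cannot end up on different types again. An `assert(rTok1.GetType() == svExternalSingleRef);` ahead of it would state the assumption in debug builds. extendRangeReference starts and ends outside the hunk.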
commit 51fa2756479e99d1fc8d804d50bfd969d582ebdd
Author: Caolán McNamara <
caolan....@collabora.com>
AuthorDate: Fri May 15 14:47:43 2026 +0100
Commit: Caolán McNamara <
caolan....@collabora.com>
CommitDate: Sun May 24 22:43:50 2026 +0000
ofz: check for failure here too
Signed-off-by: Caolán McNamara <
caolan....@collabora.com>
Change-Id: Ib48de81390607918e58d200a65b869b18c58e8b1
Reviewed-on:
https://gerrit.collaboraoffice.com/c/online/+/3162
Reviewed-by: Noel Grandin <
noel.g...@collabora.com>
Tested-by: Jenkins CPCI <
rel...@collaboraoffice.com>
diff --git a/engine/vcl/source/fontsubset/cff.cxx b/engine/vcl/source/fontsubset/cff.cxx
index 7f8ce89461db..16256aedc2ce 100644
--- a/engine/vcl/source/fontsubset/cff.cxx
+++ b/engine/vcl/source/fontsubset/cff.cxx
@@ -1734,6 +1734,11 @@ RealType CffContext::readRealVal()
// nNumber * 10 + 9 must fit in S64; anything beyond is a malformed
constexpr S64 nDigitCap = (SAL_MAX_INT64 - 9) / 10;
for(;;){
+ if (mpReadPtr >= mpReadEnd) {
+ SAL_WARN("vcl.fonts.cff", "truncated CFF dict real number");
+ abandonDictParse();
+ return 0.0;
+ }
const U8 c = *(mpReadPtr++); // read nibbles
// parse high nibble
const U8 nH = c >> 4U;
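Review bot: The new early return hands back `0.0`, which is also a valid parsed real, so a caller can tell truncation from a genuine zero only through whatever state `abandonDictParse()` records. That call's effect and the callers of readRealVal are outside this hunk, so it should be confirmed that they check that state before using the value. A comment on the branch would make the contract explicit, e.g. `// ran out of input: 0.0 is a placeholder, the dict parse has been abandoned`. The guard sits at the top of each iteration, ahead of the `*(mpReadPtr++)` read, so that read is bounded by `mpReadEnd`. Any other dereference of `mpReadPtr` later in the loop body, which continues past the hunk, would need the same check.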