tdf#95298: corrected some out-of-bound accesses to array

the index variable m_FrameList used to reference the current frame uses the state EMTY_FRAMELIST to mark as invalid, which is the max integer number. Thus all usages have to be secured to not use m_FrameList if set to EMPTY_FRAMELIST. This was missing in some places. the max integer number. Thus all usages have to be secured to not use m_FrameList if set to EMPTY_FRAMELIST. This was missing in some places. Reviewed-on: https://gerrit.libreoffice.org/19753Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de> Cherry-picked from f0cef70c Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8 Reviewed-on: https://gerrit.libreoffice.org/19787Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>

tdf#95298: corrected some out-of-bound accesses to array
the index variable m_FrameList used to reference the current frame uses the state EMTY_FRAMELIST to mark as invalid, which is the max integer number. Thus all usages have to be secured to not use m_FrameList if set to EMPTY_FRAMELIST. This was missing in some places. the max integer number. Thus all usages have to be secured to not use m_FrameList if set to EMPTY_FRAMELIST. This was missing in some places. Reviewed-on: https://gerrit.libreoffice.org/19753Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de> Cherry-picked from f0cef70c Change-Id: Ie1cf4ae2cb79d821f634ec78b621a2647abc61a8 Reviewed-on: https://gerrit.libreoffice.org/19787Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
6b3b080f · Armin Le Grand · Caolán McNamara · c7a52086 · 6b3b080f
Kaydet (Commit) 6b3b080f authored Kas 03, 2015 tarafından Armin Le Grand Kaydeden (comit) Caolán McNamara Kas 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

animobjs.cxx sd/source/ui/dlg/animobjs.cxx +6 -4

No files found.
--- a/sd/source/ui/dlg/animobjs.cxx
+++ b/sd/source/ui/dlg/animobjs.cxx
@@ -430,7 +430,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *, pBtn )
    SdPage*     pPage = pMyDoc->GetSdPage(0, PK_STANDARD);
    SdrObject*  pObject;

-    if (pBtn == m_pBtnRemoveBitmap)
+    // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+    if (pBtn == m_pBtnRemoveBitmap && EMPTY_FRAMELIST  != m_nCurrentFrame)
    {
        delete m_FrameList[m_nCurrentFrame].first;
        delete m_FrameList[m_nCurrentFrame].second;
@@ -449,8 +450,8 @@ IMPL_LINK( AnimationWindow, ClickRemoveBitmapHdl, void *, pBtn )

        if (m_nCurrentFrame >= m_FrameList.size())
        {
-            assert(m_FrameList.empty());
-            m_nCurrentFrame = EMPTY_FRAMELIST;
+            // tdf#95298 last frame was deleted, try to use the one before it or go on empty state
+            m_nCurrentFrame = m_FrameList.empty() ? EMPTY_FRAMELIST : m_FrameList.size() - 1;
        }
    }
    else // delete everything
@@ -539,7 +540,8 @@ IMPL_LINK_NOARG(AnimationWindow, ModifyTimeHdl)

 void AnimationWindow::UpdateControl(bool const bDisableCtrls)
 {
-    if (!m_FrameList.empty())
+    // tdf#95298 check m_nCurrentFrame for EMPTY_FRAMELIST to avoid out-of-bound array access
+    if (!m_FrameList.empty() && EMPTY_FRAMELIST != m_nCurrentFrame)
    {
        BitmapEx aBmp(*m_FrameList[m_nCurrentFrame].first);