From 3fc4211a0f25543a947f1d47153f7c0a0be01a4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Thu, 26 Oct 2017 09:13:03 +0100
Subject: [PATCH] ofz#3811 Integer-overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Ia08ac1ae46d4af6df7b0a590752e17a6d9a6836e
Reviewed-on: https://gerrit.libreoffice.org/43869
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 filter/source/msfilter/svdfppt.cxx | 49 ++++++++++++++----------------
 1 file changed, 22 insertions(+), 27 deletions(-)

diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx
index 5e6cfcca21a0..9d9b08b5b88f 100644
--- a/filter/source/msfilter/svdfppt.cxx
+++ b/filter/source/msfilter/svdfppt.cxx
@@ -6703,35 +6703,30 @@ PPTTextObj::PPTTextObj( SvStream& rIn, SdrPowerPointImport& rSdrPowerPointImport
                                         sal_uInt32 nCharIdx = pSpecInfo->nCharIdx;
 
                                         // portions and text have to been splitted in some cases
-                                        for ( ; nI < aStyleTextPropReader.aCharPropList.size(); )
+                                        for ( ; nI < aStyleTextPropReader.aCharPropList.size(); ++nI)
                                         {
-                                            PPTCharPropSet* pSet = aStyleTextPropReader.aCharPropList[ nI ];
-                                            if ( pSet->mnOriginalTextPos < nCharIdx )
-                                            {
-                                                pSet->mnLanguage[ 0 ] = pSpecInfo->nLanguage[ 0 ];
-                                                pSet->mnLanguage[ 1 ] = pSpecInfo->nLanguage[ 1 ];
-                                                pSet->mnLanguage[ 2 ] = pSpecInfo->nLanguage[ 2 ];
-                                                // test if the current portion needs to be splitted
-                                                if ( pSet->maString.getLength() > 1 )
-                                                {
-                                                    sal_Int32 nIndexOfNextPortion = pSet->maString.getLength() + pSet->mnOriginalTextPos;
-                                                    sal_Int32 nNewLen = nIndexOfNextPortion - nCharIdx;
-                                                    sal_Int32 nOldLen = pSet->maString.getLength() - nNewLen;
-
-                                                    if ( ( nNewLen > 0 ) && ( nOldLen > 0 ) )
-                                                    {
-                                                        OUString aString( pSet->maString );
-                                                        PPTCharPropSet* pNew = new PPTCharPropSet( *pSet );
-                                                        pSet->maString = aString.copy( 0, nOldLen);
-                                                        pNew->maString = aString.copy( nOldLen, nNewLen);
-                                                        pNew->mnOriginalTextPos += nOldLen;
-                                                        aStyleTextPropReader.aCharPropList.insert( aStyleTextPropReader.aCharPropList.begin() + nI + 1, pNew );
-                                                    }
-                                                }
-                                            }
-                                            else
+                                            PPTCharPropSet* pSet = aStyleTextPropReader.aCharPropList[nI];
+                                            if (pSet->mnOriginalTextPos >= nCharIdx)
                                                 break;
-                                            nI++;
+                                            pSet->mnLanguage[0] = pSpecInfo->nLanguage[0];
+                                            pSet->mnLanguage[1] = pSpecInfo->nLanguage[1];
+                                            pSet->mnLanguage[2] = pSpecInfo->nLanguage[2];
+                                            // test if the current portion needs to be splitted
+                                            if (pSet->maString.getLength() <= 1)
+                                                continue;
+                                            sal_Int32 nIndexOfNextPortion = pSet->maString.getLength() + pSet->mnOriginalTextPos;
+                                            sal_Int32 nNewLen = nIndexOfNextPortion - nCharIdx;
+                                            if (nNewLen <= 0)
+                                                continue;
+                                            sal_Int32 nOldLen = pSet->maString.getLength() - nNewLen;
+                                            if (nOldLen <= 0)
+                                                continue;
+                                            OUString aString(pSet->maString);
+                                            PPTCharPropSet* pNew = new PPTCharPropSet(*pSet);
+                                            pSet->maString = aString.copy(0, nOldLen);
+                                            pNew->maString = aString.copy(nOldLen, nNewLen);
+                                            pNew->mnOriginalTextPos += nOldLen;
+                                            aStyleTextPropReader.aCharPropList.insert(aStyleTextPropReader.aCharPropList.begin() + nI + 1, pNew);
                                         }
                                     }
                                 }