From e34b40bcd923027a26540e1a215c155ed0753472 Mon Sep 17 00:00:00 2001
Message-Id:
From: Eike Rathke
Date: Tue, 19 Feb 2013 19:22:27 +0100
Subject: [PATCH] do not access vector elements beyond size, rhbz#847519 related
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
This is a multi-part message in MIME format.
--------------erAck-patch-parts
Content-Type: text/plain; charset=UTF-8; format=fixed
Content-Transfer-Encoding: 8bit
The actual bug (crash) is not triggered anymore because the categories are assembled differently, nevertheless the code in question could expose the same behavior under different preconditions.
Change-Id: Ic37f6b34effaf4e5252e80aab46b021547b36efb
(cherry picked from commit d1ba2cd612a4c39976e2980c7dc4e3fa38c88470)
---
 chart2/source/tools/ExplicitCategoriesProvider.cxx | 24 ++++++++++++-------
 1 files changed, 15 insertions(+), 9 deletions(-)
--------------erAck-patch-parts
Content-Type: text/x-patch; name="0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch"
diff --git a/chart2/source/tools/ExplicitCategoriesProvider.cxx b/chart2/source/tools/ExplicitCategoriesProvider.cxx
index e3d800f..00b481c 100644
--- a/chart2/source/tools/ExplicitCategoriesProvider.cxx
+++ b/chart2/source/tools/ExplicitCategoriesProvider.cxx
@@ -353,11 +353,14 @@ Sequence< OUString > lcl_getExplicitSimpleCategories(
 }
 for( aOuterIt=rComplexCats.begin(); aOuterIt != aOuterEnd; ++aOuterIt )
 {
- sal_Int32 nCurrentCount = lcl_getCategoryCount( *aOuterIt );
- if( nCurrentCount< nMaxCategoryCount )
+ if ( !aOuterIt->empty() )
 {
- ComplexCategory& rComplexCategory = aOuterIt->back();
- rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount);
+ sal_Int32 nCurrentCount = lcl_getCategoryCount( *aOuterIt );
+ if( nCurrentCount< nMaxCategoryCount )
+ {
+ ComplexCategory& rComplexCategory = aOuterIt->back();
+ rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount);
+ }
 }
 }
 }
@@ -389,12 +392,15 @@ Sequence< OUString > lcl_getExplicitSimpleCategories(
 OUString aText;
 for( aOuterIt=aComplexCatsPerIndex.begin() ; aOuterIt != aOuterEnd; ++aOuterIt )
 {
- OUString aAddText = (*aOuterIt)[nN].Text;
- if( !aAddText.isEmpty() )
+ if ( static_cast(nN) < aOuterIt->size() )
 {
- if(!aText.isEmpty())
- aText += aSpace;
- aText += aAddText;
+ OUString aAddText = (*aOuterIt)[nN].Text;
+ if( !aAddText.isEmpty() )
+ {
+ if(!aText.isEmpty())
+ aText += aSpace;
+ aText += aAddText;
+ }
 }
 }
 aRet[nN]=aText;
--------------erAck-patch-parts--
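Review bot: An empty level skipped by the new `if ( !aOuterIt->empty() )` guard is also left unpadded, so after this loop it is still shorter than `nMaxCategoryCount` while every non-empty level has been extended to it. The guard is correct for memory safety, because `back()` on an empty vector is undefined behaviour, but any later reader that assumes all levels cover the same count now has to bounds-check for itself. I would record that at the guard, for example `// empty level: nothing to pad and back() would be undefined; it stays shorter than nMaxCategoryCount`. The enclosing function starts and ends outside the hunk, so which other consumers rely on equal counts cannot be confirmed from here.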
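Review bot: A level with no entry at index `nN` is now skipped silently by the size check in the inner loop, so `aRet[nN]` can be assembled from fewer levels than its neighbours and the inconsistency in `aComplexCatsPerIndex` is never reported. The check is the right fix for the unchecked `operator[]`, but a debug-only warning or assertion in an else branch would make the malformed category data visible instead of hiding it. The cast's target type is not legible on this page and the declaration of `nN` lies outside the hunk. If `nN` is signed, a short comment such as `// a negative nN converts to a large unsigned value and is rejected by the size check` would document why the cast is safe.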