openoffice (cont.)


Example of buffer "over-read" bug in openoffice (found by our malloc):

if (strlen(p) <= 2)
        q = p + strlen(p) - 2;
if (...) {
        manipulate 'q'
        q--;
}

then q becomes smaller than p (invalid) and later it crashes. Fix:

if (q > p)
        q--;