RTF picture sizes are 32-bit signed

...not 16-bit unsigned.  Word2007RTFSpec9.docx states "A small number of control
words take values in the range −2,147,483,648 to 2,147,483,647 (32-bit signed
integer)." and for \picwN, \pichN, \picwgoalN, and \pichgoalN it states "The N
argument is a long integer."

This was found with Clang's new -fsanitize=implicit-conversion during
CppunitTest_writerfilter_rtftok, where
writerfilter/qa/cppunittests/rtftok/data/pass/TCI-TN65GP-DDRHDLL-partial.rtf
contains "\pich81306":

> Testing file:///home/sbergman/lo/core/writerfilter/qa/cppunittests/rtftok/data/pass/TCI-TN65GP-DDRHDLL-partial.rtf:
[...]
> writerfilter/source/rtftok/rtfdispatchvalue.cxx:770:48: runtime error: implicit conversion from type 'int' of value 81306 (32-bit, signed) to type 'sal_uInt16' (aka 'unsigned short') changed the value to 15770 (16-bit, unsigned)
>  #0 in writerfilter::rtftok::RTFDocumentImpl::dispatchValue(writerfilter::rtftok::RTFKeyword, int) at writerfilter/source/rtftok/rtfdispatchvalue.cxx:770:48 (instdir/program/libwriterfilterlo.so +0xb96f2f)
>  #1 in writerfilter::rtftok::RTFTokenizer::dispatchKeyword(rtl::OString const&, bool, int) at writerfilter/source/rtftok/rtftokenizer.cxx:311:29 (instdir/program/libwriterfilterlo.so +0xd86c93)
>  #2 in writerfilter::rtftok::RTFTokenizer::resolveKeyword() at writerfilter/source/rtftok/rtftokenizer.cxx:243:12 (instdir/program/libwriterfilterlo.so +0xd84b06)
>  #3 in writerfilter::rtftok::RTFTokenizer::resolveParse() at writerfilter/source/rtftok/rtftokenizer.cxx:123:27 (instdir/program/libwriterfilterlo.so +0xd8299a)
>  #4 in writerfilter::rtftok::RTFDocumentImpl::resolve(writerfilter::Stream&) at writerfilter/source/rtftok/rtfdocumentimpl.cxx:786:27 (instdir/program/libwriterfilterlo.so +0xbf03bd)
>  #5 in RtfFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at writerfilter/source/filter/RtfFilter.cxx:144:20 (instdir/program/libwriterfilterlo.so +0x132d911)
>  #6 in RtfTest::load(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) at writerfilter/qa/cppunittests/rtftok/testrtftok.cxx:58:27 (workdir/LinkTarget/CppunitTest/libtest_writerfilter_rtftok.so +0x15c6e)
>  #7 in test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) at unotest/source/cpp/filters-test.cxx:130:20 (workdir/LinkTarget/CppunitTest/../Library/libunotest.so +0x5724c)
>  #8 in test::FiltersTest::testDir(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) at unotest/source/cpp/filters-test.cxx:155:5 (workdir/LinkTarget/CppunitTest/../Library/libunotest.so +0x57ec9)
>  #9 in RtfTest::test() at writerfilter/qa/cppunittests/rtftok/testrtftok.cxx:78:5 (workdir/LinkTarget/CppunitTest/libtest_writerfilter_rtftok.so +0x16214)

(Needs to add o3tl::clamp as a compatibility wrapper for C++17 std::clamp.)

Change-Id: I515e70a435c2585777062fd5a27d1de8ddbe1b74
Reviewed-on: https://gerrit.libreoffice.org/59038Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins

include/o3tl/clamp.hxx

+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef INCLUDED_O3TL_CLAMP_HXX
+#define INCLUDED_O3TL_CLAMP_HXX
+
+#include <sal/config.h>
+
+#include <algorithm>
+#include <cassert>
+
+#include <config_global.h>
+
+// C++17 std::clamp
+
+namespace o3tl
+{
+#if defined __cpp_lib_clamp
+
+using std::clamp;
+
+#else
+
+template <typename T> constexpr const T& clamp(const T& v, const T& lo, const T& hi)
+{
+#if HAVE_CXX14_CONSTEXPR
+    assert(!(hi < lo));
+#endif
+    return v < lo ? lo : (hi < v ? hi : v);
+}
+
+#endif
+}
+
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */

writerfilter/source/rtftok/rtfdocumentimpl.cxx

@@ -14,6 +14,7 @@
 #include <com/sun/star/lang/XServiceInfo.hpp>
 #include <com/sun/star/text/WrapTextMode.hpp>
 #include <com/sun/star/text/TextContentAnchorType.hpp>
+#include <o3tl/clamp.hxx>
 #include <unotools/ucbstreamhelper.hxx>
 #include <unotools/streamwrap.hxx>
 #include <com/sun/star/drawing/XDrawPageSupplier.hpp>
@@ -875,8 +876,12 @@ void RTFDocumentImpl::resolvePict(bool const bInline, uno::Reference<drawing::XS
     uno::Reference<io::XInputStream> xInputStream(new utl::OInputStreamWrapper(pStream));
     WmfExternal aExtHeader;
     aExtHeader.mapMode = m_aStates.top().aPicture.eWMetafile;
-    aExtHeader.xExt = m_aStates.top().aPicture.nWidth;
-    aExtHeader.yExt = m_aStates.top().aPicture.nHeight;
+    aExtHeader.xExt = sal_uInt16(
+        o3tl::clamp<sal_Int32>(m_aStates.top().aPicture.nWidth, 0,
+                               SAL_MAX_UINT16)); //TODO: better way to handle out-of-bounds values?
+    aExtHeader.yExt = sal_uInt16(
+        o3tl::clamp<sal_Int32>(m_aStates.top().aPicture.nHeight, 0,
+                               SAL_MAX_UINT16)); //TODO: better way to handle out-of-bounds values?
     WmfExternal* pExtHeader = &aExtHeader;
     uno::Reference<lang::XServiceInfo> xServiceInfo(m_aStates.top().aDrawingObject.xShape,
                                                     uno::UNO_QUERY);

writerfilter/source/rtftok/rtfdocumentimpl.hxx

@@ -226,10 +226,10 @@ class RTFPicture : public virtual SvRefBase
 {
 public:
     RTFPicture();
-    sal_uInt16 nWidth = 0;
-    sal_uInt16 nHeight = 0;
-    sal_uInt16 nGoalWidth = 0;
-    sal_uInt16 nGoalHeight = 0;
+    sal_Int32 nWidth = 0;
+    sal_Int32 nHeight = 0;
+    sal_Int32 nGoalWidth = 0;
+    sal_Int32 nGoalHeight = 0;
     sal_uInt16 nScaleX = 100;
     sal_uInt16 nScaleY = 100;
     short nCropT = 0;