jimjag pushed a commit to branch AOO41X
in repository https://gitbox.apache.org/repos/asf/openoffice.git
The following commit(s) were added to refs/heads/AOO41X by this push:
new ccdf8a5538 Fix crash, uninitialized-return, and buffer bugs in update
check and macOS x86 bridge
commit ccdf8a5538941ccdf1bbcd656559403987847727
Author: Jim Jagielski <[email protected]>
AuthorDate: Mon Jun 8 05:03:15 2026 -0400
Fix crash, uninitialized-return, and buffer bugs in update check and macOS
x86 bridge
updateprotocol.cxx: guard XNodeList dereferences so a swallowed
XPathException no longer leaves a null reference to be dereferenced
(crash on malformed/hostile update descriptors); clear the list before
the relnote query so a thrown exception can't leave us iterating the
previous (sources) node list.
cpp2uno.cxx: the queryInterface fast-path guard used 'break', which
exited the switch and skipped the default case, returning an
uninitialized typelib_TypeClass. Guard the block with
'if (bHasHiddenReturn)' instead so control falls through to default and
eRet is always assigned.
updatecheck.cxx (getImageFromFileName): use bitwise '|' instead of
logical '||' when combining osl_Process flags; rewrite the trailing
CR/LF trim so it never reads/writes before the start of the buffer
(e.g. when osl_readFile returns 0 bytes).
Co-Authored-By: Claude Opus 4.8 <[email protected]>
---
.../source/cpp_uno/s5abi_macosx_x86-64/cpp2uno.cxx | 12 +++++++-----
main/extensions/source/update/check/updatecheck.cxx | 16 ++++++++--------
main/extensions/source/update/check/updateprotocol.cxx | 8 ++++++--
3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/main/bridges/source/cpp_uno/s5abi_macosx_x86-64/cpp2uno.cxx
b/main/bridges/source/cpp_uno/s5abi_macosx_x86-64/cpp2uno.cxx
index 533adb9740..ca7ab6e15d 100644
--- a/main/bridges/source/cpp_uno/s5abi_macosx_x86-64/cpp2uno.cxx
+++ b/main/bridges/source/cpp_uno/s5abi_macosx_x86-64/cpp2uno.cxx
@@ -339,11 +339,13 @@ extern "C" typelib_TypeClass cpp_vtable_call(
eRet = typelib_TypeClass_VOID;
break;
case 0: // queryInterface() opt
- // Only apply when hidden return is present:
- // gpreg[0]=ret, gpreg[1]=this, gpreg[2]=type
- // Without hidden return gpreg[2] is not the
type arg.
- if ( !bHasHiddenReturn )
- break;
+ // The fast path is only valid when a hidden
return param is
+ // present, i.e. gpreg[0]=ret, gpreg[1]=this,
gpreg[2]=type.
+ // Without it gpreg[2] is not the type arg, so
we must NOT take
+ // the shortcut. Note: we deliberately fall
through to default
+ // (not break) so the generic queryInterface()
is performed and
+ // eRet is always assigned.
+ if ( bHasHiddenReturn )
{
typelib_TypeDescription * pTD = 0;
TYPELIB_DANGER_GET( &pTD,
reinterpret_cast<Type *>( gpreg[2] )->getTypeLibType() );
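Review bot: The fall-through into `default:` that the new `if ( bHasHiddenReturn )` relies on is not marked at the point where it happens; the explanatory comment sits above the `if`, and the `default:` label itself lies outside the hunk, so a later reader (or `-Wimplicit-fallthrough`) sees an unannotated case fall-through, and the obvious "fix" of adding `break;` would bring back the uninitialized `eRet`. I would put a one-line `// fall through: no hidden return, use the generic queryInterface()` immediately before `default:`. Independently of the switch shape, initialising `eRet` at its declaration (also outside the hunk), e.g. `typelib_TypeClass eRet = typelib_TypeClass_VOID;`, would at least turn a silent uninitialized read into a deterministic value if another case is added later. Whether the success path inside the `if` block ends by assigning `eRet` and breaking cannot be confirmed from the hunk, and `cpp_vtable_call` begins and ends outside it.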
diff --git a/main/extensions/source/update/check/updatecheck.cxx
b/main/extensions/source/update/check/updatecheck.cxx
index 90152bff5e..d8219bc8d1 100644
--- a/main/extensions/source/update/check/updatecheck.cxx
+++ b/main/extensions/source/update/check/updatecheck.cxx
@@ -157,7 +157,7 @@ rtl::OUString getImageFromFileName(const rtl::OUString&
aFile)
oslProcessError rc = osl_executeProcess_WithRedirectedIO(
aUnpackPath.pData, // [in] Image
name
&aSystemPath.pData, 1, // [in]
Arguments
- osl_Process_WAIT || osl_Process_NORMAL, // [in] Options
+ osl_Process_WAIT | osl_Process_NORMAL, // [in] Options
NULL, // [in]
Security
NULL, // [in]
Working directory
NULL, 0, // [in]
Environment variables
@@ -181,14 +181,14 @@ rtl::OUString getImageFromFileName(const rtl::OUString&
aFile)
rtl::OUString aImageName;
while( osl_File_E_None == osl_readFile(hOut, szBuffer,
nBytesToRead, &nBytesRead) )
{
+ // strip trailing CR/LF, but never read/write before
the
+ // start of the buffer (e.g. when nBytesRead == 0)
sal_Char *pc = szBuffer + nBytesRead;
- do
- {
- *pc = '\0'; --pc;
- }
- while( ('\n' == *pc) || ('\r' == *pc) );
-
- aImageName += rtl::OUString(szBuffer, pc - szBuffer +
1, osl_getThreadTextEncoding());
+ while( pc > szBuffer && ( '\n' == *(pc-1) || '\r' ==
*(pc-1) ) )
+ --pc;
+ *pc = '\0';
+
+ aImageName += rtl::OUString(szBuffer, pc - szBuffer,
osl_getThreadTextEncoding());
if( nBytesRead < nBytesToRead )
break;
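Review bot: `*pc = '\0';` still writes at `szBuffer + nBytesRead` whenever nothing is trimmed, so if `nBytesToRead` equals `sizeof(szBuffer)` (both declared outside the hunk) a full read makes it a one-past-the-end write; the commit fixes the underflow side of the trim but leaves this end as it was. The terminator is not needed at all, since the `rtl::OUString(szBuffer, pc - szBuffer, ...)` constructor takes an explicit length, so I would drop that line (or, if the terminator is wanted for some other reason, make sure `nBytesToRead <= sizeof(szBuffer) - 1`). Note also that each chunk is converted separately with `osl_getThreadTextEncoding()`, so a multi-byte character straddling a chunk boundary would be decoded wrongly; that is pre-existing and only matters if the child's output can exceed one chunk. The `while` loop's closing brace is outside the hunk.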
diff --git a/main/extensions/source/update/check/updateprotocol.cxx
b/main/extensions/source/update/check/updateprotocol.cxx
index 2bd6d81813..4098e379b6 100644
--- a/main/extensions/source/update/check/updateprotocol.cxx
+++ b/main/extensions/source/update/check/updateprotocol.cxx
@@ -163,7 +163,8 @@ checkForUpdates(
UNISTRING("http://openoffice.bouncer.osuosl.org/?product=OpenOffice.org&os=solarissparcwjre&lang=en-US&version=2.2.1")
) );
*/
- sal_Int32 i, imax = xNodeList->getLength();
+ // xNodeList may be null if selectNodeList() above threw and
was swallowed
+ sal_Int32 i, imax = xNodeList.is() ? xNodeList->getLength() :
0;
for( i = 0; i < imax; ++i )
{
uno::Reference< xml::dom::XNode > xNode2(
xNodeList->item(i) );
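Review bot: The new `xNodeList.is()` guard covers a null list, but the item reference taken on the last line of the hunk, `xNode2`, is used after the hunk without a visible null check; `item(i)` should not return null for `i < getLength()`, yet given the commit's own "malformed/hostile descriptor" concern a `if ( !xNode2.is() ) continue;` right after it is cheap insurance. The body of the `for` loop, and `checkForUpdates` itself, continue outside the hunk, so whether such a check already exists cannot be confirmed from here.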
@@ -202,13 +203,16 @@ checkForUpdates(
o_rUpdateInfo.Description = aEntry.Description;
// Release Notes
+ // reset, so a swallowed exception below does not leave us
+ // iterating the previous (sources) node list
+ xNodeList.clear();
try {
xNodeList = xXPath->selectNodeList(xNode, aXPathExpression
+ UNISTRING("/inst:relnote"));
} catch (css::xml::xpath::XPathException &) {
// ignore
}
- imax = xNodeList->getLength();
+ imax = xNodeList.is() ? xNodeList->getLength() : 0;
for( i = 0; i < imax; ++i )
{
uno::Reference< xml::dom::XElement >
xRelNote(xNodeList->item(i), uno::UNO_QUERY);