sc/source/filter/qpro/qproform.cxx | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
New commits: commit e31f35c892b282258bd4ece30175e4bc48b6b823 Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Thu Oct 17 14:52:16 2019 +0200 Commit: Michael Stahl <michael.st...@cib.de> CommitDate: Fri Oct 18 11:06:19 2019 +0200 Don't use uninitialized memory when reading from the stream fails Flathub arm builds (but not other arches) had often (but not always) failed when processing sc/qa/unit/data/qpro/pass/ofz14090-1.wb2 in CppunitTest_sc_filters_test (e.g., <https://flathub.org/builds/#/builders/1/builds/724>: > Test name: ScFiltersTest::testCVEs > equality assertion failed > - Expected: 1 > - Actual : 0 > - file:///run/build/libreoffice/sc/qa/unit/data/qpro/pass/ofz14090-1.wb2 ) Valgrind revealed that this was due to using unintialized memory when the various maIn.Read... in QProToSc::Convert failed, starting with the use of uninitialized nFmla[i] after maIn.ReadUChar( nFmla[i] ); At least make things deterministic by setting the relevant variables to zero. (Another approach could be returning early with some ConvErr status.) Change-Id: I4c06aa8da5f777170cdc7bbe3ca1d61b23d3f326 Reviewed-on: https://gerrit.libreoffice.org/80947 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> (cherry picked from commit 2704b9e3783aae9d8372f2e3ad3253a2cb49ae87) Reviewed-on: https://gerrit.libreoffice.org/80956 Reviewed-by: Michael Stahl <michael.st...@cib.de>
diff --git a/sc/source/filter/qpro/qproform.cxx b/sc/source/filter/qpro/qproform.cxx
index bd1ea7fc092a..53e8d06f90d5 100644
--- a/sc/source/filter/qpro/qproform.cxx
+++ b/sc/source/filter/qpro/qproform.cxx
@@ -191,15 +191,14 @@ do { \
 ConvErr QProToSc::Convert( std::unique_ptr<ScTokenArray>& pArray )
 {
- sal_uInt8 nFmla[ nBufSize ], nArg;
+ sal_uInt8 nFmla[ nBufSize ];
 sal_uInt8 nArgArray[ nBufSize ] = {0};
 sal_Int8 nCol, nPage;
- sal_uInt16 nInt, nIntCount = 0, nStringCount = 0, nFloatCount = 0, nDLLCount = 0, nArgCount = 0;
+ sal_uInt16 nIntCount = 0, nStringCount = 0, nFloatCount = 0, nDLLCount = 0, nArgCount = 0;
 sal_uInt16 nIntArray[ nBufSize ] = {0};
 OUString sStringArray[ nBufSize ];
- sal_uInt16 nDummy, nDLLId;
 sal_uInt16 nDLLArray[ nBufSize ] = {0};
- sal_uInt16 nNote, nRef, nRelBits;
+ sal_uInt16 nNote, nRelBits;
 TokenId nPush;
 ScComplexRefData aCRD;
 ScSingleRefData aSRD;
@@ -210,16 +209,19 @@ ConvErr QProToSc::Convert( std::unique_ptr<ScTokenArray>& pArray )
 aCRD.InitFlags();
 aSRD.InitFlags();
+ sal_uInt16 nRef = 0;
 maIn.ReadUInt16( nRef );
 if( nRef < nBufSize )
 {
 for( sal_uInt16 i=0; i < nRef; i++)
 {
+ nFmla[i] = 0;
 maIn.ReadUChar( nFmla[i] );
 if( nFmla[ i ] == 0x05 )
 {
+ sal_uInt16 nInt = 0;
 maIn.ReadUInt16( nInt );
 nIntArray[ nIntCount ] = nInt;
 SAFEDEC_OR_RET(nRef, 2, ConvErr::Count);
@@ -228,7 +230,7 @@ ConvErr QProToSc::Convert( std::unique_ptr<ScTokenArray>& pArray )
 if( nFmla[ i ] == 0x00 )
 {
- double nFloat;
+ double nFloat = 0;
 maIn.ReadDouble( nFloat );
 nFloatArray[ nFloatCount ] = nFloat;
 SAFEDEC_OR_RET(nRef, 8, ConvErr::Count);
@@ -237,6 +239,8 @@ ConvErr QProToSc::Convert( std::unique_ptr<ScTokenArray>& pArray )
 if( nFmla[ i ] == 0x1a )
 {
+ sal_uInt8 nArg = 0;
+ sal_uInt16 nDummy, nDLLId = 0;
 maIn.ReadUChar( nArg ).ReadUInt16( nDummy ).ReadUInt16( nDLLId );
 nArgArray[ nArgCount ] = nArg;
 nDLLArray[ nDLLCount ] = nDLLId;
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
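Review bot: In the first hunk `sal_Int8 nCol, nPage;` and `sal_uInt16 nNote, nRelBits;` are still declared without initializers, while every other variable this commit touches is now zeroed. Convert continues beyond the visible hunks, so this cannot be confirmed from here, but if these four are also filled by `maIn.Read...` calls they keep the same indeterminate-value problem when a read fails. Giving them the same treatment, e.g. `sal_Int8 nCol = 0, nPage = 0;` and `sal_uInt16 nNote = 0, nRelBits = 0;`, or moving each declaration next to its read as done for nInt and nArg, would close that gap.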
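Review bot: With `nFmla[i] = 0;` in the second hunk, a failed `maIn.ReadUChar( nFmla[i] )` leaves the opcode at 0x00, which the `if( nFmla[ i ] == 0x00 )` branch in the third hunk handles as a float token. As far as the visible branches show, a truncated stream is therefore parsed deterministically as zero-valued floats rather than rejected. For an import filter fed untrusted files it is safer to stop at the first failed read, which the commit message itself names as the alternative. Assuming maIn is an SvStream, a check such as `if( !maIn.good() ) return ConvErr::Count;` after the read would do it (or a more fitting ConvErr value, if the enum has one), and the same applies to the reads in the 0x05, 0x00 and 0x1a branches. The loop body continues outside the hunk.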
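Review bot: In the last hunk `sal_uInt16 nDummy, nDLLId = 0;` initializes only nDLLId; the `= 0` does not apply to nDummy, which stays indeterminate if the chained `ReadUInt16( nDummy )` fails. The visible lines never read nDummy afterwards, so this is a consistency and readability point rather than a demonstrated bug. The combined declaration is easy to misread as zeroing both, though, and it would be clearer as one declaration per line: `sal_uInt16 nDummy = 0;` and `sal_uInt16 nDLLId = 0;`. The 0x1a branch continues outside the hunk.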