wsd/LOOLWSD.cpp |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

New commits:
commit 03697b3bb524e7517a8f778f951ef65d05805b9f
Author:     Tor Lillqvist <t...@collabora.com>
AuthorDate: Thu Jul 16 17:42:09 2020 +0300
Commit:     Tor Lillqvist <t...@collabora.com>
CommitDate: Thu Jul 16 22:56:47 2020 +0200

    The socket inbuffer is not nul terminated
    
    We can't just call strtoul() to parse the number at the end of the
    buffer. The buffer might be followed by other digits in memory. In
    that case we would get a completely wrong mobileAppDocId which will
    lead to a crash or assertion failure.
    
    Change-Id: I71c96323faa2b069009e5eda7a7153148b78094a
    Reviewed-on: https://gerrit.libreoffice.org/c/online/+/98914
    Tested-by: Jenkins
    Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
    Reviewed-by: Tor Lillqvist <t...@collabora.com>

diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 7c353e6b1..b61649970 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -2555,7 +2555,17 @@ private:
         // The "app document id", the numeric id of the document, from the 
appDocIdCounter in CODocument.mm.
         char *space = strchr(socket->getInBuffer().data(), ' ');
         assert(space != nullptr);
-        unsigned appDocId = std::strtoul(space + 1, nullptr, 10);
+
+        // The socket buffer is not nul-terminated so we can't just call 
strtoull() on the number at
+        // its end, it might be followed in memory by more digits. Is there 
really no better way to
+        // parse the number at the end of the buffer than to copy the bytes 
into a nul-terminated
+        // buffer?
+        const size_t appDocIdLen = (socket->getInBuffer().data() + 
socket->getInBuffer().size()) - (space + 1);
+        char *appDocIdBuffer = (char *)malloc(appDocIdLen + 1);
+        memcpy(appDocIdBuffer, space + 1, appDocIdLen);
+        appDocIdBuffer[appDocIdLen] = '\0';
+        unsigned appDocId = std::strtoul(appDocIdBuffer, nullptr, 10);
+        free(appDocIdBuffer);
 
         handleClientWsUpgrade(
             request, std::string(socket->getInBuffer().data(), space - 
socket->getInBuffer().data()),
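Review bot: the `strchr(socket->getInBuffer().data(), ' ')` call kept at the top of this hunk has the same defect the commit fixes for `strtoul()`: `strchr` also scans until it hits a NUL, so on an unterminated inbuffer it can read past the end of the buffer, and `assert(space != nullptr)` is compiled out in release builds, leaving `space + 1` computed from a null pointer. Suggest bounding the search with `memchr(data, ' ', size)` and returning an error instead of asserting when no space is found. The copy can also drop the unchecked `malloc`/`free` by building `std::string appDocIdStr(space + 1, appDocIdLen)` and parsing `appDocIdStr.c_str()`, or by using `std::from_chars` on the original `[space + 1, end)` range, which needs no terminator; either answers the question the new comment asks. Minor: the comment says `strtoull()` while the code calls `strtoul()`.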
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits