oox/source/drawingml/colorchoicecontext.cxx | 2 +-
sc/source/core/tool/reffind.cxx | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
New commits:
commit dc80c92a1e63fd88560fd77261b96f6c5be97273
Author: Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Tue Apr 11 10:35:36 2023 +0200
Commit: Stephan Bergmann <sberg...@redhat.com>
CommitDate: Tue Apr 11 13:38:16 2023 +0200
Fix heap-buffer-overflow
...during CppunitTest_sc_ucalc, after
40e3e9fd1c501cc1978d4370b6392701ccd42a71
"tdf#113027 - Allow cycling cell reference types including whitespaces",
> ==5140==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x604000cfba74 at pc 0x7f36cb07ef6e bp 0x7ffd061d34d0 sp 0x7ffd061d34c8
> READ of size 2 at 0x604000cfba74 thread T0
> #0 0x7f36cb07ef6d in (anonymous namespace)::FindEndPosR1C1(char16_t
const*, int, int) /sc/source/core/tool/reffind.cxx:91:13
> #1 0x7f36cb07cf0f in (anonymous namespace)::FindEndPos(char16_t
const*, int, int, formula::FormulaGrammar::AddressConvention)
/sc/source/core/tool/reffind.cxx:126:20
> #2 0x7f36cb07b029 in ScRefFinder::ToggleRel(int, int)
/sc/source/core/tool/reffind.cxx:262:28
> #3 0x7f36c7b8482b in testTdf113027::TestBody()
/sc/qa/unit/ucalc.cxx:467:13
>
> 0x604000cfba74 is located 0 bytes to the right of 36-byte region
[0x604000cfba50,0x604000cfba74)
> allocated by thread T0 here:
> #0 0x4b7c20 in malloc
/home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
> #1 0x7f371b927c59 in _rtl_uString* rtl::str::Alloc<_rtl_uString>(int)
/sal/rtl/strtmpl.hxx:833:46
> #2 0x7f371b92640f in void
rtl::str::newFromStr_WithLength<_rtl_uString, char>(_rtl_uString**, char
const*, int, int) /sal/rtl/strtmpl.hxx:947:15
> #3 0x7f371b9797f0 in rtl_uString_newFromLiteral
/sal/rtl/ustring.cxx:1252:5
> #4 0x7f36c7dab771 in rtl::OUString::OUString<char const [14]>(char
const (&) [14], rtl::libreoffice_internal::ConstCharArrayDetector<char const
[14], rtl::libreoffice_internal::Dummy>::Type) /include/rtl/ustring.hxx:365:13
> #5 0x7f36c7b843e8 in testTdf113027::TestBody()
/sc/qa/unit/ucalc.cxx:462:31
(<https://ci.libreoffice.org/job/lo_ubsan/2739/>)
Change-Id: Ie8d053cdb56bdf00bf21663b05521eca632ddfbc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150219
Reviewed-by: Andreas Heinisch <andreas.heini...@yahoo.de>
Tested-by: Jenkins
diff --git a/sc/source/core/tool/reffind.cxx b/sc/source/core/tool/reffind.cxx
index ac080ae5a56e..10522310f851 100644
--- a/sc/source/core/tool/reffind.cxx
+++ b/sc/source/core/tool/reffind.cxx
@@ -91,7 +91,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32
nStartPos, sal_Int32 nE
if (*p == '\'')
{
// Skip until the closing quote.
- for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+ for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
if (*p == '\'')
break;
if (nNewEnd > nEndPos)
@@ -100,7 +100,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32
nStartPos, sal_Int32 nE
else if (*p == '[')
{
// Skip until the closing bracket.
- for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+ for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
if (*p == ']')
break;
if (nNewEnd > nEndPos)
commit d1fec382c82f65d49008676525ad7935f8ad9098
Author: Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Tue Apr 11 10:14:37 2023 +0200
Commit: Stephan Bergmann <sberg...@redhat.com>
CommitDate: Tue Apr 11 13:38:04 2023 +0200
Avoid UB converting from double to sal_Int16
...e.g. during CppunitTest_sd_import_tests,
> /oox/source/drawingml/colorchoicecontext.cxx:280:78: runtime error: 35000
is outside the range of representable values of type 'short'
> #0 0x7f3b8abf6278 in
oox::drawingml::ColorValueContext::onCreateContext(int, oox::AttributeList
const&) /oox/source/drawingml/colorchoicecontext.cxx:280:78
> #1 0x7f3b8abf6534 in non-virtual thunk to
oox::drawingml::ColorValueContext::onCreateContext(int, oox::AttributeList
const&) /oox/source/drawingml/colorchoicecontext.cxx
> #2 0x7f3b8a94baff in
oox::core::ContextHandler2Helper::implCreateChildContext(int,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList>
const&) /oox/source/core/contexthandler2.cxx:100:34
> #3 0x7f3b8a94eabb in
oox::core::ContextHandler2::createFastChildContext(int,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList>
const&) /oox/source/core/contexthandler2.cxx:204:12
> #4 0x7f3b8a950484 in non-virtual thunk to
oox::core::ContextHandler2::createFastChildContext(int,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList>
const&) /oox/source/core/contexthandler2.cxx
> #5 0x7f3b43e81c45 in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:164:67
> #6 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #7 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #8 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #9 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #10 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #11 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #12 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #13 0x7f3b43e8299e in DOM::CElement::fastSaxify(DOM::Context&)
/unoxml/source/dom/element.cxx:181:20
> #14 0x7f3b43df8a50 in DOM::CDocument::fastSaxify(DOM::Context&)
/unoxml/source/dom/document.cxx:289:20
> #15 0x7f3b43e117af in
DOM::CDocument::fastSerialize(com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastDocumentHandler>
const&,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastTokenHandler>
const&, com::sun::star::uno::Sequence<com::sun::star::beans::StringPair>
const&,
com::sun::star::uno::Sequence<com::sun::star::beans::Pair<rtl::OUString, int> >
const&) /unoxml/source/dom/document.cxx:1023:9
> #16 0x7f3b8aa55f81 in
oox::core::XmlFilterBase::importFragment(rtl::Reference<oox::core::FragmentHandler>
const&,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastSAXSerializable>
const&) /oox/source/core/xmlfilterbase.cxx:470:23
> #17 0x7f3b8bd30d0f in
oox::ppt::PresentationFragmentHandler::importSlide(unsigned int, bool, bool)
/oox/source/ppt/presentationfragmenthandler.cxx:357:41
> #18 0x7f3b8bd3cd16 in
oox::ppt::PresentationFragmentHandler::finalizeImport()
/oox/source/ppt/presentationfragmenthandler.cxx:543:17
> #19 0x7f3b8a9f79ae in oox::core::FragmentHandler2::endDocument()
/oox/source/core/fragmenthandler2.cxx:53:5
> #20 0x7f3b548344f0 in
sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource
const&) /sax/source/fastparser/fastparser.cxx:897:36
> #21 0x7f3b54855150 in
sax_fastparser::FastSaxParser::parseStream(com::sun::star::xml::sax::InputSource
const&) /sax/source/fastparser/fastparser.cxx:1469:13
> #22 0x7f3b8a97ff11 in
oox::core::FastParser::parseStream(com::sun::star::xml::sax::InputSource
const&, bool) /oox/source/core/fastparser.cxx:121:15
> #23 0x7f3b8a9806a8 in
oox::core::FastParser::parseStream(com::sun::star::uno::Reference<com::sun::star::io::XInputStream>
const&, rtl::OUString const&) /oox/source/core/fastparser.cxx:129:5
> #24 0x7f3b8aa548a4 in
oox::core::XmlFilterBase::importFragment(rtl::Reference<oox::core::FragmentHandler>
const&, oox::core::FastParser&) /oox/source/core/xmlfilterbase.cxx:412:21
> #25 0x7f3b8aa531fd in
oox::core::XmlFilterBase::importFragment(rtl::Reference<oox::core::FragmentHandler>
const&) /oox/source/core/xmlfilterbase.cxx:342:12
> #26 0x7f3b8bcbaf54 in oox::ppt::PowerPointImport::importDocument()
/oox/source/ppt/pptimport.cxx:109:17
> #27 0x7f3b8a99493c in
oox::core::FilterBase::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /oox/source/core/filterbase.cxx:488:49
> #28 0x7f3b8bcbe067 in
oox::ppt::PowerPointImport::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /oox/source/ppt/pptimport.cxx:192:24
> #29 0x7f3b7a89c1c6 in SfxObjectShell::ImportFrom(SfxMedium&,
com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&)
/sfx2/source/doc/objstor.cxx:2272:34
> #30 0x7f3b82834e18 in sd::DrawDocShell::ImportFrom(SfxMedium&,
com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&)
/sd/source/ui/docshell/docshel4.cxx:429:39
> #31 0x7f3b7a85bd64 in SfxObjectShell::DoLoad(SfxMedium*)
/sfx2/source/doc/objstor.cxx:739:23
> #32 0x7f3b7aa63c10 in
SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /sfx2/source/doc/sfxbasemodel.cxx:1940:36
> #33 0x7f3b7b1c142c in (anonymous
namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&)
/sfx2/source/view/frmload.cxx:720:28
> #34 0x7f3b4ff0f5fb in framework::LoadEnv::impl_loadContent()
/framework/source/loadenv/loadenv.cxx:1176:37
> #35 0x7f3b4ff059fb in framework::LoadEnv::start()
/framework/source/loadenv/loadenv.cxx:412:20
> #36 0x7f3b4fefd8bc in framework::LoadEnv::startLoading(rtl::OUString
const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&,
rtl::OUString const&, int, LoadEnvFeatures)
/framework/source/loadenv/loadenv.cxx:308:5
> #37 0x7f3b4fef8c50 in
framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader>
const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext>
const&, rtl::OUString const&, rtl::OUString const&, int,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
/framework/source/loadenv/loadenv.cxx:168:14
> #38 0x7f3b4ffc334d in
framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString
const&, int,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
/framework/source/services/desktop.cxx:593:16
> #39 0x7f3b4ffc3576 in non-virtual thunk to
framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString
const&, int,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
/framework/source/services/desktop.cxx
> #40 0x7f3b5feedd95 in
unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, rtl::OUString
const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /unotest/source/cpp/macros_test.cxx:71:62
> #41 0x7f3b75b0aef9 in UnoApiTest::load(rtl::OUString const&, char
const*) /test/source/unoapi_test.cxx:115:11
> #42 0x7f3b75b0baf4 in
UnoApiTest::loadFromURL(std::basic_string_view<char16_t,
std::char_traits<char16_t> >, char const*) /test/source/unoapi_test.cxx:127:5
> #43 0x7f3b95d2f402 in SdModelTestBase::createSdImpressDoc(char
const*, char const*) /sd/qa/unit/sdmodeltestbase.hxx:54:13
> #44 0x7f3b95d025c8 in testBnc584721_1::TestBody()
/sd/qa/unit/import-tests.cxx:1281:5
(<https://ci.libreoffice.org/job/lo_ubsan/2741/>).
Presumably it was just a typo that f707834e8538c0a183716b26ebdf04381482ca6d
"oox: write color transforms to model::ColorDefinition" used 10.0 rather
than 10
as divisor.
Change-Id: I42de6daaa6db86bf4444243ec2c9173d6d514b02
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150216
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sberg...@redhat.com>
diff --git a/oox/source/drawingml/colorchoicecontext.cxx
b/oox/source/drawingml/colorchoicecontext.cxx
index 927ff41de9c0..1ee6b9afacad 100644
--- a/oox/source/drawingml/colorchoicecontext.cxx
+++ b/oox/source/drawingml/colorchoicecontext.cxx
@@ -277,7 +277,7 @@ void ColorValueContext::onStartElement( const
AttributeList& rAttribs )
else
nValue = rAttribs.getInteger(XML_val, 0);
- mpColorDefinition->maTransformations.push_back({eType,
sal_Int16(nValue / 10.0)});
+ mpColorDefinition->maTransformations.push_back({eType,
sal_Int16(nValue / 10)});
}
}
