sc/source/core/tool/reffind.cxx |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit c7c7f1c39630890f0c6eadbf9cd44b3ba88f9d81
Author:     Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Tue Apr 11 10:35:36 2023 +0200
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Tue Apr 11 20:39:03 2023 +0200

    Fix heap-buffer-overflow
    
    ...during CppunitTest_sc_ucalc, after 
40e3e9fd1c501cc1978d4370b6392701ccd42a71
    "tdf#113027 - Allow cycling cell reference types including whitespaces",
    
    > ==5140==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x604000cfba74 at pc 0x7f36cb07ef6e bp 0x7ffd061d34d0 sp 0x7ffd061d34c8
    > READ of size 2 at 0x604000cfba74 thread T0
    >     #0 0x7f36cb07ef6d in (anonymous namespace)::FindEndPosR1C1(char16_t 
const*, int, int) /sc/source/core/tool/reffind.cxx:91:13
    >     #1 0x7f36cb07cf0f in (anonymous namespace)::FindEndPos(char16_t 
const*, int, int, formula::FormulaGrammar::AddressConvention) 
/sc/source/core/tool/reffind.cxx:126:20
    >     #2 0x7f36cb07b029 in ScRefFinder::ToggleRel(int, int) 
/sc/source/core/tool/reffind.cxx:262:28
    >     #3 0x7f36c7b8482b in testTdf113027::TestBody() 
/sc/qa/unit/ucalc.cxx:467:13
    >
    > 0x604000cfba74 is located 0 bytes to the right of 36-byte region 
[0x604000cfba50,0x604000cfba74)
    > allocated by thread T0 here:
    >     #0 0x4b7c20 in malloc 
/home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    >     #1 0x7f371b927c59 in _rtl_uString* rtl::str::Alloc<_rtl_uString>(int) 
/sal/rtl/strtmpl.hxx:833:46
    >     #2 0x7f371b92640f in void 
rtl::str::newFromStr_WithLength<_rtl_uString, char>(_rtl_uString**, char 
const*, int, int) /sal/rtl/strtmpl.hxx:947:15
    >     #3 0x7f371b9797f0 in rtl_uString_newFromLiteral 
/sal/rtl/ustring.cxx:1252:5
    >     #4 0x7f36c7dab771 in rtl::OUString::OUString<char const [14]>(char 
const (&) [14], rtl::libreoffice_internal::ConstCharArrayDetector<char const 
[14], rtl::libreoffice_internal::Dummy>::Type) /include/rtl/ustring.hxx:365:13
    >     #5 0x7f36c7b843e8 in testTdf113027::TestBody() 
/sc/qa/unit/ucalc.cxx:462:31
    
    (<https://ci.libreoffice.org/job/lo_ubsan/2739/>)
    
    Change-Id: Ie8d053cdb56bdf00bf21663b05521eca632ddfbc
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150219
    Reviewed-by: Andreas Heinisch <andreas.heini...@yahoo.de>
    Tested-by: Jenkins
    (cherry picked from commit dc80c92a1e63fd88560fd77261b96f6c5be97273)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150199
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sc/source/core/tool/reffind.cxx b/sc/source/core/tool/reffind.cxx
index c2851c7ff247..63c53a4f5e57 100644
--- a/sc/source/core/tool/reffind.cxx
+++ b/sc/source/core/tool/reffind.cxx
@@ -91,7 +91,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32 
nStartPos, sal_Int32 nE
         if (*p == '\'')
         {
             // Skip until the closing quote.
-            for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+            for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
                 if (*p == '\'')
                     break;
             if (nNewEnd > nEndPos)
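Review bot: The corrected loop depends on `p` and `nNewEnd` advancing in lockstep, but nothing in the code states that invariant, so the original fault (bumping `p` alone in the init clause, which read one element past the buffer once `nNewEnd == nEndPos`) could easily be reintroduced; add above the loop `// Advance p and nNewEnd together: nNewEnd appears to be the offset of *p, so the loop must not read past nEndPos.` The identical loop sits in the `[` branch of the second hunk, and a single `static` helper taking the terminator character (`'\''` or `']'`) by value and `p`/`nNewEnd` by reference would stop the two copies from drifting apart again. FindEndPosR1C1 starts before the hunk, and the `if (nNewEnd > nEndPos)` handling on its last line continues past it.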
@@ -100,7 +100,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32 
nStartPos, sal_Int32 nE
         else if (*p == '[')
         {
             // Skip until the closing bracket.
-            for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+            for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
                 if (*p == ']')
                     break;
             if (nNewEnd > nEndPos)
