sw/source/filter/md/swmd.cxx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
New commits: commit 76836e39caf91e56bf63ec9cb2b1c1acf732e6b9 Author: Stephan Bergmann <[email protected]> AuthorDate: Tue Feb 17 08:15:41 2026 +0100 Commit: Stephan Bergmann <[email protected]> CommitDate: Tue Feb 17 09:37:20 2026 +0100 Avoid heap-buffer-overflow internally in md4c ...as seen during CppunitTest_sw_filter_md, > ==1418747==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7b9a07967527 at pc 0x560f1d4a7b22 bp 0x7ffdd9a75f10 sp 0x7ffdd9a756d0 > READ of size 24 at 0x7b9a07967527 thread T0 > #0 in strcspn at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:806:5 > #1 in md_analyze_line at workdir/UnpackedTarball/md4c/src/md4c.c:6230:26 > #2 in md_process_doc at workdir/UnpackedTarball/md4c/src/md4c.c:6404:18 > #3 in md_parse at workdir/UnpackedTarball/md4c/src/md4c.c:6483:11 > #4 in SwMarkdownParser::CallParser() at sw/source/filter/md/swmd.cxx:955:18 > #5 in MarkdownReader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) at sw/source/filter/md/swmd.cxx:838:19 > #6 in SwReader::Read(Reader const&) at sw/source/filter/basflt/shellio.cxx:209:26 > #7 in SwDocShell::ConvertFrom(SfxMedium&) at sw/source/uibase/app/docsh.cxx:230:29 > #8 in SfxObjectShell::DoLoad(SfxMedium*) at sfx2/source/doc/objstor.cxx:786:27 > #9 in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sfx2/source/doc/sfxbasemodel.cxx:1982:36 > #10 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:774:28 > #11 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1180:37 > #12 in framework::LoadEnv::start() at framework/source/loadenv/loadenv.cxx:416:20 > #13 in framework::LoadEnv::startLoading(rtl::OUString const&, 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, rtl::OUString const&, int, LoadEnvFeatures) at framework/source/loadenv/loadenv.cxx:312:5 > #14 in framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/loadenv/loadenv.cxx:168:14 > #15 in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx:594:16 > #16 in non-virtual thunk to framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx > #17 in unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at unotest/source/cpp/macros_test.cxx:75:62 > #18 in UnoApiTest::loadFromURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, char const*) at test/source/unoapi_test.cxx:271:19 > #19 in SwModelTestBase::loadURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, char const*) at sw/qa/unit/swmodeltestbase.cxx:382:5 > #20 in SwModelTestBase::createSwDoc(char const*, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, char const*) at sw/qa/unit/swmodeltestbase.cxx:423:9 > #21 in testBlockQuoteMdImport::TestBody() at sw/qa/filter/md/md.cxx:418:5 > > 0x7b9a07967527 is located 0 bytes after 23-byte region 
[0x7b9a07967510,0x7b9a07967527) > allocated by thread T0 here: > #0 in operator new[](unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:111:37 > #1 in SwMarkdownParser::CallParser() at sw/source/filter/md/swmd.cxx:924:26 > #2 in MarkdownReader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) at sw/source/filter/md/swmd.cxx:838:19 > #3 in SwReader::Read(Reader const&) at sw/source/filter/basflt/shellio.cxx:209:26 > #4 in SwDocShell::ConvertFrom(SfxMedium&) at sw/source/uibase/app/docsh.cxx:230:29 > #5 in SfxObjectShell::DoLoad(SfxMedium*) at sfx2/source/doc/objstor.cxx:786:27 > #6 in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sfx2/source/doc/sfxbasemodel.cxx:1982:36 > #7 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:774:28 > #8 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1180:37 > #9 in framework::LoadEnv::start() at framework/source/loadenv/loadenv.cxx:416:20 > #10 in framework::LoadEnv::startLoading(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, rtl::OUString const&, int, LoadEnvFeatures) at framework/source/loadenv/loadenv.cxx:312:5 > #11 in framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/loadenv/loadenv.cxx:168:14 > #12 in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx:594:16 > #13 in non-virtual thunk to framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx > #14 in unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at unotest/source/cpp/macros_test.cxx:75:62 > #15 in UnoApiTest::loadFromURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, char const*) at test/source/unoapi_test.cxx:271:19 > #16 in SwModelTestBase::loadURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, char const*) at sw/qa/unit/swmodeltestbase.cxx:382:5 > #17 in SwModelTestBase::createSwDoc(char const*, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, char const*) at sw/qa/unit/swmodeltestbase.cxx:423:9 > #18 in testBlockQuoteMdImport::TestBody() at sw/qa/filter/md/md.cxx:418:5 Change-Id: I16c38a59a5c27d83906ec765c5382b2d2bf375e4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/199515 Reviewed-by: Stephan Bergmann <[email protected]> Tested-by: Jenkins
diff --git a/sw/source/filter/md/swmd.cxx b/sw/source/filter/md/swmd.cxx
index 71ca58dbc443..1b410ab17448 100644
--- a/sw/source/filter/md/swmd.cxx
+++ b/sw/source/filter/md/swmd.cxx
@@ -921,8 +921,12 @@ ErrCode SwMarkdownParser::CallParser()
 if (sUtf8Data.getLength())
 {
 m_nFilesize = sUtf8Data.getLength();
- m_pArr.reset(new char[m_nFilesize]);
+ m_pArr.reset(new char[m_nFilesize + 1]);
 memcpy(m_pArr.get(), sUtf8Data.getStr(), m_nFilesize);
+ //HACK: At least the implementation of md4c 0.5.2 apparently expects the passed-in
+ // memory to be null-terminated (it calls e.g. strcspn on it), so pass in an additional
+ // byte:
+ m_pArr[m_nFilesize] = 0;
 }
 else
 {
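Review bot: The `//HACK` comment in the `if` branch does not record the invariant this workaround depends on, or the condition under which it can be removed. The buffer is now `m_nFilesize + 1` bytes, but the size handed to `md_parse` (outside this hunk) presumably has to stay `m_nFilesize`, so that the guard byte is never parsed as document content. I would extend the comment along the lines of `// Buffer = m_nFilesize input bytes + 1 NUL guard byte; keep passing m_nFilesize as the size to md_parse. Drop once the bundled md4c no longer reads past the given size.` The guard byte only stops over-reads by routines that halt at NUL, such as the `strcspn` in the ASan trace, and only at this call site. Since this filter parses untrusted Markdown, the out-of-bounds read itself still wants fixing or patching in the bundled md4c. The `else` branch and the rest of `CallParser()` lie outside the hunk, so how empty input reaches md4c cannot be checked from here.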
