[Libreoffice-bugs] [Bug 127648] LO on Linux crashes when accessing opend/locked File on SAMBA network share

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Fri Sep 20 22:24:23 UTC 2019


https://bugs.documentfoundation.org/show_bug.cgi?id=127648

Julien Nabet <serval2412 at yahoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|1                           |0
                 CC|                            |noelgrandin at gmail.com,
                   |                            |sbergman at redhat.com
             Status|NEEDINFO                    |UNCONFIRMED
           See Also|                            |https://bugs.documentfoundation.org/show_bug.cgi?id=113099

--- Comment #6 from Julien Nabet <serval2412 at yahoo.fr> ---
Thank you for your feedback.

Even if there are no argument values passed to the functions, your bt helps.

I noticed this function:
    sal_Int32 SAL_CALL
    XInputStream_impl::readBytes(
                     uno::Sequence< sal_Int8 >& aData,
                     sal_Int32 nBytesToRead )
    {
        if( ! m_nIsOpen ) throw io::IOException( THROW_WHERE );

        aData.realloc(nBytesToRead);
            //TODO! translate memory exhaustion (if it were detectable...) into
            // io::BufferSizeExceededException

        sal_uInt64 nrc(0);
        if(m_aFile.read( aData.getArray(),sal_uInt64(nBytesToRead),nrc )
           != osl::FileBase::E_None)
            throw io::IOException( THROW_WHERE );

        // Shrink aData in case we read less than nBytesToRead (XInputStream
        // documentation does not tell whether this is required, and I do not know
        // if any code relies on this, so be conservative---SB):
        if (sal::static_int_cast<sal_Int32>(nrc) != nBytesToRead)
            aData.realloc(sal_Int32(nrc));
        return static_cast<sal_Int32>(nrc);
    }

If nBytesToRead > max sal_Int32, we may get a negative value for nrc.

Noel/Stephan: considering git history of ucb/source/ucp/file/filinpstr.cxx,
thought you might be interested in this one.

It may be a dup of tdf#113099

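An added example, not LibreOffice code and not part of the original message: the two integer conversions in the quoted readBytes (signed 32-bit request widened to unsigned 64-bit, unsigned 64-bit result narrowed to signed 32-bit) written with explicit range checks. Assumptions: std::int32_t, std::uint64_t and std::vector<std::int8_t> stand in for sal_Int32, sal_uInt64 and uno::Sequence<sal_Int8>; ReadFn and try_read are hypothetical helpers replacing osl::File::read.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <vector>

// Stand-ins (assumptions): std::int32_t for sal_Int32, std::uint64_t for
// sal_uInt64, std::vector<std::int8_t> for uno::Sequence<sal_Int8>.
// ReadFn is a hypothetical replacement for osl::File::read.
using ReadFn = std::function<bool(void* buf, std::uint64_t want, std::uint64_t& got)>;

std::int32_t checked_read_bytes(const ReadFn& read, std::vector<std::int8_t>& data,
                                std::int32_t nBytesToRead)
{
    // A negative count would widen to a huge uint64 request.
    if (nBytesToRead < 0)
        throw std::invalid_argument("negative byte count");
    data.resize(static_cast<std::size_t>(nBytesToRead));

    std::uint64_t nrc = 0;
    if (!read(data.data(), static_cast<std::uint64_t>(nBytesToRead), nrc))
        throw std::runtime_error("read failed");

    // Reject a reported count above the request; after this check nrc is
    // known to fit in int32, so the narrowing cast cannot change its value.
    if (nrc > static_cast<std::uint64_t>(nBytesToRead))
        throw std::runtime_error("reported count exceeds request");

    data.resize(static_cast<std::size_t>(nrc));
    return static_cast<std::int32_t>(nrc);
}

// Constructed reader for the demo: writes at most `want` bytes but reports
// `reported` bytes, modelling a backend that returns an unexpected count.
int try_read(std::uint64_t reported, std::int32_t request)
{
    ReadFn fake = [reported](void* buf, std::uint64_t want, std::uint64_t& got) {
        if (std::uint64_t n = std::min(want, reported))
            std::memset(buf, 0x41, static_cast<std::size_t>(n));
        got = reported;
        return true;
    };
    std::vector<std::int8_t> data;
    try { return checked_read_bytes(fake, data, request); }
    catch (const std::exception&) { return -1; }  // -1: request or result rejected
}

int main() { std::cout << try_read(10, 64) << ' ' << try_read(1ull << 31, 64) << '\n'; }
```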