Crash with gnome#627420-1.ods in string related function

Stephan Bergmann sbergman at redhat.com
Tue Jan 8 08:43:23 PST 2013


On 01/08/2013 02:19 PM, julien2412 wrote:
> Reading this thread, I took a look at sal/rtl/source/strtmpl.cxx
> static IMPL_RTL_STRINGDATA* IMPL_RTL_STRINGNAME( ImplAlloc )( sal_Int32 nLen )
> {
>     IMPL_RTL_STRINGDATA * pData
>         = (sal::static_int_cast< sal_uInt32 >(nLen)
>            <= ((SAL_MAX_UINT32 - sizeof (IMPL_RTL_STRINGDATA))
>                / sizeof (IMPL_RTL_STRCODE)))
>         ? (IMPL_RTL_STRINGDATA *) rtl_allocateMemory(
>             sizeof (IMPL_RTL_STRINGDATA) + nLen * sizeof (IMPL_RTL_STRCODE))
>         : NULL;
>     if (pData != NULL) {
>         pData->refCount = 1;
>         pData->length = nLen;
>         pData->buffer[nLen] = 0;
>     }
>     return pData;
> }
>
> Since we cast the "nLen" parameter to "sal_uInt32", could it help to add an
> assert that nLen should be >= 0?

Such an assert would surely not hurt, but I suspect that there are call 
sites that do not catch overflow of computed length values (where such 
overflow can lead to wrong values that are negative as well as 
non-negative), so such an assert alone would not help catch all the 
problematic call sites.

Stephan
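The length arithmetic under discussion, as an added example that is not LibreOffice code: a stand-in for the ImplAlloc guard, a hypothetical unchecked call-site sum with its wraparound made explicit, and the checked sum a caller should perform before asking for an allocation. StringData, allocSizeFits, implAlloc, allocAndCheck, wrappedSum and checkedLengthSum are constructed names.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdlib>

// Constructed stand-in for IMPL_RTL_STRINGDATA instantiated for rtl_uString
// (16-bit code units); the real type is declared in sal/inc/rtl/ustring.h.
struct StringData {
    int32_t  refCount;
    int32_t  length;
    uint16_t buffer[1];
};

// The guard from ImplAlloc: a negative nLen becomes a huge sal_uInt32 and is
// rejected, so the existing check already refuses negative lengths.
static bool allocSizeFits(int32_t nLen) {
    return static_cast<uint32_t>(nLen)
        <= (UINT32_MAX - sizeof(StringData)) / sizeof(uint16_t);
}

static StringData* implAlloc(int32_t nLen) {
    if (!allocSizeFits(nLen)) return nullptr;
    StringData* p = static_cast<StringData*>(std::malloc(
        sizeof(StringData) + static_cast<size_t>(nLen) * sizeof(uint16_t)));
    if (p) { p->refCount = 1; p->length = nLen; p->buffer[nLen] = 0; }
    return p;
}

// Allocate, verify the header, release; true when the allocation succeeded.
static bool allocAndCheck(int32_t nLen) {
    StringData* p = implAlloc(nLen);
    bool ok = p && p->length == nLen && p->buffer[nLen] == 0;
    std::free(p);
    return ok;
}

// Hypothetical unchecked call-site arithmetic: a sum of sal_Int32 lengths with
// two's-complement wraparound made explicit (real callers adding sal_Int32
// directly would hit undefined behaviour on signed overflow instead).
static int32_t wrappedSum(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

// The check a call site should make when combining lengths: rejects negative
// inputs and any sum that would exceed SAL_MAX_INT32, before ImplAlloc is reached.
static bool checkedLengthSum(int32_t a, int32_t b, int32_t* out) {
    if (a < 0 || b < 0 || a > INT32_MAX - b) return false;
    *out = a + b;
    return true;
}
```

Summing two lengths can only wrap to a negative value, which the guard rejects; summing three (INT32_MAX + INT32_MAX + 10 wraps to 8) yields a small non-negative length the guard cannot distinguish from a legitimate one, which is why the check has to live at the call site.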
