[Libreoffice-bugs] [Bug 127648] LO on Linux crashes when accessing opend/locked File on SAMBA network share
bugzilla-daemon at bugs.documentfoundation.org
Mon Sep 23 09:54:28 UTC 2019
https://bugs.documentfoundation.org/show_bug.cgi?id=127648
--- Comment #8 from Stephan Bergmann <sbergman at redhat.com> ---
(In reply to Julien Nabet from comment #6)
> I noticed this function:
> (in ucb/source/ucp/file/filinpstr.cxx)
> sal_Int32 SAL_CALL
> XInputStream_impl::readBytes(
>     uno::Sequence< sal_Int8 >& aData,
>     sal_Int32 nBytesToRead )
> {
>     if( ! m_nIsOpen ) throw io::IOException( THROW_WHERE );
>
>     aData.realloc(nBytesToRead);
>     //TODO! translate memory exhaustion (if it were detectable...) into
>     // io::BufferSizeExceededException
>
>     sal_uInt64 nrc(0);
>     if(m_aFile.read( aData.getArray(),sal_uInt64(nBytesToRead),nrc )
The data provided so far in this issue seems to imply that m_aFile.read
unexpectedly returned nrc > nBytesToRead (and large enough to overflow to a
negative value with the below cast to sal_Int32).
(XInputStream_impl::readBytes being called with a negative nBytesToRead, which
could presumably also lead to trouble, is ruled out by the fact that the above
aData.realloc(nBytesToRead) didn't fire the "### new size must be at least 0!"
assert, which only the below aData.realloc(sal_Int32(nrc)); fires.)
>        != osl::FileBase::E_None)
>         throw io::IOException( THROW_WHERE );
>
>     // Shrink aData in case we read less than nBytesToRead (XInputStream
>     // documentation does not tell whether this is required, and I do not know
>     // if any code relies on this, so be conservative---SB):
>     if (sal::static_int_cast<sal_Int32>(nrc) != nBytesToRead)
>         aData.realloc(sal_Int32(nrc));
>     return static_cast<sal_Int32>(nrc);
> }
>
> If nBytesToRead > max sal_Int32, we may get a negative value for nrc.
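
The narrowing discussed in this comment, as an added example that is not part of the original message or of the LibreOffice code base. Assumptions: `Int32`/`UInt64` stand in for `sal_Int32`/`sal_uInt64`, `FakeFile` is a hypothetical stand-in for `m_aFile` that reports an arbitrary count, `std::vector` replaces `uno::Sequence`, and the out-of-range cast wraps modulo 2^32 (guaranteed since C++20, the behaviour of mainstream compilers before that).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Assumption: fixed-width stand-ins for the sal_Int32 / sal_uInt64 types in the quoted code.
using Int32 = std::int32_t;
using UInt64 = std::uint64_t;

// Hypothetical stand-in for m_aFile.read(): reports whatever count the
// backend claims, without regard to the size that was requested.
struct FakeFile {
    UInt64 reported;
    bool read(void*, UInt64, UInt64& nrc) const { nrc = reported; return true; }
};

// The narrowing used in the quoted code: no range check before the cast.
Int32 narrowUnchecked(UInt64 nrc) { return static_cast<Int32>(nrc); }

// Refuse any count the caller's buffer cannot hold, then narrow safely.
Int32 checkedCount(UInt64 nrc, Int32 nBytesToRead) {
    if (nBytesToRead < 0)
        throw std::invalid_argument("negative read size");
    if (nrc > static_cast<UInt64>(nBytesToRead))
        throw std::runtime_error("read reported more bytes than requested");
    return static_cast<Int32>(nrc);  // in range: 0 <= nrc <= nBytesToRead
}

// readBytes-shaped wrapper: the reported count is checked before it reaches resize().
Int32 readBytesChecked(const FakeFile& file, std::vector<std::int8_t>& data,
                       Int32 nBytesToRead) {
    if (nBytesToRead < 0)
        throw std::invalid_argument("negative read size");
    data.resize(static_cast<std::size_t>(nBytesToRead));
    UInt64 nrc = 0;
    if (!file.read(data.data(), static_cast<UInt64>(nBytesToRead), nrc))
        throw std::runtime_error("read failed");
    Int32 n = checkedCount(nrc, nBytesToRead);
    data.resize(static_cast<std::size_t>(n));  // shrink on a short read
    return n;
}

int main() {
    // Constructed counts: just past INT32_MAX, all-ones 32-bit, and 2^32 + 5.
    const UInt64 samples[] = {0x80000000ull, 0xFFFFFFFFull, 0x100000005ull};
    for (UInt64 s : samples)
        std::printf("%llu -> %d\n", static_cast<unsigned long long>(s), narrowUnchecked(s));
}
```

The third constructed count narrows to a small positive value rather than a negative one, so a sign check after the cast would not catch it; comparing `nrc` with the requested size before narrowing covers both cases.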