[Libreoffice-commits] core.git: 2 commits - sc/source xmloff/source
Michael Stahl
mstahl at redhat.com
Tue Sep 19 20:21:01 UTC 2017
sc/source/filter/excel/xiescher.cxx | 10 ++++++----
xmloff/source/core/xmlexp.cxx | 2 +-
2 files changed, 7 insertions(+), 5 deletions(-)
New commits:
commit ec100b7066d5a00178deb3a1625da07fd1c3b416
Author: Michael Stahl <mstahl at redhat.com>
Date: Tue Sep 19 22:01:00 2017 +0200
sc: fix infinite loop in XclImpDffConverter::ProcessShGrContainer()
... and also in XclImpDffConverter::ProcessDgContainer()
This was looping in CppunitTest_sc_filters_test, reportedly since
commit 7e8c38b69742ff037a5e239bf0f02665f053ea53.
The problem is that checkSeek() doesn't actually seek until EOF
if the offset is too large.
Change-Id: I16226a88388dcac8069d6a4cad860470540466e3
diff --git a/sc/source/filter/excel/xiescher.cxx b/sc/source/filter/excel/xiescher.cxx
index 17c4f163c886..fd13897d33d1 100644
--- a/sc/source/filter/excel/xiescher.cxx
+++ b/sc/source/filter/excel/xiescher.cxx
@@ -3684,7 +3684,8 @@ OUString XclImpDffConverter::ReadHlinkProperty( SvStream& rDffStrm ) const
void XclImpDffConverter::ProcessDgContainer( SvStream& rDffStrm, const DffRecordHeader& rDgHeader )
{
std::size_t nEndPos = rDgHeader.GetRecEndFilePos();
- while( rDffStrm.Tell() < nEndPos )
+ bool isBreak(false);
+ while (!isBreak && rDffStrm.good() && rDffStrm.Tell() < nEndPos)
{
DffRecordHeader aHeader;
ReadDffRecordHeader( rDffStrm, aHeader );
@@ -3697,7 +3698,7 @@ void XclImpDffConverter::ProcessDgContainer( SvStream& rDffStrm, const DffRecord
ProcessShGrContainer( rDffStrm, aHeader );
break;
default:
- aHeader.SeekToEndOfRecord( rDffStrm );
+ isBreak = !aHeader.SeekToEndOfRecord( rDffStrm );
}
}
// seek to end of drawing page container
@@ -3713,7 +3714,8 @@ void XclImpDffConverter::ProcessDgContainer( SvStream& rDffStrm, const DffRecord
void XclImpDffConverter::ProcessShGrContainer( SvStream& rDffStrm, const DffRecordHeader& rShGrHeader )
{
std::size_t nEndPos = rShGrHeader.GetRecEndFilePos();
- while( rDffStrm.Tell() < nEndPos )
+ bool isBreak(false);
+ while (!isBreak && rDffStrm.good() && rDffStrm.Tell() < nEndPos)
{
DffRecordHeader aHeader;
ReadDffRecordHeader( rDffStrm, aHeader );
@@ -3724,7 +3726,7 @@ void XclImpDffConverter::ProcessShGrContainer( SvStream& rDffStrm, const DffReco
ProcessShContainer( rDffStrm, aHeader );
break;
default:
- aHeader.SeekToEndOfRecord( rDffStrm );
+ isBreak = !aHeader.SeekToEndOfRecord( rDffStrm );
}
}
// seek to end of shape group container
commit ee599ea46365adc37f4d495d9ff9778c25c04c92
Author: Michael Stahl <mstahl at redhat.com>
Date: Tue Sep 19 21:43:23 2017 +0200
xmloff: fix stack-use-after-return in SvXMLExport::exportDoc()
PropertySetInfo(PropertyMapEntry const * pMap) stores the pointers,
and its lifetime is controlled by refcounting, so the lifetime
of aInfoMap can't be automatic.
ERROR: AddressSanitizer: stack-use-after-return on address ...
... is located in stack of thread T46
at offset 224 in frame SvXMLExport::exportDoc(xmloff::token::XMLTokenEnum)
This frame has 39 object(s):
...
[224, 288) 'aInfoMap' <== Memory access at offset 224 is inside this variable
Change-Id: I4eaa9d38bab708b222d999b0982100d7ef97e95c
diff --git a/xmloff/source/core/xmlexp.cxx b/xmloff/source/core/xmlexp.cxx
index 78a798ecd3a7..a805ef7ac5e4 100644
--- a/xmloff/source/core/xmlexp.cxx
+++ b/xmloff/source/core/xmlexp.cxx
@@ -1285,7 +1285,7 @@ ErrCode SvXMLExport::exportDoc( enum ::xmloff::token::XMLTokenEnum eClass )
{
try
{
- ::comphelper::PropertyMapEntry const aInfoMap[] =
+ static ::comphelper::PropertyMapEntry const aInfoMap[] =
{
{ OUString("Class"), 0,
::cppu::UnoType<OUString>::get(),
More information about the Libreoffice-commits
mailing list