[Libreoffice-commits] core.git: stoc/source

Stephan Bergmann sbergman at redhat.com
Sat Sep 30 08:44:40 UTC 2017 

 stoc/source/corereflection/criface.cxx |   21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

New commits:
commit 43b02c4532d88ef24c688ecd32bc8bfd6e1f57ff
Author: Stephan Bergmann <sbergman at redhat.com>
Date:   Fri Sep 29 18:37:15 2017 +0200

    Make sure space handed to C/C++ ABI is padded large enough
    
    PythonTest_pyuno_pytests_testcollections had failed with -fsanitize=address:
    
    > ==6341==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe5cf77048 at pc 0x7f6be12e51ba bp 0x7ffe5cf76810 sp 0x7ffe5cf76808
    > WRITE of size 8 at 0x7ffe5cf77048 thread T0
    >     #0 0x7f6be12e51b9 in x86_64::fill_struct(_typelib_TypeDescriptionReference*, unsigned long const*, double const*, void*) bridges/source/cpp_uno/gcc3_linux_x86-64/abi.cxx
    >     #1 0x7f6be1307f03 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:171:17
    >     #2 0x7f6be130346d in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
    >     #3 0x7f6be1301c56 in bridges::cpp_uno::shared::unoInterfaceProxyDispatch(_uno_Interface*, _typelib_TypeDescription const*, void*, void**, _uno_Any**) bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:420:13
    >     #4 0x7f6be0be09ff in stoc_corefl::IdlInterfaceMethodImpl::invoke(com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any>&) stoc/source/corereflection/criface.cxx:679:9
    >     #5 0x7f6be0be304c in non-virtual thunk to stoc_corefl::IdlInterfaceMethodImpl::invoke(com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any>&) stoc/source/corereflection/criface.cxx
    >     #6 0x7f6be0375ef9 in (anonymous namespace)::IntrospectionAccessStatic_Impl::getPropertyValueByIndex(com::sun::star::uno::Any const&, int) const stoc/source/inspect/introspection.cxx:609:33
    >     #7 0x7f6be03753eb in (anonymous namespace)::IntrospectionAccessStatic_Impl::getPropertyValue(com::sun::star::uno::Any const&, rtl::OUString const&) const stoc/source/inspect/introspection.cxx:519:16
    >     #8 0x7f6be036bd75 in (anonymous namespace)::ImplIntrospectionAccess::getPropertyValue(rtl::OUString const&) stoc/source/inspect/introspection.cxx:1040:26
    >     #9 0x7f6be037102c in non-virtual thunk to (anonymous namespace)::ImplIntrospectionAccess::getPropertyValue(rtl::OUString const&) stoc/source/inspect/introspection.cxx
    >     #10 0x7f6be0f95805 in stoc_inv::Invocation_Impl::getValue(rtl::OUString const&) stoc/source/invocation/invocation.cxx:495:35
    >     #11 0x7f6be0f95fcc in non-virtual thunk to stoc_inv::Invocation_Impl::getValue(rtl::OUString const&) stoc/source/invocation/invocation.cxx
    >     #12 0x7f6be665d69a in pyuno::PyUNO_getattr(_object*, char*) pyuno/source/module/pyuno.cxx:1424:52
    >     #13 0x7f6bf34b1a5f in PyObject_GetAttr workdir/UnpackedTarball/python3/Objects/object.c:894:16
    >     #14 0x7f6bf39f10f9 in PyEval_EvalFrameEx workdir/UnpackedTarball/python3/Python/ceval.c:2793:29
    ...
    
    Change-Id: I7c8aa0f0e153a022c19c981165730725a566a0b2
    Reviewed-on: https://gerrit.libreoffice.org/42946
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>

diff --git a/stoc/source/corereflection/criface.cxx b/stoc/source/corereflection/criface.cxx
index 841cb235eb90..9ead12622f54 100644
--- a/stoc/source/corereflection/criface.cxx
+++ b/stoc/source/corereflection/criface.cxx
@@ -18,6 +18,11 @@
  */
 
 #include <sal/config.h>
+
+#include <cassert>
+#include <cstddef>
+#include <limits>
+
 #ifdef SAL_UNX
 #include <sal/alloca.h>
 #endif
@@ -40,6 +45,15 @@ using namespace css::lang;
 using namespace css::reflection;
 using namespace css::uno;
 
+namespace {
+
+std::size_t multipleOf16(std::size_t n) {
+    assert(n <= std::numeric_limits<std::size_t>::max() - 15);
+    return (n + 15) & ~std::size_t(15);
+}
+
+}
+
 namespace stoc_corefl
 {
 
@@ -586,7 +600,12 @@ Any SAL_CALL IdlInterfaceMethodImpl::invoke( const Any & rObj, Sequence< Any > &
         TYPELIB_DANGER_GET(
             &pReturnType, getMethodTypeDescr()->pReturnTypeRef );
 
-        void * pUnoReturn = alloca( pReturnType->nSize );
+        // C/C++ ABIs typically assume that structs are padded at the end, and
+        // that those padding bytes may be written to (e.g., to write into the
+        // end of a "short" struct by writing the full contents of a "long"
+        // register); so create enough space here (assuming that no ABI requires
+        // padding larger than 16 byte boundaries):
+        void * pUnoReturn = alloca( multipleOf16(pReturnType->nSize) );
         void ** ppUnoArgs = static_cast<void **>(alloca( sizeof(void *) * nParams *2 ));
         typelib_TypeDescription ** ppParamTypes = reinterpret_cast<typelib_TypeDescription **>(ppUnoArgs + nParams);

More information about the Libreoffice-commits mailing list