[Libreoffice-commits] core.git: svtools/source
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Tue Jul 24 20:10:26 UTC 2018
svtools/source/svhtml/parhtml.cxx | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit f33ca5e3ba342e8251ab8177105a9b4b231b73e0
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Tue Jul 24 17:36:13 2018 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Tue Jul 24 21:09:44 2018 +0100
ofz#7621 tight OUString concat loop causes libfuzzer oom
it doesn't get a chance to release memory and falls over with
an oom
Change-Id: I20eb91223de3aa00f3e2f4131ad212f1cfde6ff3
diff --git a/svtools/source/svhtml/parhtml.cxx b/svtools/source/svhtml/parhtml.cxx
index be3167d30053..d887f4084ab8 100644
--- a/svtools/source/svhtml/parhtml.cxx
+++ b/svtools/source/svhtml/parhtml.cxx
@@ -1218,12 +1218,15 @@ HtmlTokenId HTMLParser::GetNextToken_()
bool bDone = false;
// Read until closing %>. If not found restart at first >.
+ sal_Unicode nLastTokenChar = !aToken.isEmpty() ? aToken[aToken.getLength() - 1] : 0;
+ OUStringBuffer aTmpBuffer(aToken);
while( !bDone && !rInput.eof() && IsParserWorking() )
{
- bDone = '>'==nNextCh && aToken.endsWith("%");
+ bDone = '>'==nNextCh && nLastTokenChar == '%';
if( !bDone )
{
- aToken += OUString(&nNextCh,1);
+ aTmpBuffer.appendUtf32(nNextCh);
+ nLastTokenChar = aTmpBuffer[aTmpBuffer.getLength() - 1];
nNextCh = GetNextChar();
}
}
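Review bot: The loop `while( !bDone && !rInput.eof() && IsParserWorking() )` still appends every character to `aTmpBuffer` until `%>` or end of input, so peak memory stays proportional to the input. When there is no closing `%>`, the rest of the stream is buffered and then, per the comment above the loop, thrown away on restart. Switching to `OUStringBuffer` removes the per-character `OUString` reallocation but adds no bound. If no limit is enforced elsewhere (not visible in this hunk), consider an extra loop condition such as `&& aTmpBuffer.getLength() < nMaxScriptLen`, where `nMaxScriptLen` is a placeholder for a project-chosen cap, and treat hitting it as not found. A short comment on `nLastTokenChar = aTmpBuffer[aTmpBuffer.getLength() - 1];` would also help, for example `// for a non-BMP code point this is the low surrogate, which never equals '%'`. The body of `GetNextToken_()` starts and ends outside the hunk.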
@@ -1237,6 +1240,7 @@ HtmlTokenId HTMLParser::GetNextToken_()
nRet = HtmlTokenId::TEXTTOKEN;
break;
}
+ aToken = aTmpBuffer.makeStringAndClear();
if( IsParserWorking() )
{
sSaveToken = aToken;
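Review bot: Between the end of the read loop and `aToken = aTmpBuffer.makeStringAndClear();`, `aToken` still holds its pre-loop content, and the branch ending in `break` just above never receives the buffered text. That looks intentional given the restart comment in the first hunk, but nothing in the code says so. A comment such as `// aToken is only updated once the closing %> was found; the restart path above discards aTmpBuffer` would keep a later edit from reading a stale `aToken` in between. The enclosing block starts and ends outside this hunk, so whether the `break` branch reads `aToken` cannot be confirmed from here.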