[Libreoffice-commits] core.git: Branch 'private/swe/libreoffice-5-2+backports' - basic/source

[Vasily Melenchuk]

 basic/source/runtime/dllmgr-x64.cxx |    2 +-
 basic/source/runtime/dllmgr-x86.cxx |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

New commits:
commit 4b84229afc16dee4b150950463bff7e6df793ffc
Author: Vasily Melenchuk <Vasily.Melenchuk at cib.de>
Date:   Mon May 21 10:58:49 2018 +0300

    tdf#97231: potential crash fixed
    
    blob2 pointer can be invalidated during marshalString() call,
    because it also adds new element in data vector and thus later
    access to blob2 can cause crash.
    
    Change-Id: I2de519c363193f34b249e7250a016397b7420882
    Reviewed-on: https://gerrit.libreoffice.org/54613
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
    (cherry picked from commit de9620dd4539397715dab3102d256f9d634fcb23)
    Reviewed-on: https://gerrit.libreoffice.org/54637
    Tested-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>

diff --git a/basic/source/runtime/dllmgr-x64.cxx b/basic/source/runtime/dllmgr-x64.cxx
index b78ff5da9681..8f2b0abdef8c 100644
--- a/basic/source/runtime/dllmgr-x64.cxx
+++ b/basic/source/runtime/dllmgr-x64.cxx
@@ -319,12 +319,12 @@ SbError marshal(
                 break;
             case SbxSTRING:
                 {
-                    std::vector< char > * blob2 = data.newBlob();
                     void * p;
                     SbError e = marshalString(variable, special, data, &p);
                     if (e != ERRCODE_NONE) {
                         return e;
                     }
+                    std::vector< char >* blob2 = data.newBlob();
                     add(*blob2, p, 8, 0);
                     add(blob, address(*blob2), 8, offset);
                     break;
diff --git a/basic/source/runtime/dllmgr-x86.cxx b/basic/source/runtime/dllmgr-x86.cxx
index fd41317c6a1f..9a5f4536c7e1 100644
--- a/basic/source/runtime/dllmgr-x86.cxx
+++ b/basic/source/runtime/dllmgr-x86.cxx
@@ -334,12 +334,12 @@ SbError marshal(
                 break;
             case SbxSTRING:
                 {
-                    std::vector< char > * blob2 = data.newBlob();
                     void * p;
                     SbError e = marshalString(variable, special, data, &p);
                     if (e != ERRCODE_NONE) {
                         return e;
                     }
+                    std::vector< char > * blob2 = data.newBlob();
                     add(*blob2, p, 4, 0);
                     add(blob, address(*blob2), 4, offset);
                     break;