[Libreoffice-commits] online.git: wsd/LOOLWSD.cpp
Tor Lillqvist (via logerrit)
logerrit at kemper.freedesktop.org
Thu Jul 16 20:57:06 UTC 2020
wsd/LOOLWSD.cpp | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
New commits:
commit 03697b3bb524e7517a8f778f951ef65d05805b9f
Author: Tor Lillqvist <tml at collabora.com>
AuthorDate: Thu Jul 16 17:42:09 2020 +0300
Commit: Tor Lillqvist <tml at collabora.com>
CommitDate: Thu Jul 16 22:56:47 2020 +0200
The socket inbuffer is not nul terminated
We can't just call strtoul() to parse the number at the end of the
buffer. The buffer might be followed by other digits in memory. In
that case we would get a completely wrong mobileAppDocId which will
lead to a crash or assertion failure.
Change-Id: I71c96323faa2b069009e5eda7a7153148b78094a
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/98914
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice at gmail.com>
Reviewed-by: Tor Lillqvist <tml at collabora.com>
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 7c353e6b1..b61649970 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -2555,7 +2555,17 @@ private:
// The "app document id", the numeric id of the document, from the appDocIdCounter in CODocument.mm.
char *space = strchr(socket->getInBuffer().data(), ' ');
assert(space != nullptr);
- unsigned appDocId = std::strtoul(space + 1, nullptr, 10);
+
+ // The socket buffer is not nul-terminated so we can't just call strtoull() on the number at
+ // its end, it might be followed in memory by more digits. Is there really no better way to
+ // parse the number at the end of the buffer than to copy the bytes into a nul-terminated
+ // buffer?
+ const size_t appDocIdLen = (socket->getInBuffer().data() + socket->getInBuffer().size()) - (space + 1);
+ char *appDocIdBuffer = (char *)malloc(appDocIdLen + 1);
+ memcpy(appDocIdBuffer, space + 1, appDocIdLen);
+ appDocIdBuffer[appDocIdLen] = '\0';
+ unsigned appDocId = std::strtoul(appDocIdBuffer, nullptr, 10);
+ free(appDocIdBuffer);
handleClientWsUpgrade(
request, std::string(socket->getInBuffer().data(), space - socket->getInBuffer().data()),
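
Review bot: the `strchr(socket->getInBuffer().data(), ' ')` call in the context line above the new block still scans the same buffer that this change treats as not nul-terminated, so the search for the space can run past `size()` just as the old `strtoul()` did. Bound it with something like `memchr(data, ' ', size)` or `std::find` over `data()` to `data() + size()`. The `assert(space != nullptr)` is also compiled out in release builds, so a missing space needs a real check before `space + 1` is used. In the added lines, the `malloc()` result is used by `memcpy()` without a null check; constructing `std::string(space + 1, appDocIdLen)` and passing its `c_str()` to `std::strtoul()` avoids the manual allocation and the `free()`. The new comment says `strtoull()` while the code calls `std::strtoul()`, and the result is narrowed to `unsigned` with no end-pointer or range check, so a non-numeric or oversized suffix is silently accepted as an id.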