[Libreoffice-commits] core.git: i18npool/source

Stephan Bergmann (via logerrit) logerrit at kemper.freedesktop.org
Fri Sep 17 09:25:20 UTC 2021 

 i18npool/source/transliteration/transliteration_body.cxx |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

New commits:
commit 061f7ba80efe621503531ca9512b194ad8cefcd3
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Fri Sep 17 09:24:22 2021 +0200
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Fri Sep 17 11:24:46 2021 +0200

    Fix calculation of alloca'ed memory size
    
    ...after 16d645e5b8f11b4ddb49a2b58bde388b28960abc "speedup
    Transliteration_body::transliterateImpl", which caused
    dynamic-stack-buffer-overflow (<https://ci.libreoffice.org/job/lo_ubsan/2137/),
    
    > ==4003==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffe890f7d2 at pc 0x0000004b1c2d bp 0x7fffe890f490 sp 0x7fffe890ec40
    > WRITE of size 2 at 0x7fffe890f7d2 thread T0
    >     #0 0x4b1c2c in __asan_memmove /home/tdf/lode/packages/llvm-llvmorg-9.0.1.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:30
    >     #1 0x2b8b4222ef65 in char16_t* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<char16_t>(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:368:6
    >     #2 0x2b8b4222eec0 in char16_t* std::__copy_move_a<false, char16_t const*, char16_t*>(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:385:14
    >     #3 0x2b8b4222d9be in char16_t* std::__copy_move_a2<false, char16_t const*, char16_t*>(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:422:18
    >     #4 0x2b8b4222d2be in char16_t* std::copy<char16_t const*, char16_t*>(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:454:15
    >     #5 0x2b8b4222cf43 in char16_t* std::__copy_n<char16_t const*, signed char, char16_t*>(char16_t const*, signed char, char16_t*, std::random_access_iterator_tag) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algo.h:782:14
    >     #6 0x2b8b4222b495 in char16_t* std::copy_n<char16_t const*, signed char, char16_t*>(char16_t const*, signed char, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algo.h:806:14
    >     #7 0x2b8b42225872 in i18npool::Transliteration_body::transliterateImpl(rtl::OUString const&, int, int, com::sun::star::uno::Sequence<int>*) /i18npool/source/transliteration/transliteration_body.cxx:145:13
    >     #8 0x2b8b42236f35 in i18npool::transliteration_commonclass::transliterateString2String(rtl::OUString const&, int, int) /i18npool/source/transliteration/transliteration_commonclass.cxx:109:12
    >     #9 0x2b8b41fbc740 in i18npool::cclass_Unicode::toUpper(rtl::OUString const&, int, int, com::sun::star::lang::Locale const&) /i18npool/source/characterclassification/cclass_unicode.cxx:67:19
    >     #10 0x2b8b41fbc7b2 in non-virtual thunk to i18npool::cclass_Unicode::toUpper(rtl::OUString const&, int, int, com::sun::star::lang::Locale const&) /i18npool/source/characterclassification/cclass_unicode.cxx
    >     #11 0x2b8b41ff1335 in i18npool::CharacterClassificationImpl::toUpper(rtl::OUString const&, int, int, com::sun::star::lang::Locale const&) /i18npool/source/characterclassification/characterclassificationImpl.cxx:47:63
    [...]
    
    Change-Id: I5273e234c8921f635e31c414cb0e427ee8b04a95
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122234
    Reviewed-by: Noel Grandin <noel.grandin at collabora.co.uk>
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
    Tested-by: Jenkins

diff --git a/i18npool/source/transliteration/transliteration_body.cxx b/i18npool/source/transliteration/transliteration_body.cxx
index 3581212af8b3..1f4541082435 100644
--- a/i18npool/source/transliteration/transliteration_body.cxx
+++ b/i18npool/source/transliteration/transliteration_body.cxx
@@ -104,9 +104,8 @@ Transliteration_body::transliterateImpl(
     constexpr sal_Int32 nLocalBuf = 2048;
     sal_Unicode* out;
     std::unique_ptr<sal_Unicode[]> pHeapBuf;
-    size_t nBytes = (nCount + 1) * sizeof(sal_Unicode);
-    if (nBytes <= nLocalBuf * NMAPPINGMAX)
-        out = static_cast<sal_Unicode*>(alloca(nBytes));
+    if (nCount <= nLocalBuf)
+        out = static_cast<sal_Unicode*>(alloca(nCount * NMAPPINGMAX * sizeof(sal_Unicode)));
     else
     {
         pHeapBuf.reset(new sal_Unicode[ nCount * NMAPPINGMAX ]);

More information about the Libreoffice-commits mailing list