Checking string allocations (was Re: String literals, ASCII vs UTF-8)

Lubos Lunak l.lunak at
Wed Feb 29 06:28:38 PST 2012

 First, so that we have some numbers, debug build, but compiled 
with -O2 -g0 :

 4627576 - without any extra checks in OUString
 4625248 - with abort()
 4642216 - with std::bad_alloc

 Yes, adding abort() there somehow makes it a tiny bit smaller, search me why. 
For std::bad_alloc it is 0,3% more, which may not seem much, but on the other 
hand it's just one tiny change in a library that actually does something, so 
it's not that little either.

 But I guess it's not enough for me to insist on the change.

On Wednesday 29 of February 2012, Stephan Bergmann wrote:
> However, there are also situations where bad input (malicious or
> otherwise) would cause an application to request excessive amounts of
> memory to do a single task (e.g., open a document), and at least in
> theory the application should be able to cope with such
> externally-induced OOM conditions, by abandoning the bad operation,
> cleaning up after it, telling the user the operation failed, and
> carrying on.

 The problem with this theory is that it is a theory. In practice the code 
should check the size first, and if it doesn't, then it presumably will not 
clean up properly anyway.

 The other problem is that OUString ctors is just one random place. The 
OUStringBuffer ctor, which is probably a more likely place to first hit the 
problem if the input handling itself is sloppy and lets the problem get past, 
does not bother with any such checks. So what we have now is a half-solution 
that is not likely to work anyway. Either we want this done properly, in 
which case input should be validated. Or we want it with less work but still 
reasonably safe, in which case all the C rtl_ustr_* functions should detect 
this and abort. Either case does not really need it in OUString ctors.

 Lubos Lunak
 l.lunak at

More information about the LibreOffice mailing list