Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn computation

Stephan Bergmann sbergman at redhat.com
Tue Feb 23 07:34:47 UTC 2021


Ever since 
<https://git.libreoffice.org/core/+/86b192965ee8d625092b723337f6a65bdf34dcb7%5E!/> 
"tdf#107097: sc: Add UItest" added that test, UBSan builds like 
<https://ci.libreoffice.org/job/lo_ubsan/1919/> keep failing 
UITest_chart UITEST_TEST_NAME=tdf107097.tdf107097.test_tdf107097 with

> /chart2/source/tools/XMLRangeHelper.cxx:136:52: runtime error: signed integer overflow: 15 * 308915776 cannot be represented in type 'int'
>     #0 0x2ad74a554918 in (anonymous namespace)::lcl_getSingleCellAddressFromXMLString(rtl::OUString const&, int, int, chart::XMLRangeHelper::Cell&) /chart2/source/tools/XMLRangeHelper.cxx:136:52
>     #1 0x2ad74a553482 in (anonymous namespace)::lcl_getCellAddressFromXMLString(rtl::OUString const&, int, int, chart::XMLRangeHelper::Cell&, rtl::OUString&) /chart2/source/tools/XMLRangeHelper.cxx:217:13
>     #2 0x2ad74a5505da in (anonymous namespace)::lcl_getCellRangeAddressFromXMLString(rtl::OUString const&, int, int, chart::XMLRangeHelper::CellRange&) /chart2/source/tools/XMLRangeHelper.cxx:253:19
>     #3 0x2ad74a54fde1 in chart::XMLRangeHelper::getCellRangeFromXMLString(rtl::OUString const&) /chart2/source/tools/XMLRangeHelper.cxx:328:15
>     #4 0x2ad74a2aed4d in chart::InternalDataProvider::convertRangeFromXML(rtl::OUString const&) /chart2/source/tools/InternalDataProvider.cxx:1227:39
>     #5 0x2ad74a2b0164 in non-virtual thunk to chart::InternalDataProvider::convertRangeFromXML(rtl::OUString const&) /chart2/source/tools/InternalDataProvider.cxx
>     #6 0x2ad6c4784257 in (anonymous namespace)::lcl_ConvertRange(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::chart2::XChartDocument> const&) /xmloff/source/chart/SchXMLPlotAreaContext.cxx:76:32
>     #7 0x2ad6c4779a67 in SchXMLPlotAreaContext::startFastElement(int, com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList> const&) /xmloff/source/chart/SchXMLPlotAreaContext.cxx:233:34
>     #8 0x2ad6c4c6328a in SvXMLImport::startFastElement(int, com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList> const&) /xmloff/source/core/xmlimp.cxx:797:15
>     #9 0x2ad704988b78 in (anonymous namespace)::Entity::startElement((anonymous namespace)::Event const*) /sax/source/fastparser/fastparser.cxx:468:27
>     #10 0x2ad70496f681 in sax_fastparser::FastSaxParserImpl::consume((anonymous namespace)::EventList&) /sax/source/fastparser/fastparser.cxx:1026:25
>     #11 0x2ad70496c65f in sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource const&) /sax/source/fastparser/fastparser.cxx:870:22
>     #12 0x2ad7049905d1 in sax_fastparser::FastSaxParser::parseStream(com::sun::star::xml::sax::InputSource const&) /sax/source/fastparser/fastparser.cxx:1482:13
>     #13 0x2ad6c4c52b80 in SvXMLImport::parseStream(com::sun::star::xml::sax::InputSource const&) /xmloff/source/core/xmlimp.cxx:504:15
>     #14 0x2ad749aafe1e in chart::XMLFilter::impl_ImportStream(rtl::OUString const&, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::lang::XMultiComponentFactory> const&, com::sun::star::uno::Reference<com::sun::star::document::XGraphicStorageHandler> const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&) /chart2/source/model/filter/XMLFilter.cxx:473:34
>     #15 0x2ad749aa9f01 in chart::XMLFilter::impl_Import(com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /chart2/source/model/filter/XMLFilter.cxx:375:35
>     #16 0x2ad749aa0988 in chart::XMLFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /chart2/source/model/filter/XMLFilter.cxx:221:13
>     #17 0x2ad749c2c76e in chart::ChartModel::impl_load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&) /chart2/source/model/main/ChartModel_Persistence.cxx:567:18
>     #18 0x2ad749c30eea in chart::ChartModel::loadFromStorage(com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /chart2/source/model/main/ChartModel_Persistence.cxx:759:5
>     #19 0x2ad74244b977 in OCommonEmbeddedObject::LoadDocumentFromStorage_Impl() /embeddedobj/source/commonembedding/persistence.cxx:535:19
>     #20 0x2ad7423d7bde in OCommonEmbeddedObject::SwitchStateTo_Impl(int) /embeddedobj/source/commonembedding/embedobj.cxx:185:49
>     #21 0x2ad7423e32ff in OCommonEmbeddedObject::changeState(int) /embeddedobj/source/commonembedding/embedobj.cxx:453:13
>     #22 0x2ad7424b7057 in OCommonEmbeddedObject::getPreferredVisualRepresentation(long) /embeddedobj/source/commonembedding/visobj.cxx:168:9
>     #23 0x2ad67e08fdb6 in comphelper::EmbeddedObjectContainer::GetGraphicReplacementStream(long, com::sun::star::uno::Reference<com::sun::star::embed::XEmbeddedObject> const&, rtl::OUString*) /comphelper/source/container/embeddedobjectcontainer.cxx:1425:54
>     #24 0x2ad6a447182c in svt::EmbeddedObjectRef::GetGraphicReplacementStream(long, com::sun::star::uno::Reference<com::sun::star::embed::XEmbeddedObject> const&, rtl::OUString*) /svtools/source/misc/embedhlp.cxx:809:12
>     #25 0x2ad6a446c7d4 in svt::EmbeddedObjectRef::GetGraphicStream(bool) const /svtools/source/misc/embedhlp.cxx:616:23
>     #26 0x2ad6a4469e58 in svt::EmbeddedObjectRef::GetReplacement(bool) /svtools/source/misc/embedhlp.cxx:424:46
>     #27 0x2ad6a446d4ea in svt::EmbeddedObjectRef::GetGraphic() const /svtools/source/misc/embedhlp.cxx:453:54
>     #28 0x2ad69d4a9470 in SdrOle2Obj::GetGraphic() const /svx/source/svdraw/svdoole2.cxx:1635:33
>     #29 0x2ad71b222d01 in ScDrawTransferObj::ScDrawTransferObj(std::unique_ptr<SdrModel, std::default_delete<SdrModel> >, ScDocShell*, TransferableObjectDescriptor const&) /sc/source/ui/app/drwtrans.cxx:191:107
>     #30 0x2ad71d7da932 in ScDrawView::DoCopy() /sc/source/ui/view/drawvie4.cxx:364:56
>     #31 0x2ad71c1fb75a in ScDrawShell::ExecDrawFunc(SfxRequest&) /sc/source/ui/drawfunc/drawsh5.cxx:328:20
>     #32 0x2ad71c1b181f in SfxStubScDrawShellExecDrawFunc(SfxShell*, SfxRequest&) /workdir/SdiTarget/sc/sdi/scslots.hxx:2823:1
>     #33 0x2ad68de39d05 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) /include/sfx2/shell.hxx:197:35
>     #34 0x2ad68ddd1214 in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:16
>     #35 0x2ad68dde721f in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9
>     #36 0x2ad68dd5edff in SfxBindings::Execute_Impl(SfxRequest&, SfxSlot const*, SfxShell*) /sfx2/source/control/bindings.cxx:1060:22
>     #37 0x2ad68e24a322 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /sfx2/source/control/unoctitm.cxx:758:53
>     #38 0x2ad68e245261 in SfxOfficeDispatch::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /sfx2/source/control/unoctitm.cxx:229:16
>     #39 0x2ad67e465052 in comphelper::dispatchCommand(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /comphelper/source/misc/dispatchcommand.cxx:61:12
>     #40 0x2ad67e4657c5 in comphelper::dispatchCommand(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /comphelper/source/misc/dispatchcommand.cxx:76:12
>     #41 0x2ad6b39a49a6 in UITest::executeCommand(rtl::OUString const&) /vcl/source/uitest/uitest.cxx:24:12
>     #42 0x2ad6b39b7240 in (anonymous namespace)::UITestUnoObj::executeCommand(rtl::OUString const&) /vcl/source/uitest/uno/uitest_uno.cxx:69:12
>     #43 0x2ad6ee6508db in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) /bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:77:5
>     #44 0x2ad6ee64abf2 in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) /bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
>     #45 0x2ad6ee64773d in unoInterfaceProxyDispatch /bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:413:13
>     #46 0x2ad6f3a7d2ca in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*) const /binaryurp/source/incomingrequest.cxx:235:13
>     #47 0x2ad6f3a76eea in binaryurp::IncomingRequest::execute() const /binaryurp/source/incomingrequest.cxx:78:26
>     #48 0x2ad6f3b53c37 in request /binaryurp/source/reader.cxx:85:9
>     #49 0x2ad67f973ac4 in cppu_threadpool::JobQueue::enter(void const*, bool) /cppu/source/threadpool/jobqueue.cxx:100:17
>     #50 0x2ad67f9978eb in cppu_threadpool::ORequestThread::run() /cppu/source/threadpool/thread.cxx:165:31
>     #51 0x2ad67f9a362f in threadFunc /include/osl/thread.hxx:189:15
>     #52 0x2ad67644edc8 in osl_thread_start_Impl(void*) /sal/osl/unx/thread.cxx:264:9
>     #53 0x2ad6782f2ea4 in start_thread (/lib64/libpthread.so.0+0x7ea4)
>     #54 0x2ad678c2896c in clone (/lib64/libc.so.6+0xfe96c)

because lcl_getSingleCellAddressFromXMLString is called with 
rXMLString="PivotChart", nStartPos=1, nEndPos=9, so calculating nColumn 
in that while loop overflows.

I have no idea whether lcl_getSingleCellAddressFromXMLString is 
legitimately getting called here with those arguments (or if the real 
error is somewhere else), what that nColumn computation actually means, 
nor what's going on in general.  If anybody knowledgeable about that 
code could please have a look.



More information about the LibreOffice mailing list