author | Stephan Bergmann <sbergman@redhat.com> | 2023-04-11 10:35:36 +0200 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2023-04-11 20:39:03 +0200 |
commit | c7c7f1c39630890f0c6eadbf9cd44b3ba88f9d81 (patch) | |
tree | 2a46db214538fb30750f4207337605c9d4b726dd | |
parent | set Referer on loading IFrames (diff) | |
Fix heap-buffer-overflow
...during CppunitTest_sc_ucalc, after 40e3e9fd1c501cc1978d4370b6392701ccd42a71
"tdf#113027 - Allow cycling cell reference types including whitespaces",
> ==5140==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000cfba74 at pc 0x7f36cb07ef6e bp 0x7ffd061d34d0 sp 0x7ffd061d34c8
> READ of size 2 at 0x604000cfba74 thread T0
> #0 0x7f36cb07ef6d in (anonymous namespace)::FindEndPosR1C1(char16_t const*, int, int) /sc/source/core/tool/reffind.cxx:91:13
> #1 0x7f36cb07cf0f in (anonymous namespace)::FindEndPos(char16_t const*, int, int, formula::FormulaGrammar::AddressConvention) /sc/source/core/tool/reffind.cxx:126:20
> #2 0x7f36cb07b029 in ScRefFinder::ToggleRel(int, int) /sc/source/core/tool/reffind.cxx:262:28
> #3 0x7f36c7b8482b in testTdf113027::TestBody() /sc/qa/unit/ucalc.cxx:467:13
>
> 0x604000cfba74 is located 0 bytes to the right of 36-byte region [0x604000cfba50,0x604000cfba74)
> allocated by thread T0 here:
> #0 0x4b7c20 in malloc /home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
> #1 0x7f371b927c59 in _rtl_uString* rtl::str::Alloc<_rtl_uString>(int) /sal/rtl/strtmpl.hxx:833:46
> #2 0x7f371b92640f in void rtl::str::newFromStr_WithLength<_rtl_uString, char>(_rtl_uString**, char const*, int, int) /sal/rtl/strtmpl.hxx:947:15
> #3 0x7f371b9797f0 in rtl_uString_newFromLiteral /sal/rtl/ustring.cxx:1252:5
> #4 0x7f36c7dab771 in rtl::OUString::OUString<char const [14]>(char const (&) [14], rtl::libreoffice_internal::ConstCharArrayDetector<char const [14], rtl::libreoffice_internal::Dummy>::Type) /include/rtl/ustring.hxx:365:13
> #5 0x7f36c7b843e8 in testTdf113027::TestBody() /sc/qa/unit/ucalc.cxx:462:31
(<https://ci.libreoffice.org/job/lo_ubsan/2739/>)
Change-Id: Ie8d053cdb56bdf00bf21663b05521eca632ddfbc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150219
Reviewed-by: Andreas Heinisch <andreas.heinisch@yahoo.de>
Tested-by: Jenkins
(cherry picked from commit dc80c92a1e63fd88560fd77261b96f6c5be97273)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150199
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r-- | sc/source/core/tool/reffind.cxx | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sc/source/core/tool/reffind.cxx b/sc/source/core/tool/reffind.cxx
index c2851c7ff247..63c53a4f5e57 100644
--- a/sc/source/core/tool/reffind.cxx
+++ b/sc/source/core/tool/reffind.cxx
@@ -91,7 +91,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32 nStartPos, sal_Int32 nE
         if (*p == '\'')
         {
             // Skip until the closing quote.
-            for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+            for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
                 if (*p == '\'')
                     break;
             if (nNewEnd > nEndPos)
@@ -100,7 +100,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32 nStartPos, sal_Int32 nE
         else if (*p == '[')
         {
             // Skip until the closing bracket.
-            for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+            for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
                 if (*p == ']')
                     break;
             if (nNewEnd > nEndPos)
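Review bot: The fix restores the implicit invariant that `nNewEnd` is always the offset of `p` within the scanned range, but nothing in the code states it, and the ASan trace in the description (read at reffind.cxx:91:13, the outer `if (*p == '\'')`) shows how a one-element drift between the two became an out-of-bounds read once the inner loop ran to `nEndPos`. I would state the invariant next to the loop so the next edit keeps them in lockstep, e.g. `// p and nNewEnd must advance together: nNewEnd is p's offset into the range, and this loop condition is the only bounds check before *p is dereferenced.` The same applies to the bracket loop in the second hunk at `@@ -100,7 +100,7 @@`. Since both loops differ only in the closing character, folding them into one small static helper that takes `p`, `nNewEnd`, `nEndPos` and the delimiter would keep the pointer/index pairing in a single place rather than two. FindEndPosR1C1 starts and ends outside both hunks, so the outer loop that actually performed the overflowing read is not visible here.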