author | Miklos Vajna <vmiklos@collabora.com> | 2022-01-10 13:38:46 +0100 |
---|---|---|
committer | Xisco Fauli <xiscofauli@libreoffice.org> | 2022-01-11 10:09:42 +0100 |
commit | e1449eaf3b2b0bf4ebed44bbcf54e5e01d356465 (patch) | |
tree | 7bb54c2f9a93c9911c6f7f3c5aa968b06c422c6b /extensions | |
parent | ofz#43458 avoid OOM (diff) | |

editeng: avoid writing past the end of pLine->GetCharPosArray()

Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault.
0x00007ffff6df4951 in ?? () from /usr/lib64/libstdc++.so.6
(gdb) bt 10
#0 0x00007ffff6df4951 in () at /usr/lib64/libstdc++.so.6
#1 0x00007ffff6df5792 in __gnu_debug::_Error_formatter::_M_error() const () at /usr/lib64/libstdc++.so.6
#2 0x00007ffff47384bf in std::__debug::vector<int, std::allocator<int> >::operator[](unsigned long) (this=0x6b3dca0, __n=7) at /usr/include/c++/7/debug/vector:417
#3 0x00007ffff47b5440 in ImpEditEngine::ImpBreakLine(ParaPortion*, EditLine*, TextPortion const*, int, long, bool) (this=
0x1ce0040, pParaPortion=0x206a010, pLine=0x6b3dca0, pPortion=0x6b3e480, nPortionStart=0, nRemainingWidth=5093, bCanHyphenate=false)
at editeng/source/editeng/impedit3.cxx:2041
#4 0x00007ffff47b1fb6 in ImpEditEngine::CreateLines(int, unsigned int) (this=0x1ce0040, nPara=0, nStartPosY=0)
at editeng/source/editeng/impedit3.cxx:1352
#5 0x00007ffff47ad0c2 in ImpEditEngine::FormatDoc() (this=0x1ce0040) at editeng/source/editeng/impedit3.cxx:387
#6 0x00007ffff47bf516 in ImpEditEngine::FormatAndLayout(EditView*, bool) (this=0x1ce0040, pCurView=0x0, bCalledFromUndo=false)
at editeng/source/editeng/impedit3.cxx:4190
#7 0x00007ffff47be333 in ImpEditEngine::SetUpdateLayout(bool, EditView*, bool) (this=0x1ce0040, bUp=true, pCurView=0x0, bForceUpdate=false)
at editeng/source/editeng/impedit3.cxx:3927
#8 0x00007ffff46f059e in EditEngine::SetUpdateLayout(bool, bool) (this=0x1ce2b20, bUpdate=true, bRestoring=false)
at editeng/source/editeng/editeng.cxx:1472
#9 0x00007ffff48ce5e3 in Outliner::SetText(OutlinerParaObject const&) (this=0x1ce0cc0, rPObj=...) at editeng/source/outliner/outliner.cxx:586
(More stack frames follow...)
(gdb) frame 3
#3 0x00007ffff47b5440 in ImpEditEngine::ImpBreakLine (this=0x1ce0040, pParaPortion=0x206a010, pLine=0x6b3dca0, pPortion=0x6b3e480, nPortionStart=0, nRemainingWidth=5093,
bCanHyphenate=false) at editeng/source/editeng/impedit3.cxx:2041
2041 pLine->GetCharPosArray()[ nPosInArray ] = rTP.GetSize().Width();
(gdb) print pLine->GetCharPosArray()
[Thread 0x7fffd2010700 (LWP 5008) exited]
$1 = std::__debug::vector of length 7, capacity 7 = {707, 1414, 2121, 2828, 3535, 4242, 4949}
(gdb) print nPosInArray
$2 = 7
Change-Id: I3a8121c0c0a3b0949e91eb53c0468f7e629b146f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128223
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins
(cherry picked from commit 56ded398c9c72810f20b9da0aa98097739423180)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128231
Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
Diffstat (limited to 'extensions')
0 files changed, 0 insertions, 0 deletions