From 6fb5a87e31b7df01f4b212ab979ae57e8d4ab4fb Mon Sep 17 00:00:00 2001
From: Mike Kaganski <mike.kaganski@collabora.com>
Date: Fri, 11 Mar 2022 15:19:41 +0300
Subject: Related: tdf#128610 Avoid use-after-free

Creating SvMemoryStream from string makes it non-owning, i.e. pointing
to the string's memory. So the string must outlive the stream.

Since commit 64bc8b45b5c23efc5fe57585a69aa4263aaf4e83
  Date   Wed Jul 08 12:31:43 2015 +0000
    i#107734 Support for Math Input Panel in Windows 7

Was only working by chance, when destructor didn't clean the memory
(e.g., in optimized release builds) and the released memory hasn't
been reused yet.

Change-Id: I2e0c195de7bd2aff2889a94ef0f2eb084411933f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131373
Tested-by: Mike Kaganski <mike.kaganski@collabora.com>
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
(cherry picked from commit c964700d16d99d1569373a1eb9a1352fb3512915)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131474
Tested-by: Jenkins
Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131541
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
 starmath/source/view.cxx | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/starmath/source/view.cxx b/starmath/source/view.cxx
index d369ad97db20..34b5572a5286 100644
--- a/starmath/source/view.cxx
+++ b/starmath/source/view.cxx
@@ -1774,31 +1774,18 @@ void SmViewShell::Execute(SfxRequest& rReq)
                                 SfxFilter::GetFilterByName(MATHML_XML);
                             aClipboardMedium.SetFilter(pMathFilter);
 
-                            std::unique_ptr<SvMemoryStream> pStrm;
                             // The text to be imported might asserts encoding like 'encoding="utf-8"' but FORMAT_STRING is UTF-16.
                             // Force encoding to UTF-16, if encoding exists.
-                            bool bForceUTF16 = false;
                             sal_Int32 nPosL = aString.indexOf("encoding=\"");
-                            sal_Int32 nPosU = -1;
                             if ( nPosL >= 0 && nPosL +10 < aString.getLength() )
                             {
                                 nPosL += 10;
-                                nPosU = aString.indexOf( '"',nPosL);
+                                sal_Int32 nPosU = aString.indexOf( '"',nPosL);
                                 if (nPosU > nPosL)
-                                {
-                                    bForceUTF16 = true;
-                                }
+                                    aString = aString.replaceAt(nPosL, nPosU - nPosL, u"UTF-16");
                             }
-                            if ( bForceUTF16 )
-                            {
-                                OUString aNewString = aString.replaceAt( nPosL,nPosU-nPosL,"UTF-16");
-                                pStrm.reset(new SvMemoryStream( const_cast<sal_Unicode *>(aNewString.getStr()), aNewString.getLength() * sizeof(sal_Unicode), StreamMode::READ));
-                            }
-                            else
-                            {
-                                pStrm.reset(new SvMemoryStream( const_cast<sal_Unicode *>(aString.getStr()), aString.getLength() * sizeof(sal_Unicode), StreamMode::READ));
-                            }
-                            uno::Reference<io::XInputStream> xStrm2( new ::utl::OInputStreamWrapper(*pStrm) );
+                            SvMemoryStream aStrm( const_cast<sal_Unicode *>(aString.getStr()), aString.getLength() * sizeof(sal_Unicode), StreamMode::READ);
+                            uno::Reference<io::XInputStream> xStrm2( new ::utl::OInputStreamWrapper(aStrm) );
                             aClipboardMedium.setStreamToLoadFrom(xStrm2, true /*bIsReadOnly*/);
                             InsertFrom(aClipboardMedium);
                             GetDoc()->UpdateText();
-- 
cgit