From 061f7ba80efe621503531ca9512b194ad8cefcd3 Mon Sep 17 00:00:00 2001 
From: Stephan Bergmann Date: Fri, 17 Sep 2021 09:24:22 +0200 Subject: Fix calculation of alloca'ed memory size ...after 16d645e5b8f11b4ddb49a2b58bde388b28960abc "speedup Transliteration_body::transliterateImpl", which caused dynamic-stack-buffer-overflow ( ==4003==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffe890f7d2 at pc 0x0000004b1c2d bp 0x7fffe890f490 sp 0x7fffe890ec40 > WRITE of size 2 at 0x7fffe890f7d2 thread T0 > #0 0x4b1c2c in __asan_memmove /home/tdf/lode/packages/llvm-llvmorg-9.0.1.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:30 > #1 0x2b8b4222ef65 in char16_t* std::__copy_move::__copy_m(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:368:6 > #2 0x2b8b4222eec0 in char16_t* std::__copy_move_a(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:385:14 > #3 0x2b8b4222d9be in char16_t* std::__copy_move_a2(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:422:18 > #4 0x2b8b4222d2be in char16_t* std::copy(char16_t const*, char16_t const*, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algobase.h:454:15 > #5 0x2b8b4222cf43 in char16_t* std::__copy_n(char16_t const*, signed char, char16_t*, std::random_access_iterator_tag) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algo.h:782:14 > #6 0x2b8b4222b495 in char16_t* std::copy_n(char16_t const*, signed char, char16_t*) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_algo.h:806:14 > #7 0x2b8b42225872 in 
i18npool::Transliteration_body::transliterateImpl(rtl::OUString const&, int, int, com::sun::star::uno::Sequence*) /i18npool/source/transliteration/transliteration_body.cxx:145:13 > #8 0x2b8b42236f35 in i18npool::transliteration_commonclass::transliterateString2String(rtl::OUString const&, int, int) /i18npool/source/transliteration/transliteration_commonclass.cxx:109:12 > #9 0x2b8b41fbc740 in i18npool::cclass_Unicode::toUpper(rtl::OUString const&, int, int, com::sun::star::lang::Locale const&) /i18npool/source/characterclassification/cclass_unicode.cxx:67:19 > #10 0x2b8b41fbc7b2 in non-virtual thunk to i18npool::cclass_Unicode::toUpper(rtl::OUString const&, int, int, com::sun::star::lang::Locale const&) /i18npool/source/characterclassification/cclass_unicode.cxx > #11 0x2b8b41ff1335 in i18npool::CharacterClassificationImpl::toUpper(rtl::OUString const&, int, int, com::sun::star::lang::Locale const&) /i18npool/source/characterclassification/characterclassificationImpl.cxx:47:63 [...] Change-Id: I5273e234c8921f635e31c414cb0e427ee8b04a95 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122234 Reviewed-by: Noel Grandin Reviewed-by: Stephan Bergmann Tested-by: Jenkins
---
 i18npool/source/transliteration/transliteration_body.cxx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'i18npool')
diff --git a/i18npool/source/transliteration/transliteration_body.cxx b/i18npool/source/transliteration/transliteration_body.cxx
index 3581212af8b3..1f4541082435 100644
--- a/i18npool/source/transliteration/transliteration_body.cxx
+++ b/i18npool/source/transliteration/transliteration_body.cxx
@@ -104,9 +104,8 @@ Transliteration_body::transliterateImpl(
 constexpr sal_Int32 nLocalBuf = 2048;
 sal_Unicode* out;
 std::unique_ptr pHeapBuf;
- size_t nBytes = (nCount + 1) * sizeof(sal_Unicode);
- if (nBytes <= nLocalBuf * NMAPPINGMAX)
- out = static_cast(alloca(nBytes));
+ if (nCount <= nLocalBuf)
+ out = static_cast(alloca(nCount * NMAPPINGMAX * sizeof(sal_Unicode)));
 else
 {
 pHeapBuf.reset(new sal_Unicode[ nCount * NMAPPINGMAX ]);
-- cgit
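Review bot: The stack and heap branches still spell the output size out independently (`nCount * NMAPPINGMAX` inside the alloca and again inside the `new[]`), and the removed lines show this is exactly how the two sizes drifted apart in 16d645e5b8f11b4ddb49a2b58bde388b28960abc; computing it once, `const size_t nOutElems = static_cast<size_t>(nCount) * NMAPPINGMAX;`, then `alloca(nOutElems * sizeof(sal_Unicode))` and `new sal_Unicode[nOutElems]`, keeps them in lockstep. The new `nCount <= nLocalBuf` test also admits a negative nCount, which would turn the alloca argument into a wrapped size_t; if nCount is not already rejected earlier (transliterateImpl's body starts and ends outside this hunk), a `nCount >= 0` precondition or assertion belongs before the allocation. A short comment such as `// stack buffer bounded by nLocalBuf * NMAPPINGMAX * sizeof(sal_Unicode) bytes` would record why the threshold is now expressed in input characters rather than bytes.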