Avoid signed-integer-overflow parsing table:cell-range-address="PivotChart"

...as happens during UITest_chart UITEST_TEST_NAME=tdf107097.tdf107097.test_tdf107097 ever since 86b192965ee8d625092b723337f6a65bdf34dcb7 "tdf#107097: sc: Add UItest" added that test (see <https://ci.libreoffice.org/job/lo_ubsan/1919/>), > /chart2/source/tools/XMLRangeHelper.cxx:136:52: runtime error: signed integer overflow: 15 * 308915776 cannot be represented in type 'int' > #0 0x2ad74a554918 in (anonymous namespace)::lcl_getSingleCellAddressFromXMLString(rtl::OUString const&, int, int, chart::XMLRangeHelper::Cell&) /chart2/source/tools/XMLRangeHelper.cxx:136:52 > #1 0x2ad74a553482 in (anonymous namespace)::lcl_getCellAddressFromXMLString(rtl::OUString const&, int, int, chart::XMLRangeHelper::Cell&, rtl::OUString&) /chart2/source/tools/XMLRangeHelper.cxx:217:13 > #2 0x2ad74a5505da in (anonymous namespace)::lcl_getCellRangeAddressFromXMLString(rtl::OUString const&, int, int, chart::XMLRangeHelper::CellRange&) /chart2/source/tools/XMLRangeHelper.cxx:253:19 > #3 0x2ad74a54fde1 in chart::XMLRangeHelper::getCellRangeFromXMLString(rtl::OUString const&) /chart2/source/tools/XMLRangeHelper.cxx:328:15 > #4 0x2ad74a2aed4d in chart::InternalDataProvider::convertRangeFromXML(rtl::OUString const&) /chart2/source/tools/InternalDataProvider.cxx:1227:39 > #5 0x2ad74a2b0164 in non-virtual thunk to chart::InternalDataProvider::convertRangeFromXML(rtl::OUString const&) /chart2/source/tools/InternalDataProvider.cxx > #6 0x2ad6c4784257 in (anonymous namespace)::lcl_ConvertRange(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::chart2::XChartDocument> const&) /xmloff/source/chart/SchXMLPlotAreaContext.cxx:76:32 > #7 0x2ad6c4779a67 in SchXMLPlotAreaContext::startFastElement(int, com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList> const&) /xmloff/source/chart/SchXMLPlotAreaContext.cxx:233:34 > #8 0x2ad6c4c6328a in SvXMLImport::startFastElement(int, com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList> const&) /xmloff/source/core/xmlimp.cxx:797:15 > #9 0x2ad704988b78 in (anonymous namespace)::Entity::startElement((anonymous namespace)::Event const*) /sax/source/fastparser/fastparser.cxx:468:27 > #10 0x2ad70496f681 in sax_fastparser::FastSaxParserImpl::consume((anonymous namespace)::EventList&) /sax/source/fastparser/fastparser.cxx:1026:25 > #11 0x2ad70496c65f in sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource const&) /sax/source/fastparser/fastparser.cxx:870:22 > #12 0x2ad7049905d1 in sax_fastparser::FastSaxParser::parseStream(com::sun::star::xml::sax::InputSource const&) /sax/source/fastparser/fastparser.cxx:1482:13 > #13 0x2ad6c4c52b80 in SvXMLImport::parseStream(com::sun::star::xml::sax::InputSource const&) /xmloff/source/core/xmlimp.cxx:504:15 > #14 0x2ad749aafe1e in chart::XMLFilter::impl_ImportStream(rtl::OUString const&, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::lang::XMultiComponentFactory> const&, com::sun::star::uno::Reference<com::sun::star::document::XGraphicStorageHandler> const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&) /chart2/source/model/filter/XMLFilter.cxx:473:34 > #15 0x2ad749aa9f01 in chart::XMLFilter::impl_Import(com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /chart2/source/model/filter/XMLFilter.cxx:375:35 > #16 0x2ad749aa0988 in chart::XMLFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /chart2/source/model/filter/XMLFilter.cxx:221:13 > #17 0x2ad749c2c76e in chart::ChartModel::impl_load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&) /chart2/source/model/main/ChartModel_Persistence.cxx:567:18 > #18 0x2ad749c30eea in chart::ChartModel::loadFromStorage(com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /chart2/source/model/main/ChartModel_Persistence.cxx:759:5 > #19 0x2ad74244b977 in OCommonEmbeddedObject::LoadDocumentFromStorage_Impl() /embeddedobj/source/commonembedding/persistence.cxx:535:19 > #20 0x2ad7423d7bde in OCommonEmbeddedObject::SwitchStateTo_Impl(int) /embeddedobj/source/commonembedding/embedobj.cxx:185:49 > #21 0x2ad7423e32ff in OCommonEmbeddedObject::changeState(int) /embeddedobj/source/commonembedding/embedobj.cxx:453:13 > #22 0x2ad7424b7057 in OCommonEmbeddedObject::getPreferredVisualRepresentation(long) /embeddedobj/source/commonembedding/visobj.cxx:168:9 > #23 0x2ad67e08fdb6 in comphelper::EmbeddedObjectContainer::GetGraphicReplacementStream(long, com::sun::star::uno::Reference<com::sun::star::embed::XEmbeddedObject> const&, rtl::OUString*) /comphelper/source/container/embeddedobjectcontainer.cxx:1425:54 > #24 0x2ad6a447182c in svt::EmbeddedObjectRef::GetGraphicReplacementStream(long, com::sun::star::uno::Reference<com::sun::star::embed::XEmbeddedObject> const&, rtl::OUString*) /svtools/source/misc/embedhlp.cxx:809:12 > #25 0x2ad6a446c7d4 in svt::EmbeddedObjectRef::GetGraphicStream(bool) const /svtools/source/misc/embedhlp.cxx:616:23 > #26 0x2ad6a4469e58 in svt::EmbeddedObjectRef::GetReplacement(bool) /svtools/source/misc/embedhlp.cxx:424:46 > #27 0x2ad6a446d4ea in svt::EmbeddedObjectRef::GetGraphic() const /svtools/source/misc/embedhlp.cxx:453:54 > #28 0x2ad69d4a9470 in SdrOle2Obj::GetGraphic() const /svx/source/svdraw/svdoole2.cxx:1635:33 > #29 0x2ad71b222d01 in ScDrawTransferObj::ScDrawTransferObj(std::unique_ptr<SdrModel, std::default_delete<SdrModel> >, ScDocShell*, TransferableObjectDescriptor const&) /sc/source/ui/app/drwtrans.cxx:191:107 > #30 0x2ad71d7da932 in ScDrawView::DoCopy() /sc/source/ui/view/drawvie4.cxx:364:56 > #31 0x2ad71c1fb75a in ScDrawShell::ExecDrawFunc(SfxRequest&) /sc/source/ui/drawfunc/drawsh5.cxx:328:20 > #32 0x2ad71c1b181f in SfxStubScDrawShellExecDrawFunc(SfxShell*, SfxRequest&) /workdir/SdiTarget/sc/sdi/scslots.hxx:2823:1 > #33 0x2ad68de39d05 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) /include/sfx2/shell.hxx:197:35 > #34 0x2ad68ddd1214 in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:16 > #35 0x2ad68dde721f in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9 > #36 0x2ad68dd5edff in SfxBindings::Execute_Impl(SfxRequest&, SfxSlot const*, SfxShell*) /sfx2/source/control/bindings.cxx:1060:22 > #37 0x2ad68e24a322 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /sfx2/source/control/unoctitm.cxx:758:53 > #38 0x2ad68e245261 in SfxOfficeDispatch::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /sfx2/source/control/unoctitm.cxx:229:16 > #39 0x2ad67e465052 in comphelper::dispatchCommand(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /comphelper/source/misc/dispatchcommand.cxx:61:12 > #40 0x2ad67e4657c5 in comphelper::dispatchCommand(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /comphelper/source/misc/dispatchcommand.cxx:76:12 > #41 0x2ad6b39a49a6 in UITest::executeCommand(rtl::OUString const&) /vcl/source/uitest/uitest.cxx:24:12 > #42 0x2ad6b39b7240 in (anonymous namespace)::UITestUnoObj::executeCommand(rtl::OUString const&) /vcl/source/uitest/uno/uitest_uno.cxx:69:12 > #43 0x2ad6ee6508db in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) /bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:77:5 > #44 0x2ad6ee64abf2 in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) /bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13 > #45 0x2ad6ee64773d in unoInterfaceProxyDispatch /bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:413:13 > #46 0x2ad6f3a7d2ca in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*) const /binaryurp/source/incomingrequest.cxx:235:13 Creating a pivot chart apparently generates XML output containing <chart:plot-area table:cell-range-address="PivotChart" ...> which does not conform to ODF, see the mail thread starting at <https://lists.freedesktop.org/archives/libreoffice/2021-February/086884.html> "Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn computation" for details. And, ignoring the signed-integer-overflow UB for now, InternalDataProvider::convertRangeFromXML would always have returned an empty OUString for an input of aXMLRange="PivotChart": chart::XMLRangeHelper::getCellRangeFromXMLString with rXMLString="PivotChart" calls lcl_getCellAddressFromXMLString with rXMLString="PivotChart", nStartPos=0, nEndPos=9, its leading while-loop mis-computes nDelimiterPos=nEndPos, so calls lcl_getCellAddressFromXMLString with rXMLString="PivotChart", nStartPos=0, nEndPos=9, its leading while-loop mis-computes nDelimiterPos=nEndPos, so it doesn't set rOutTableName, so lcl_getCellAddressFromXMLString returns bResult=false, so chart::XMLRangeHelper::getCellRangeFromXMLString returns an empty CellRange(). So, similar to 9e5314f19c9dcff35b5cee5c5a1b7f744e495b2e "tdf#107097 invoke internal DP and correctly handle 'range' names" added special handling of aXMLRange values starting with "PT@" to InternalDataProvider::convertRangeFromXML, also add explicit special handling for "PivotChart" (instead of relying on the later code returning an empty string, but after invoking UB). Change-Id: I1671f0ab3b3ab00dce8e348aa3b7141ebebaaad5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/112207 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
author: Stephan Bergmann <sbergman@redhat.com> 2021-03-09 15:52:21 +0100
committer: Stephan Bergmann <sbergman@redhat.com> 2021-03-09 20:16:28 +0100
commit: 6d43ba110084605462901bcee786c7ae4c1f3bdf (patch)
tree: 159361625bd1a5e0596a8e101fb93d2a3c98ef09
parent: 8e7dc248f2787df0e658c4ece33220944fca7f16 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/chart2/source/tools/InternalDataProvider.cxx b/chart2/source/tools/InternalDataProvider.cxx
index f1bf987fa2c6..edbef2f39401 100644
--- a/chart2/source/tools/InternalDataProvider.cxx
+++ b/chart2/source/tools/InternalDataProvider.cxx
@@ -1220,6 +1220,13 @@ OUString SAL_CALL InternalDataProvider::convertRangeToXML( const OUString& aRang
 
 OUString SAL_CALL InternalDataProvider::convertRangeFromXML( const OUString& aXMLRange )
 {
+    // Handle non-standards-conforming table:cell-range-address="PivotChart", see
+    // <https://bugs.documentfoundation.org/show_bug.cgi?id=112783> "PIVOT CHARTS: Save produces
+    // invalid file because of invalid cell address":
+    if (aXMLRange == "PivotChart") {
+        return "";
+    }
+
     const OUString aPivotTableID("PT@");
     if (aXMLRange.startsWith(aPivotTableID))
         return aXMLRange.copy(aPivotTableID.getLength());
author	Stephan Bergmann <sbergman@redhat.com>	2021-03-09 15:52:21 +0100
committer	Stephan Bergmann <sbergman@redhat.com>	2021-03-09 20:16:28 +0100
commit	6d43ba110084605462901bcee786c7ae4c1f3bdf (patch)
tree	159361625bd1a5e0596a8e101fb93d2a3c98ef09
parent	8e7dc248f2787df0e658c4ece33220944fca7f16 (diff)