authorNoel Grandin <noelgrandin@gmail.com>2024-03-06 22:30:16 +0200
committerNoel Grandin <noel.grandin@collabora.co.uk>2024-03-07 06:51:57 +0100
commitaad40b222cc646749cf7bb67e8d45a2d77018eb8 (patch)
tree2b1e601c2060bc6041acbb5c21be461ef8b052e6
parentb0f8b695ef25dfd24416afe36b26d7d4f41c40a9 (diff)
fix use-after-free in PDFWriterImpl::appendUnicodeTextStringEncrypt
where if the resize triggers a copy, the pCopy pointer is now pointing to a block of memory that has been freed. Change-Id: I2ecfe6ad30f85b4c9e8c85f6296ac03ed4f04c8c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164485 Tested-by: Jenkins Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
-rw-r--r--vcl/source/gdi/pdfwriter_impl.cxx2
1 files changed, 1 insertions, 1 deletions
diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx
index 123a5fcbfcd2..bb444b32cf3d 100644
--- a/vcl/source/gdi/pdfwriter_impl.cxx
+++ b/vcl/source/gdi/pdfwriter_impl.cxx
@@ -1526,9 +1526,9 @@ inline void PDFWriterImpl::appendUnicodeTextStringEncrypt( const OUString& rInSt
sal_Int32 nLen = rInString.getLength();
//prepare a unicode string, encrypt it
enableStringEncryption( nInObjectNumber );
- sal_uInt8 *pCopy = m_vEncryptionBuffer.data();
sal_Int32 nChars = 2 + (nLen * 2);
m_vEncryptionBuffer.resize(nChars);
+ sal_uInt8 *pCopy = m_vEncryptionBuffer.data();
*pCopy++ = 0xFE;
*pCopy++ = 0xFF;
// we need to prepare a byte stream from the unicode string buffer
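Review bot: The corrected ordering is easy to undo in a later refactor, so the new `pCopy` line deserves a comment such as `// take data() only after resize(): a reallocation invalidates earlier pointers into m_vEncryptionBuffer`. Separately, `nChars = 2 + (nLen * 2)` is computed in `sal_Int32`, so a very long `rInString` could overflow before `resize()` is called. If such lengths are reachable from document content, a bound check on `nLen` ahead of the multiplication would keep the raw `*pCopy++` writes provably inside the buffer. The function body continues past the end of this hunk, so the loop that consumes `pCopy` is not visible here.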