authorCaolán McNamara <caolanm@redhat.com>2022-04-01 15:08:09 +0100
committerEike Rathke <erack@redhat.com>2022-05-16 16:19:42 +0200
commit6d615be74e30f50b164e0342a0f8fb3324ce8058 (patch)
tree4dcbfcd7e92a58b87dd5a86de772be5e88931d4e
parent5ed1831e22715a615c88da0005521d3c1355f626 (diff)
forcepoint#97 avoid Invalid read of size 2
==143282== Invalid read of size 2 ==143282== at 0x190CDBFC: SfxItemSet::Count() const (itemset.hxx:96) ==143282== by 0x1910F33E: SfxItemSet::Get(unsigned short, bool) const (itemset.cxx:748) ==143282== by 0x1F14D76C: ScPatternAttr::GetItem(unsigned short, SfxItemSet const&, SfxItemSet const*) (patattr.cxx:1347) ==143282== by 0x1F14D7DA: ScPatternAttr::GetItem(unsigned short, SfxItemSet const*) const (patattr.cxx:1352) ==143282== by 0x202A3E44: ScLineBreakCell const& ScPatternAttr::GetItem<ScLineBreakCell>(TypedWhichId<ScLineBreakCell>, SfxItemSet const*) const (patattr.hxx:83) ==143282== by 0x2028E8BC: ScOutputData::LayoutStrings(bool, bool, ScAddress const&) (output2.cxx:1677) ==143282== by 0x2028D4A8: ScOutputData::DrawStrings(bool) (output2.cxx:1473) ==143282== by 0x202D9879: ScPrintFunc::PrintArea(short, int, short, int, long, long, bool, bool, bool, bool) (printfun.cxx:1675) ==143282== by 0x202DD459: ScPrintFunc::PrintPage(long, short, int, short, int, bool, ScPreviewLocationData*) (printfun.cxx:2301) ==143282== by 0x202DF491: ScPrintFunc::DoPrint(MultiSelection const&, long, long, bool, ScPreviewLocationData*) (printfun.cxx:2713) ==143282== by 0x20031888: ScModelObj::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (docuno.cxx:2259) ==143282== by 0x30C1A485: PDFExport::ExportSelection(vcl::PDFWriter&, com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, com::sun::star::uno::Any const&, StringRangeEnumerator const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) (pdfexport.cxx:219) ==143282== by 0x30C1F879: PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdfexport.cxx:987) ==143282== by 0x30C33BA2: PDFFilter::implExport(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdffilter.cxx:174) ==143282== by 0x30C33F2A: 
PDFFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdffilter.cxx:237) ==143282== by 0x21AC6986: SfxObjectShell::ExportTo(SfxMedium&) (objstor.cxx:2488) ==143282== by 0x21AC2363: SfxObjectShell::SaveTo_Impl(SfxMedium&, SfxItemSet const*) (objstor.cxx:1553) ==143282== by 0x21ACE816: SfxObjectShell::PreDoSaveAs_Impl(rtl::OUString const&, rtl::OUString const&, SfxItemSet const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (objstor.cxx:2966) ==143282== by 0x21ACCA87: SfxObjectShell::CommonSaveAs_Impl(INetURLObject const&, rtl::OUString const&, SfxItemSet&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (objstor.cxx:2756) ==143282== by 0x21AA8CDB: SfxObjectShell::APISaveAs_Impl(rtl::OUString const&, SfxItemSet&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (objserv.cxx:317) ==143282== by 0x21B2B4AD: SfxBaseModel::impl_store(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, bool) (sfxbasemodel.cxx:3132) ==143282== by 0x21B2CB12: SfxBaseModel::storeToURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (sfxbasemodel.cxx:1768) ==143282== by 0x1C507AFE: ScPDFExportTest::exportToPDF(com::sun::star::uno::Reference<com::sun::star::frame::XModel> const&, ScRange const&) (scpdfexport.cxx:192) ==143282== by 0x1C511A33: ScPDFExportTest::testForcepoint97() (scpdfexport.cxx:571) ==143282== by 0x1C52778D: void std::__invoke_impl<void, void (ScPDFExportTest::*&)(), ScPDFExportTest*&>(std::__invoke_memfun_deref, void (ScPDFExportTest::*&)(), ScPDFExportTest*&) (invoke.h:74) ==143282== by 0x1C5276C1: std::__invoke_result<void (ScPDFExportTest::*&)(), ScPDFExportTest*&>::type std::__invoke<void (ScPDFExportTest::*&)(), ScPDFExportTest*&>(void (ScPDFExportTest::*&)(), ScPDFExportTest*&) (invoke.h:96) ==143282== by 0x1C527659: void std::_Bind<void 
(ScPDFExportTest::*(ScPDFExportTest*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (functional:420) ==143282== by 0x1C5275E2: void std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()>::operator()<, void>() (functional:503) ==143282== by 0x1C52758C: void std::__invoke_impl<void, std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()>&>(std::__invoke_other, std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()>&) (invoke.h:61) ==143282== by 0x1C52753C: std::enable_if<is_invocable_r_v<void, std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()>&>, void>::type std::__invoke_r<void, std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()>&>(std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()>&) (invoke.h:111) ==143282== by 0x1C52731C: std::_Function_handler<void (), std::_Bind<void (ScPDFExportTest::*(ScPDFExportTest*))()> >::_M_invoke(std::_Any_data const&) (std_function.h:290) ==143282== by 0x1C527A34: std::function<void ()>::operator()() const (std_function.h:590) ==143282== by 0x1C527078: CppUnit::TestCaller<ScPDFExportTest>::runTest() (TestCaller.h:175) ==143282== by 0x49326F2: CppUnit::TestCaseMethodFunctor::operator()() const (TestCase.cpp:32) ==143282== by 0x15937E3D: (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (vclbootstrapprotector.cxx:46) ==143282== by 0x4929ED1: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (ProtectorChain.cpp:20) ==143282== by 0x4B05D6D: (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (unobootstrapprotector.cxx:78) ==143282== by 0x4929ED1: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (ProtectorChain.cpp:20) ==143282== by 0x4AF2F2A: (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (unoexceptionprotector.cxx:62) ==143282== by 0x4929ED1: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (ProtectorChain.cpp:20) 
==143282== by 0x491261E: CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (DefaultProtector.cpp:15) ==143282== by 0x4929ED1: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (ProtectorChain.cpp:20) ==143282== by 0x4928690: CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (ProtectorChain.cpp:86) ==143282== by 0x4946ACD: CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (TestResult.cpp:182) ==143282== by 0x4932103: CppUnit::TestCase::run(CppUnit::TestResult*) (TestCase.cpp:91) ==143282== by 0x4932BCF: CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) (TestComposite.cpp:64) ==143282== by 0x4932A5F: CppUnit::TestComposite::run(CppUnit::TestResult*) (TestComposite.cpp:23) ==143282== by 0x4932BCF: CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) (TestComposite.cpp:64) ==143282== by 0x4932A5F: CppUnit::TestComposite::run(CppUnit::TestResult*) (TestComposite.cpp:23) ==143282== by 0x494FDBF: CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) (TestRunner.cpp:47) ==143282== Address 0x1d7624b0 is 64 bytes inside a block of size 120 free'd ==143282== at 0x4847669: operator delete(void*) (vg_replace_malloc.c:923) ==143282== by 0x1F150EA1: ScPatternAttr::~ScPatternAttr() (patattr.hxx:53) ==143282== by 0x190D29B2: SfxItemPool::Remove(SfxPoolItem const&) (itempool.cxx:802) ==143282== by 0x1EA27F8E: ScAttrArray::SetPatternAreaImpl(int, int, ScPatternAttr const*, bool, ScEditDataArray*, bool) (attarray.cxx:574) ==143282== by 0x1EBF43D5: ScAttrArray::SetPattern(int, ScPatternAttr const*, bool) (attarray.hxx:148) ==143282== by 0x1EBD9068: ScColumn::ApplyAttr(int, SfxPoolItem const&) (column.cxx:634) ==143282== by 0x1EC6C1EB: ScColumn::SetNumberFormat(int, unsigned int) (column2.cxx:3094) ==143282== by 0x1F1CB737: ScTable::SetNumberFormat(short, 
int, unsigned int) (table2.cxx:2238) ==143282== by 0x1EE3F135: ScDocument::SetNumberFormat(ScAddress const&, unsigned int) (document.cxx:3717) ==143282== by 0x1F09CCA5: ScFormulaCell::InterpretTail(ScInterpreterContext&, ScFormulaCell::ScInterpretTailParameter) (formulacell.cxx:2155) ==143282== by 0x1F099D9F: ScFormulaCell::Interpret(int, int) (formulacell.cxx:1615) ==143282== by 0x1ECC048D: ScFormulaCell::MaybeInterpret() (formulacell.hxx:465) ==143282== by 0x1F09F5C8: ScFormulaCell::IsValue() (formulacell.cxx:2760) ==143282== by 0x1EA82355: (anonymous namespace)::hasNumericImpl(CellType, ScFormulaCell*) (cellvalue.cxx:155) ==143282== by 0x1EA822FA: ScRefCellValue::hasNumeric() const (cellvalue.cxx:624) ==143282== by 0x2028E876: ScOutputData::LayoutStrings(bool, bool, ScAddress const&) (output2.cxx:1676) ==143282== by 0x2028D4A8: ScOutputData::DrawStrings(bool) (output2.cxx:1473) ==143282== by 0x202D9879: ScPrintFunc::PrintArea(short, int, short, int, long, long, bool, bool, bool, bool) (printfun.cxx:1675) ==143282== by 0x202DD459: ScPrintFunc::PrintPage(long, short, int, short, int, bool, ScPreviewLocationData*) (printfun.cxx:2301) ==143282== by 0x202DF491: ScPrintFunc::DoPrint(MultiSelection const&, long, long, bool, ScPreviewLocationData*) (printfun.cxx:2713) ==143282== by 0x20031888: ScModelObj::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (docuno.cxx:2259) ==143282== by 0x30C1A485: PDFExport::ExportSelection(vcl::PDFWriter&, com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, com::sun::star::uno::Any const&, StringRangeEnumerator const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) (pdfexport.cxx:219) Change-Id: Idf19b79f5aef7e07666249f5f9ec510003a3f886 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134362 Tested-by: Jenkins Reviewed-by: Eike Rathke <erack@redhat.com>
-rw-r--r--sc/inc/document.hxx5
-rw-r--r--sc/qa/extras/scpdfexport.cxx14
-rw-r--r--sc/qa/extras/testdocuments/forcepoint97.xlsxbin0 -> 21127 bytes
-rw-r--r--sc/source/core/data/documen2.cxx1
-rw-r--r--sc/source/core/data/formulacell.cxx3
-rw-r--r--sc/source/ui/view/output2.cxx7
6 files changed, 29 insertions, 1 deletions
diff --git a/sc/inc/document.hxx b/sc/inc/document.hxx
index 029a339f94a7..5e3c3c7a824b 100644
--- a/sc/inc/document.hxx
+++ b/sc/inc/document.hxx
@@ -563,6 +563,8 @@ private:
bool mbFinalTrackFormulas : 1;
// This indicates if a ScDocShell::DoRecalc() or ScDocShell::DoHardRecalc() is in progress.
bool mbDocShellRecalc : 1;
+ // This indicates if a ScOutputData::LayoutStrings() is in progress.
+ bool mbLayoutStrings : 1;
size_t mnMutationGuardFlags;
@@ -2556,6 +2558,9 @@ public:
bool IsInDocShellRecalc() const { return mbDocShellRecalc; }
void SetDocShellRecalc(bool bSet) { mbDocShellRecalc = bSet; }
+ bool IsInLayoutStrings() const { return mbLayoutStrings; }
+ void SetLayoutStrings(bool bSet) { mbLayoutStrings = bSet; }
+
/**
* Serializes the specified sheet's geometry data.
*
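Review bot: The new public accessors `IsInLayoutStrings()` / `SetLayoutStrings()` carry no documentation of what the flag changes elsewhere, and the member comment only says that a layout is in progress. On this page the flag makes `ScFormulaCell::InterpretTail()` skip its number-format write, so a caller that sets it and never restores it would suppress that write for the whole document. I would add a doc comment above the pair, for example `/// While set, formula interpretation does not apply number formats to cells; callers must restore the previous value (see ScOutputData::LayoutStrings()).` The class body continues outside the hunk.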
diff --git a/sc/qa/extras/scpdfexport.cxx b/sc/qa/extras/scpdfexport.cxx
index 61c9376d5ac2..a0613de74e9a 100644
--- a/sc/qa/extras/scpdfexport.cxx
+++ b/sc/qa/extras/scpdfexport.cxx
@@ -72,6 +72,7 @@ public:
void testTdf143978();
void testTdf84012();
void testTdf78897();
+ void testForcepoint97();
CPPUNIT_TEST_SUITE(ScPDFExportTest);
CPPUNIT_TEST(testExportRange_Tdf120161);
@@ -81,6 +82,7 @@ public:
CPPUNIT_TEST(testTdf143978);
CPPUNIT_TEST(testTdf84012);
CPPUNIT_TEST(testTdf78897);
+ CPPUNIT_TEST(testForcepoint97);
CPPUNIT_TEST_SUITE_END();
};
@@ -588,6 +590,18 @@ void ScPDFExportTest::testTdf78897()
CPPUNIT_ASSERT_EQUAL(OUString(" 11.00 11.00 "), aActualText);
}
+// just needs to not crash on export to pdf
+void ScPDFExportTest::testForcepoint97()
+{
+ mxComponent = loadFromDesktop(m_directories.getURLFromSrc(DATA_DIRECTORY) + "forcepoint97.xlsx",
+ "com.sun.star.sheet.SpreadsheetDocument");
+ uno::Reference<frame::XModel> xModel(mxComponent, uno::UNO_QUERY);
+
+ // A1:H81
+ ScRange range1(0, 0, 0, 7, 81, 0);
+ std::shared_ptr<utl::TempFile> pPDFFile = exportToPDF(xModel, range1);
+}
+
CPPUNIT_TEST_SUITE_REGISTRATION(ScPDFExportTest);
CPPUNIT_PLUGIN_IMPLEMENT();
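Review bot: `testForcepoint97()` contains no assertion, so it only fails if the use-after-free actually crashes the process. An invalid two-byte read of freed memory often does not crash in a plain build, which means a regression may only show up under valgrind or a sanitizer build. I would say so in the comment, for example `// use-after-free regression test: reliably detected only under valgrind/ASan`. If `exportToPDF()` can return an empty pointer on failure, `CPPUNIT_ASSERT(pPDFFile);` would also give the test a minimal functional check.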
diff --git a/sc/qa/extras/testdocuments/forcepoint97.xlsx b/sc/qa/extras/testdocuments/forcepoint97.xlsx
new file mode 100644
index 000000000000..152fbbc45a9f
--- /dev/null
+++ b/sc/qa/extras/testdocuments/forcepoint97.xlsx
Binary files differ
diff --git a/sc/source/core/data/documen2.cxx b/sc/source/core/data/documen2.cxx
index 9a3a2fb1ce0f..4a5506077ba8 100644
--- a/sc/source/core/data/documen2.cxx
+++ b/sc/source/core/data/documen2.cxx
@@ -180,6 +180,7 @@ ScDocument::ScDocument( ScDocumentMode eMode, SfxObjectShell* pDocShell ) :
mbTrackFormulasPending(false),
mbFinalTrackFormulas(false),
mbDocShellRecalc(false),
+ mbLayoutStrings(false),
mnMutationGuardFlags(0)
{
maPreviewSelection = { *mxSheetLimits };
diff --git a/sc/source/core/data/formulacell.cxx b/sc/source/core/data/formulacell.cxx
index 195fa15286d0..b55efe4078c3 100644
--- a/sc/source/core/data/formulacell.cxx
+++ b/sc/source/core/data/formulacell.cxx
@@ -2149,7 +2149,8 @@ void ScFormulaCell::InterpretTail( ScInterpreterContext& rContext, ScInterpretTa
// XXX if mbNeedsNumberFormat was set even if the current format
// was not General then we'd have to obtain the current format here
// and check at least the types.
- if (bSetFormat && (bForceNumberFormat || ((nFormatIndex % SV_COUNTRY_LANGUAGE_OFFSET) != 0)))
+ const bool bSetNumberFormat = bSetFormat && (bForceNumberFormat || ((nFormatIndex % SV_COUNTRY_LANGUAGE_OFFSET) != 0));
+ if (bSetNumberFormat && !rDocument.IsInLayoutStrings())
{
// set number format explicitly
if (!rDocument.IsThreadedGroupCalcInProgress())
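Review bot: When `rDocument.IsInLayoutStrings()` is true the number format is skipped silently, and nothing in this hunk shows it being applied later, so a cell first interpreted during printing or PDF export may keep its previous format; it is worth confirming that the request for the format survives until the next interpretation. The condition also needs a comment saying why it exists, for example `// SetNumberFormat() can free the ScPatternAttr that ScOutputData::LayoutStrings() is still reading`. Only this number-format write is gated. If interpretation can change cell attributes by another route during layout, the caller in output2.cxx would still hold a stale pattern pointer, so re-fetching the pattern after `hasNumeric()` there may be the sturdier fix. InterpretTail's body continues outside the hunk.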
diff --git a/sc/source/ui/view/output2.cxx b/sc/source/ui/view/output2.cxx
index ba4a1b13a795..0e38182a5725 100644
--- a/sc/source/ui/view/output2.cxx
+++ b/sc/source/ui/view/output2.cxx
@@ -74,6 +74,7 @@
#include <scopetools.hxx>
#include <com/sun/star/i18n/DirectionProperty.hpp>
+#include <comphelper/scopeguard.hxx>
#include <comphelper/string.hxx>
#include <memory>
@@ -1518,6 +1519,12 @@ void ScOutputData::DrawStrings( bool bPixelToLogic )
tools::Rectangle ScOutputData::LayoutStrings(bool bPixelToLogic, bool bPaint, const ScAddress &rAddress)
{
+ bool bOrigIsInLayoutStrings = mpDoc->IsInLayoutStrings();
+ mpDoc->SetLayoutStrings(true);
+ comphelper::ScopeGuard g([this, bOrigIsInLayoutStrings] {
+ mpDoc->SetLayoutStrings(bOrigIsInLayoutStrings);
+ });
+
OSL_ENSURE( mpDev == mpRefDevice ||
mpDev->GetMapMode().GetMapUnit() == mpRefDevice->GetMapMode().GetMapUnit(),
"LayoutStrings: different MapUnits ?!?!" );