author | Caolán McNamara <caolan.mcnamara@collabora.com> | 2024-05-25 20:15:41 +0100 |
---|---|---|
committer | Caolán McNamara <caolan.mcnamara@collabora.com> | 2024-05-26 00:51:48 +0200 |
commit | d1e065ea7ac98c31997f1af9be82c5da18c38369 (patch) | |
tree | f0a8d94fb154cd27d706b7ba79793a312331f533 /sc/source | |
parent | 034b68eb3a015553254c7238b13db8f94514080d (diff) |
ofz#69215 Heap-use-after-free
maybe since?
commit 397d7af2cbb1f2786ba857d350fb4641525e3bb2
Date: Wed May 22 15:03:40 2024 +0200
tdf#161210 speedup loading large XLS
==344604== Invalid read of size 4
==344604== at 0x1D74DEC5: XclImpXFRange::XclImpXFRange(int, int, XclImpXFIndex const&) (xistyle.hxx:555)
==344604== by 0x1D746AFB: XclImpXFRangeColumn::SetXF(int, XclImpXFIndex const&) (xistyle.cxx:1777)
==344604== by 0x1D747483: XclImpXFRangeBuffer::SetXF(ScAddress const&, unsigned short, XclImpXFRangeBuffer::XclImpXFInsertMode) (xistyle.cxx:1908)
==344604== by 0x1D747629: XclImpXFRangeBuffer::SetXF(ScAddress const&, unsigned short) (xistyle.cxx:1929)
==344604== by 0x1D2C0334: ImportExcel8::Labelsst() (excimp8.cxx:250)
==344604== by 0x1D32AB78: ImportExcel8::Read() (read.cxx:1196)
==344604== by 0x1D29FC2A: ScFormatFilterPluginImpl::ScImportExcel(SfxMedium&, ScDocument*, EXCIMPFORMAT) (excel.cxx:256)
==344604== by 0x1D2A28BC: TestImportXLS (excel.cxx:483)
==344604== by 0x405D76: sal_main_with_args(int, char**) (fftester.cxx:393)
==344604== by 0x40363D: main (fftester.cxx:100)
==344604== Address 0x2ab5fc08 is 8 bytes inside a block of size 12 free'd
==344604== at 0x48463F3: operator delete(void*) (vg_replace_malloc.c:1051)
==344604== by 0x1D761DDC: std::__new_allocator<XclImpXFRange>::deallocate(XclImpXFRange*, unsigned long) (new_allocator.h:172)
==344604== by 0x1D761B27: std::__cxx1998::_Vector_base<XclImpXFRange, std::allocator<XclImpXFRange> >::_M_deallocate(XclImpXFRange*, unsigned long) (allocator.h:210)
==344604== by 0x1D76170E: void std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::_M_realloc_insert<XclImpXFRange>(__gnu_cxx::__normal_iterator<XclImpXFRange*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, XclImpXFRange&&) (vector.tcc:519)
==344604== by 0x1D763576: std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::_M_insert_rval(__gnu_cxx::__normal_iterator<XclImpXFRange const*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, XclImpXFRange&&) (vector.tcc:372)
==344604== by 0x1D763409: std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::_M_emplace_aux(__gnu_cxx::__normal_iterator<XclImpXFRange const*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, XclImpXFRange&&) (stl_vector.h:1887)
==344604== by 0x1D762F29: __gnu_cxx::__normal_iterator<XclImpXFRange*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > > std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::emplace<XclImpXFRange>(__gnu_cxx::__normal_iterator<XclImpXFRange const*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, XclImpXFRange&&) (stl_vector.h:1344)
==344604== by 0x1D762CCB: __gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<XclImpXFRange*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >, std::random_access_iterator_tag> std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::emplace<XclImpXFRange>(__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<XclImpXFRange const*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >, std::random_access_iterator_tag>, XclImpXFRange&&) (vector:545)
==344604== by 0x1D74E0FD: __gnu_cxx::__enable_if<!std::__are_same<XclImpXFRange, bool>::__value, __gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<XclImpXFRange*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >, std::random_access_iterator_tag> >::__type std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::insert<XclImpXFRange>(__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<XclImpXFRange const*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >, std::random_access_iterator_tag>, XclImpXFRange&&) (vector:580)
==344604== by 0x1D74712E: XclImpXFRangeColumn::Insert(XclImpXFRange, unsigned long) (xistyle.cxx:1798)
==344604== by 0x1D746AD8: XclImpXFRangeColumn::SetXF(int, XclImpXFIndex const&) (xistyle.cxx:1776)
==344604== by 0x1D747483: XclImpXFRangeBuffer::SetXF(ScAddress const&, unsigned short, XclImpXFRangeBuffer::XclImpXFInsertMode) (xistyle.cxx:1908)
==344604== Block was alloc'd at
==344604== at 0x4842F95: operator new(unsigned long) (vg_replace_malloc.c:483)
==344604== by 0x1D761C4A: std::__new_allocator<XclImpXFRange>::allocate(unsigned long, void const*) (new_allocator.h:151)
==344604== by 0x1D761A33: std::__cxx1998::_Vector_base<XclImpXFRange, std::allocator<XclImpXFRange> >::_M_allocate(unsigned long) (allocator.h:198)
==344604== by 0x1D7615F1: void std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::_M_realloc_insert<XclImpXFRange>(__gnu_cxx::__normal_iterator<XclImpXFRange*, std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> > >, XclImpXFRange&&) (vector.tcc:459)
==344604== by 0x1D76148D: XclImpXFRange& std::__cxx1998::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::emplace_back<XclImpXFRange>(XclImpXFRange&&) (vector.tcc:123)
==344604== by 0x1D761371: XclImpXFRange& std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::emplace_back<XclImpXFRange>(XclImpXFRange&&) (vector:519)
==344604== by 0x1D74DE8C: __gnu_cxx::__enable_if<!std::__are_same<XclImpXFRange, bool>::__value, void>::__type std::__debug::vector<XclImpXFRange, std::allocator<XclImpXFRange> >::push_back<XclImpXFRange>(XclImpXFRange&&) (vector:508)
==344604== by 0x1D7467AD: XclImpXFRangeColumn::SetDefaultXF(XclImpXFIndex const&, XclImpRoot const&) (xistyle.cxx:1727)
==344604== by 0x1D7478A7: XclImpXFRangeBuffer::SetColumnDefXF(short, unsigned short) (xistyle.cxx:1956)
==344604== by 0x1D2713A5: XclImpColRowSettings::SetDefaultXF(short, short, unsigned short) (colrowst.cxx:175)
==344604== by 0x1D30E12F: ImportExcel::Colinfo() (impop.cxx:682)
==344604== by 0x1D32A34E: ImportExcel8::Read() (read.cxx:1141)
Change-Id: I55cc65d511878e31646d10dc7f367f30bd4454f8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168038
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Diffstat (limited to 'sc/source')
-rw-r--r-- | sc/source/filter/excel/xistyle.cxx | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sc/source/filter/excel/xistyle.cxx b/sc/source/filter/excel/xistyle.cxx
index 00bc34c744bd..8c29ece09885 100644
--- a/sc/source/filter/excel/xistyle.cxx
+++ b/sc/source/filter/excel/xistyle.cxx
@@ -1772,9 +1772,10 @@ void XclImpXFRangeColumn::SetXF( SCROW nScRow, const XclImpXFIndex& rXFIndex )
 else // insert in the middle of the range
 {
 pThisRange->mnScRow1 = nScRow + 1;
+ XclImpXFIndex aXFIndex(pThisRange->maXFIndex);
 // List::Insert() moves entries towards end of list, so insert twice at nIndex
 Insert( XclImpXFRange( nScRow, rXFIndex ), nIndex );
- Insert( XclImpXFRange( nFirstScRow, nScRow - 1, pThisRange->maXFIndex ), nIndex );
+ Insert( XclImpXFRange( nFirstScRow, nScRow - 1, aXFIndex ), nIndex );
 }
 return;
 }
|
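Review bot: The new local `aXFIndex` has no comment saying why the copy must be taken before the first `Insert()`, so a later cleanup could fold it back into `pThisRange->maXFIndex` and reintroduce the read of freed vector storage shown in the commit's valgrind trace. I would add `// copy first: Insert() can reallocate the vector and leave pThisRange dangling` above it and declare it `const XclImpXFIndex aXFIndex(pThisRange->maXFIndex);`. SetXF's body starts and ends outside this hunk, so its other branches are not visible here. Any of them that call `Insert()` and then dereference a range pointer are worth checking for the same pattern, since this path parses untrusted XLS input.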