authorStephan Bergmann <sbergman@redhat.com>2019-10-17 14:52:16 +0200
committerMichael Stahl <michael.stahl@allotropia.de>2021-01-25 14:41:55 +0100
commit08e601eb05b616ef90cfacd8a18cced66927f1a2 (patch)
treed5b65dd8c124989084708cdb64b226ebcd0e5656 /sc
parentd13ff08fd9966bc52da772e7e469f067f73fc9f2 (diff)
Don't use uninitialized memory when reading from the stream fails
Flathub arm builds (but not other arches) had often (but not always) failed when processing sc/qa/unit/data/qpro/pass/ofz14090-1.wb2 in CppunitTest_sc_filters_test (e.g., <https://flathub.org/builds/#/builders/1/builds/724>: > Test name: ScFiltersTest::testCVEs > equality assertion failed > - Expected: 1 > - Actual : 0 > - file:///run/build/libreoffice/sc/qa/unit/data/qpro/pass/ofz14090-1.wb2 ) Valgrind revealed that this was due to using uninitialized memory when the various maIn.Read... in QProToSc::Convert failed, starting with the use of uninitialized nFmla[i] after maIn.ReadUChar( nFmla[i] ); At least make things deterministic by setting the relevant variables to zero. (Another approach could be returning early with some ConvErr status.) Change-Id: I4c06aa8da5f777170cdc7bbe3ca1d61b23d3f326 Reviewed-on: https://gerrit.libreoffice.org/80947 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com> (cherry picked from commit 2704b9e3783aae9d8372f2e3ad3253a2cb49ae87)
Diffstat (limited to 'sc')
-rw-r--r--sc/source/filter/qpro/qproform.cxx14
1 files changed, 9 insertions, 5 deletions
diff --git a/sc/source/filter/qpro/qproform.cxx b/sc/source/filter/qpro/qproform.cxx
index 3943cd0c0878..9f804904bf2d 100644
--- a/sc/source/filter/qpro/qproform.cxx
+++ b/sc/source/filter/qpro/qproform.cxx
@@ -194,15 +194,14 @@ do { \
ConvErr QProToSc::Convert( const ScTokenArray*& pArray )
{
- sal_uInt8 nFmla[ nBufSize ], nArg;
+ sal_uInt8 nFmla[ nBufSize ];
sal_uInt8 nArgArray[ nBufSize ] = {0};
sal_Int8 nCol, nPage;
- sal_uInt16 nInt, nIntCount = 0, nStringCount = 0, nFloatCount = 0, nDLLCount = 0, nArgCount = 0;
+ sal_uInt16 nIntCount = 0, nStringCount = 0, nFloatCount = 0, nDLLCount = 0, nArgCount = 0;
sal_uInt16 nIntArray[ nBufSize ] = {0};
OUString sStringArray[ nBufSize ];
- sal_uInt16 nDummy, nDLLId;
sal_uInt16 nDLLArray[ nBufSize ] = {0};
- sal_uInt16 nNote, nRef, nRelBits;
+ sal_uInt16 nNote, nRelBits;
TokenId nPush;
ScComplexRefData aCRD;
ScSingleRefData aSRD;
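Review bot: `nNote`, `nRelBits`, `nCol` and `nPage` are still declared without initializers here, while the other read targets are now zeroed at their point of use. The code that fills them is outside the hunk, but if they are also populated by `maIn.Read...` calls, a truncated file leaves them indeterminate in the same way `nFmla[i]` was. Consider `sal_Int8 nCol = 0, nPage = 0;` and `sal_uInt16 nNote = 0, nRelBits = 0;`, or moving each declaration next to its read as this change does for `nRef` and `nInt`. Convert's body continues outside the hunk.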
@@ -213,16 +212,19 @@ ConvErr QProToSc::Convert( const ScTokenArray*& pArray )
aCRD.InitFlags();
aSRD.InitFlags();
+ sal_uInt16 nRef = 0;
maIn.ReadUInt16( nRef );
if( nRef < nBufSize )
{
for( sal_uInt16 i=0; i < nRef; i++)
{
+ nFmla[i] = 0;
maIn.ReadUChar( nFmla[i] );
if( nFmla[ i ] == 0x05 )
{
+ sal_uInt16 nInt = 0;
maIn.ReadUInt16( nInt );
nIntArray[ nIntCount ] = nInt;
SAFEDEC_OR_RET(nRef, 2, ConvErr::Count);
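Review bot: Zeroing `nFmla[i]` before `maIn.ReadUChar( nFmla[i] )` makes a failed read indistinguishable from a real 0x00 byte, and 0x00 is the value the float branch in the next hunk tests for, so a truncated stream appears to be parsed as float-constant tokens rather than rejected. The same applies to `nRef`, `nInt`, `nFloat`, `nArg` and `nDLLId` in this and the later hunks: the result is now deterministic, but the short input is still treated as valid content. Because this filter parses untrusted documents, checking the stream state after each read and bailing out, for example `if( !maIn.good() ) return ConvErr::Count;`, would stop the loop at the first short read. The loop body continues outside the hunk.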
@@ -231,7 +233,7 @@ ConvErr QProToSc::Convert( const ScTokenArray*& pArray )
if( nFmla[ i ] == 0x00 )
{
- double nFloat;
+ double nFloat = 0;
maIn.ReadDouble( nFloat );
nFloatArray[ nFloatCount ] = nFloat;
SAFEDEC_OR_RET(nRef, 8, ConvErr::Count);
@@ -240,6 +242,8 @@ ConvErr QProToSc::Convert( const ScTokenArray*& pArray )
if( nFmla[ i ] == 0x1a )
{
+ sal_uInt8 nArg = 0;
+ sal_uInt16 nDummy, nDLLId = 0;
maIn.ReadUChar( nArg ).ReadUInt16( nDummy ).ReadUInt16( nDLLId );
nArgArray[ nArgCount ] = nArg;
nDLLArray[ nDLLCount ] = nDLLId;
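Review bot: In `sal_uInt16 nDummy, nDLLId = 0;` the initializer applies only to `nDLLId`, so `nDummy` stays indeterminate when the chained `ReadUChar( nArg ).ReadUInt16( nDummy ).ReadUInt16( nDLLId )` fails. It is not used in the visible lines, so this is harmless as shown, but the declaration reads as if both were zeroed and would mislead anyone who later consumes the value. Write `sal_uInt16 nDummy = 0, nDLLId = 0;`, or use one declaration per line. The enclosing block continues outside the hunk.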