author | Stephan Bergmann <sbergman@redhat.com> | 2022-03-18 14:12:56 +0100 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2022-03-18 15:33:50 +0100 |
commit | 9074f5602a9b0b51349647f29d8537256217ebe7 (patch) | |
tree | f7c7709c0e95b6c753265be040568f2dd70b3e2a /stoc | |
parent | cfa5489982a84f847d86b8bf8ce49b25e033ed48 (diff) |
tdf#148063: Avoid dereferencing potentially bad user-supplied TypeDescription
...from Basic script
> sub foo
> a = Array()
> oUnoValue = CreateUnoValue( "[]", a )
> end sub
at
> Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault.
> 0x00007fffc413b2db in stoc_tcv::(anonymous namespace)::TypeConverter_Impl::convertTo (this=0x3269200, rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at stoc/source/typeconv/convert.cxx:537
> 537 reinterpret_cast<typelib_IndirectTypeDescription *>(aDestTD.get())->pType );
> (gdb) bt
> #0 0x00007fffc413b2db in stoc_tcv::(anonymous namespace)::TypeConverter_Impl::convertTo(com::sun::star::uno::Any const&, com::sun::star::uno::Type const&) (this=0x3269200, rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at stoc/source/typeconv/convert.cxx:537
> #1 0x00007fffc413d144 in non-virtual thunk to stoc_tcv::(anonymous namespace)::TypeConverter_Impl::convertTo(com::sun::star::uno::Any const&, com::sun::star::uno::Type const&) () at instdir/program/libstocserviceslo.so
> #2 0x00007ffff4fe0264 in convertAny(com::sun::star::uno::Any const&, com::sun::star::uno::Type const&) (rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at basic/source/classes/sbunoobj.cxx:324
> #3 0x00007ffff4fdfe79 in RTL_Impl_CreateUnoValue(SbxArray&) (rPar=...) at basic/source/classes/sbunoobj.cxx:4157
> #4 0x00007ffff513b1b0 in SbRtl_CreateUnoValue(StarBASIC*, SbxArray&, bool) (rPar=...) at basic/source/runtime/methods1.cxx:1403
> #5 0x00007ffff50ea80e in SbiStdObject::Notify(SfxBroadcaster&, SfxHint const&) (this=0x2003400, rBC=..., rHint=...) at basic/source/runtime/stdobj.cxx:1059
> #6 0x00007ffff3decfae in SfxBroadcaster::Broadcast(SfxHint const&) (this=0x3329e90, rHint=...) at svl/source/notify/SfxBroadcaster.cxx:39
> #7 0x00007ffff518e772 in SbxVariable::Broadcast(SfxHintId) (this=0x31e8f60, nHintId=SfxHintId::BasicDataWanted) at basic/source/sbx/sbxvar.cxx:151
> #8 0x00007ffff5186d4f in SbxValue::SbxValue(SbxValue const&) (this=0x31ff450, vtt=0x7ffff51ae718 <VTT for SbxMethod+16>, r=...) at basic/source/sbx/sbxvalue.cxx:66
> #9 0x00007ffff518d291 in SbxVariable::SbxVariable(SbxVariable const&) (this=0x31ff450, vtt=0x7ffff51ae710 <VTT for SbxMethod+8>, r=...) at basic/source/sbx/sbxvar.cxx:45
> #10 0x00007ffff517d44a in SbxMethod::SbxMethod(SbxMethod const&) (this=0x31ff450, r=...) at basic/source/sbx/sbxobj.cxx:838
> #11 0x00007ffff510386b in SbiRuntime::FindElement(SbxObject*, unsigned int, unsigned int, ErrCode, bool, bool) (this=0x2d6f400, pObj=0x2003400, nOp1=32773, nOp2=9, nNotFound=..., bLocal=false, bStatic=false) at basic/source/runtime/runtime.cxx:3709
> #12 0x00007ffff50f5a91 in SbiRuntime::StepRTL(unsigned int, unsigned int) (this=0x2d6f400, nOp1=32773, nOp2=9) at basic/source/runtime/runtime.cxx:4131
> #13 0x00007ffff50faef8 in SbiRuntime::Step() (this=0x2d6f400) at basic/source/runtime/runtime.cxx:830
[...]
Change-Id: I552f0360aaf3f9aa6a499aa5ea6eca9ae37e4614
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131739
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Diffstat (limited to 'stoc')
-rw-r--r-- | stoc/source/typeconv/convert.cxx | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/stoc/source/typeconv/convert.cxx b/stoc/source/typeconv/convert.cxx
index 2f87b4f42500..1b50c94494fb 100644
--- a/stoc/source/typeconv/convert.cxx
+++ b/stoc/source/typeconv/convert.cxx
@@ -527,6 +527,17 @@ Any SAL_CALL TypeConverter_Impl::convertTo( const Any& rVal, const Type& aDestTy
     TypeDescription aSourceTD( aSourceType );
     TypeDescription aDestTD( aDestType );
+    // For a sequence type notation "[]...", SequenceTypeDescription in
+    // cppuhelper/source/typemanager.cxx resolves the "..." component type notation part
+    // only lazily, so it could happen here that bad user input (e.g., "[]" or "[]foo" from
+    // a Basic script CreateUnoValue call) leads to a bad but as-of-yet undetected
+    // aDestType, so check it here; this is less likely an issue for the non-sequence type
+    // classes, whose notation is not resolved lazily based on their syntax:
+    if (!aDestTD.is()) {
+        throw css::lang::IllegalArgumentException(
+            "Bad XTypeConverter::convertTo destination " + aDestType.getTypeName(),
+            static_cast<cppu::OWeakObject *>(this), 1);
+    }
     typelib_TypeDescription * pSourceElementTD = nullptr;
     TYPELIB_DANGER_GET( &pSourceElementTD,