authorCaolán McNamara <caolanm@redhat.com>2021-06-18 13:00:25 +0100
committerCaolán McNamara <caolanm@redhat.com>2021-06-18 16:49:05 +0200
commita8db26a6795703e48c34f9edbb09fdf6fe279f6d (patch)
treec5384df7b6918310adae5b9222c976daa5966826 /sw
parente8dac3bd339383876bbe42f3e9559df4b13b6d91 (diff)
ofz: fix use-after free
https://oss-fuzz-build-logs.storage.googleapis.com/log-380241bb-ed71-4d4a-93d3-00473e186d65.txt since... commit 2bccb7e67b637c6312a0df610f870c8621eb296f Date: Tue Jun 15 09:02:59 2021 +0200 remove some unnecessary LanguageType copies reproducible with: LD_LIBRARY_PATH=`pwd`/instdir/program valgrind instdir/program/fftester ~/demo.html html Invalid read of size 8 at 0x1CC35A38: rtl::OUString::OUString(rtl::OUString const&) (ustring.hxx:191) by 0x1CC60F37: com::sun::star::lang::Locale::Locale(com::sun::star::lang::Locale const&) (Locale.hdl:17) by 0x1CD5AF77: LanguageTag::LanguageTag(LanguageTag const&) (languagetag.hxx:113) ... by 0x1D195944: SwStyleNameMapper::GetChrFormatUINameArray() (DocumentStylePoolManager.cxx:2683) Address 0x261e5d38 is 136 bytes inside a block of size 240 free'd at 0x4843669: operator delete(void*) (vg_replace_malloc.c:802) by 0x4BE7F8C: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:145) by 0x4BE7F64: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:492) by 0x4BE7A43: std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() (allocated_ptr.h:73) by 0x4BE7D40: std::_Sp_counted_ptr_inplace<SvtSysLocaleOptions_Impl, 
std::allocator<SvtSysLocaleOptions_Impl>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:538) by 0x4B0A5D3: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_weak_release() (shared_ptr_base.h:207) by 0x4B105B0: std::__weak_count<(__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_count<(__gnu_cxx::_Lock_policy)2> const&) (shared_ptr_base.h:808) by 0x4BE7FF2: _ZNSt10__weak_ptrI24SvtSysLocaleOptions_ImplLN9__gnu_cxx12_Lock_policyE2EEaSIS0_EENSt9enable_ifIXsr20__sp_compatible_withIPT_PS0_EE5valueERS3_E4typeERKSt12__shared_ptrIS6_LS2_2EE (shared_ptr_base.h:1662) by 0x4BE6EC0: _ZNSt8weak_ptrI24SvtSysLocaleOptions_ImplEaSIS0_EENSt9enable_ifIXsr13is_assignableIRSt10__weak_ptrIS0_LN9__gnu_cxx12_Lock_policyE2EERKSt10shared_ptrIT_EEE5valueERS1_E4typeESD_ (shared_ptr.h:733) by 0x4BE5A64: SvtSysLocaleOptions::SvtSysLocaleOptions() (syslocaleoptions.cxx:544) by 0x4C54323: SvtSysLocale_Impl::SvtSysLocale_Impl() (syslocale.cxx:63) Change-Id: I95dfd56c5d445220918e4bfa9216a72317fd8421 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/117447 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw')
-rw-r--r--sw/source/core/doc/DocumentStylePoolManager.cxx36
-rw-r--r--sw/source/core/doc/SwStyleNameMapper.cxx3
2 files changed, 26 insertions, 13 deletions
diff --git a/sw/source/core/doc/DocumentStylePoolManager.cxx b/sw/source/core/doc/DocumentStylePoolManager.cxx
index 4277468289ad..49e399a78a07 100644
--- a/sw/source/core/doc/DocumentStylePoolManager.cxx
+++ b/sw/source/core/doc/DocumentStylePoolManager.cxx
@@ -2582,7 +2582,8 @@ lcl_NewUINameArray(const char** pIds, const size_t nLen, const size_t nSvxIds =
const std::vector<OUString>& SwStyleNameMapper::GetTextUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aTextUINameArray;
auto it = s_aTextUINameArray.find(rCurrentLanguage);
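Review bot: Nothing in the new code says why `aSysLocale` has to be a named local, so a later cleanup could fold it back into `SvtSysLocale().GetUILanguageTag()` and bring back the invalid read shown in the commit's valgrind trace. `rCurrentLanguage` is a reference that the `find` call on the next line still uses, and going by the trace the storage behind it appears to be releasable once the temporary is gone. I would add `// keep aSysLocale alive while rCurrentLanguage is in use; the returned tag reference must not outlive it` above the declaration. The same applies to the eleven other hunks in this file and to the hunk in SwStyleNameMapper.cxx. Each function body continues past the end of its hunk, so any later use of `rCurrentLanguage` relies on the same lifetime.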
@@ -2595,7 +2596,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetTextUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetListsUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aListsUINameArray;
auto it = s_aListsUINameArray.find(rCurrentLanguage);
@@ -2608,7 +2610,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetListsUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetExtraUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aExtraUINameArray;
auto it = s_aExtraUINameArray.find(rCurrentLanguage);
@@ -2621,7 +2624,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetExtraUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetRegisterUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aRegisterUINameArray;
auto it = s_aRegisterUINameArray.find(rCurrentLanguage);
@@ -2634,7 +2638,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetRegisterUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetDocUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aDocUINameArray;
auto it = s_aDocUINameArray.find(rCurrentLanguage);
@@ -2647,7 +2652,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetDocUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetHTMLUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aHTMLUINameArray;
auto it = s_aHTMLUINameArray.find(rCurrentLanguage);
@@ -2660,7 +2666,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetHTMLUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetFrameFormatUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aFrameFormatUINameArray;
auto it = s_aFrameFormatUINameArray.find(rCurrentLanguage);
@@ -2673,7 +2680,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetFrameFormatUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetChrFormatUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aChrFormatUINameArray;
auto it = s_aChrFormatUINameArray.find(rCurrentLanguage);
@@ -2686,7 +2694,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetChrFormatUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetHTMLChrFormatUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aHTMLChrFormatUINameArray;
auto it = s_aHTMLChrFormatUINameArray.find(rCurrentLanguage);
@@ -2699,7 +2708,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetHTMLChrFormatUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetPageDescUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aPageDescUINameArray;
auto it = s_aPageDescUINameArray.find(rCurrentLanguage);
@@ -2712,7 +2722,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetPageDescUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetNumRuleUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aNumRuleUINameArray;
auto it = s_aNumRuleUINameArray.find(rCurrentLanguage);
@@ -2725,7 +2736,8 @@ const std::vector<OUString>& SwStyleNameMapper::GetNumRuleUINameArray()
const std::vector<OUString>& SwStyleNameMapper::GetTableStyleUINameArray()
{
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, std::vector<OUString>> s_aTableStyleUINameArray;
auto it = s_aTableStyleUINameArray.find(rCurrentLanguage);
diff --git a/sw/source/core/doc/SwStyleNameMapper.cxx b/sw/source/core/doc/SwStyleNameMapper.cxx
index 1a73a0e746de..fcb39150ed23 100644
--- a/sw/source/core/doc/SwStyleNameMapper.cxx
+++ b/sw/source/core/doc/SwStyleNameMapper.cxx
@@ -108,7 +108,8 @@ template <auto initFunc> struct TablePair
return s_aProgMap;
}
- const LanguageTag& rCurrentLanguage = SvtSysLocale().GetUILanguageTag();
+ SvtSysLocale aSysLocale;
+ const LanguageTag& rCurrentLanguage = aSysLocale.GetUILanguageTag();
static std::map<LanguageTag, NameToIdHash> s_aUIMap;
auto it = s_aUIMap.find(rCurrentLanguage);