diff options
| author | Noel Grandin <noel.grandin@collabora.co.uk> | 2022-12-08 14:50:54 +0200 |
|---|---|---|
| committer | Noel Grandin <noel.grandin@collabora.co.uk> | 2022-12-08 18:24:22 +0000 |
| commit | da798460e370a97597ecc9a06634f400c4b2e0cc (patch) | |
| tree | cfdb9ae3b4a1ded1b9c7d67cc96c13c03259d4ae /sw | |
| parent | 243131397a5b626c2d8442dc716193e27b13ef9f (diff) | |
crashtesting ooo84576-1.odt
prevent the OOM by detecting cycles in SwList::SwList and throwing an
exception.
(1) However, that means we need to catch the exception in
XMLTextListBlockContext::XMLTextListBlockContext
and undo some registration, otherwise we will get a use-after-free.
The need to catch it is why I'm using an UNO exception here,
it seemed like a bad idea to throw and then catch and std::foo
exception.
(2) this is still not the end of the story, a further exception
is thrown during SwDoc destruction, for which I don't have a
solution.
Change-Id: I48be3d8acbdc0f9ca948a958f1124b158ba77ac0
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/143820
Tested-by: Jenkins
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Diffstat (limited to 'sw')
| -rw-r--r-- | sw/source/core/doc/list.cxx | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sw/source/core/doc/list.cxx b/sw/source/core/doc/list.cxx index aa4c06f473aa..5095d4e6c9a9 100644 --- a/sw/source/core/doc/list.cxx +++ b/sw/source/core/doc/list.cxx @@ -33,8 +33,18 @@ SwList::SwList( OUString sListId, { // create empty list trees for the document ranges const SwNode* pNode = rNodes[SwNodeOffset(0)]; + std::vector<bool> aVisited(static_cast<sal_Int32>(rNodes.Count()), false); do { + SwNodeOffset nIndex = pNode->GetIndex(); + if (aVisited[static_cast<sal_Int32>(nIndex)]) + { + // crashtesting ooo84576-1.odt, which manages to trigger a broken document structure + // in our code. This is just a workaround to prevent an infinite loop leading to OOM. + SAL_WARN("sw.core", "corrupt document structure, bailing out of infinite loop"); + throw css::uno::RuntimeException("corrupt document structure, bailing out of infinite loop"); + } + aVisited[static_cast<sal_Int32>(nIndex)] = true; SwPaM aPam( *pNode, *pNode->EndOfSectionNode() ); maListTrees.emplace_back( @@ -46,7 +56,7 @@ SwList::SwList( OUString sListId, pNode = pNode->EndOfSectionNode(); if (pNode != &rNodes.GetEndOfContent()) { - SwNodeOffset nIndex = pNode->GetIndex(); + nIndex = pNode->GetIndex(); nIndex++; pNode = rNodes[nIndex]; } |