From de9620dd4539397715dab3102d256f9d634fcb23 Mon Sep 17 00:00:00 2001 From: Vasily Melenchuk Date: Mon, 21 May 2018 10:58:49 +0300 Subject: tdf#97231: potential crash fixed blob2 pointer can be invalidated during marshalString() call, because it also adds new element in data vector and thus later access to blob2 can cause crash. Change-Id: I2de519c363193f34b249e7250a016397b7420882 Reviewed-on: https://gerrit.libreoffice.org/54613 Tested-by: Jenkins Reviewed-by: Thorsten Behrens --- basic/source/runtime/dllmgr-x64.cxx | 2 +- basic/source/runtime/dllmgr-x86.cxx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'basic') diff --git a/basic/source/runtime/dllmgr-x64.cxx b/basic/source/runtime/dllmgr-x64.cxx index 0bafdec1fb32..4450bbfa6029 100644 --- a/basic/source/runtime/dllmgr-x64.cxx +++ b/basic/source/runtime/dllmgr-x64.cxx @@ -319,12 +319,12 @@ ErrCode marshal( break; case SbxSTRING: { - std::vector< char > * blob2 = data.newBlob(); void * p; ErrCode e = marshalString(variable, special, data, &p); if (e != ERRCODE_NONE) { return e; } + std::vector< char >* blob2 = data.newBlob(); add(*blob2, p, 8, 0); add(blob, address(*blob2), 8, offset); break; diff --git a/basic/source/runtime/dllmgr-x86.cxx b/basic/source/runtime/dllmgr-x86.cxx index 576e3da1b736..63fd3bcea160 100644 --- a/basic/source/runtime/dllmgr-x86.cxx +++ b/basic/source/runtime/dllmgr-x86.cxx @@ -334,12 +334,12 @@ ErrCode marshal( break; case SbxSTRING: { - std::vector< char > * blob2 = data.newBlob(); void * p; ErrCode e = marshalString(variable, special, data, &p); if (e != ERRCODE_NONE) { return e; } + std::vector< char > * blob2 = data.newBlob(); add(*blob2, p, 4, 0); add(blob, address(*blob2), 4, offset); break; -- cgit