net/WebSocketHandler.hpp |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

New commits:
commit 43457a0aaf317c2c2c9594778aef891f58fc5827
Author:     Miklos Vajna <vmik...@collabora.com>
AuthorDate: Mon May 27 09:06:38 2019 +0200
Commit:     Samuel Mehrbrodt <samuel.mehrbr...@cib.de>
CommitDate: Mon Jul 29 08:00:33 2019 +0200

    net: avoid UB in WebSocketHandler::readPayload()
    
    Seen when closing a Writer document.
    
    
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:798:9:
 runtime error: reference binding to null pointer of type 'char'
        #0 0x6ff633 in std::vector<char, std::allocator<char> 
>::operator[](unsigned long) 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:798:2
        #1 0x770d0c in WebSocketHandler::readPayload(unsigned char*, unsigned 
long, unsigned char*, std::vector<char, std::allocator<char> >&) 
/home/vmiklos/lode/dev/online/./net/WebSocketHandler.hpp:611:29
        #2 0x759324 in 
WebSocketHandler::handleTCPStream(std::shared_ptr<StreamSocket> const&) 
/home/vmiklos/lode/dev/online/./net/WebSocketHandler.hpp:251:13
        #3 0x6f820d in 
WebSocketHandler::handleIncomingMessage(SocketDisposition&) 
/home/vmiklos/lode/dev/online/./net/WebSocketHandler.hpp:419:20
        #4 0xb2da64 in ClientSession::handleIncomingMessage(SocketDisposition&) 
/home/vmiklos/lode/dev/online/wsd/ClientSession.cpp:74:14
        #5 0xa70a61 in StreamSocket::handlePoll(SocketDisposition&, 
std::chrono::time_point<std::chrono::_V2::steady_clock, 
std::chrono::duration<long, std::ratio<1l, 1000000000l> > >, int) 
/home/vmiklos/lode/dev/online/./net/Socket.hpp:1037:29
        #6 0x6ec83d in SocketPoll::poll(int) 
/home/vmiklos/lode/dev/online/./net/Socket.hpp:570:34
        #7 0x830019 in DocumentBroker::pollThread() 
/home/vmiklos/lode/dev/online/wsd/DocumentBroker.cpp:286:16
        #8 0x8fdb38 in DocumentBroker::DocumentBrokerPoll::pollingThread() 
/home/vmiklos/lode/dev/online/wsd/DocumentBroker.cpp:165:20
        #9 0xe00e75 in SocketPoll::pollingThreadEntry() 
/home/vmiklos/lode/dev/online/net/Socket.cpp:184:9
        #10 0xe49cfd in void std::__invoke_impl<void, void (SocketPoll::*)(), 
SocketPoll*>(std::__invoke_memfun_deref, void (SocketPoll::*&&)(), 
SocketPoll*&&) 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:73:14
        #11 0xe4980a in std::__invoke_result<void (SocketPoll::*)(), 
SocketPoll*>::type std::__invoke<void (SocketPoll::*)(), SocketPoll*>(void 
(SocketPoll::*&&)(), SocketPoll*&&) 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:95:14
        #12 0xe496bd in decltype(std::__invoke(_S_declval<0ul>(), 
_S_declval<1ul>())) std::thread::_Invoker<std::tuple<void (SocketPoll::*)(), 
SocketPoll*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/thread:234:13
        #13 0xe494c7 in std::thread::_Invoker<std::tuple<void 
(SocketPoll::*)(), SocketPoll*> >::operator()() 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/thread:243:11
        #14 0xe4888a in 
std::thread::_State_impl<std::thread::_Invoker<std::tuple<void 
(SocketPoll::*)(), SocketPoll*> > >::_M_run() 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/thread:186:13
        #15 0x7f2c5805fe2e in execute_native_thread_routine 
/home/vmiklos/lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/src/c++11/../../../../../gcc-7.3.0/libstdc++-v3/src/c++11/thread.cc:83
        #16 0x7f2c57a3c558 in start_thread (/lib64/libpthread.so.0+0x7558)
        #17 0x7f2c5715082e in clone (/lib64/libc.so.6+0xf882e)
    
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
/home/vmiklos/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:798:9
 in
    
    Change-Id: Ifaf6b193e9bba480587c2e184df55aa0728bb370
    Reviewed-on: https://gerrit.libreoffice.org/76331
    Reviewed-by: Samuel Mehrbrodt <samuel.mehrbr...@cib.de>
    Tested-by: Samuel Mehrbrodt <samuel.mehrbr...@cib.de>

diff --git a/net/WebSocketHandler.hpp b/net/WebSocketHandler.hpp
index e20ff5d5a..ad1547a8c 100644
--- a/net/WebSocketHandler.hpp
+++ b/net/WebSocketHandler.hpp
@@ -600,9 +600,12 @@ protected:
         {
             size_t end = payload.size();
             payload.resize(end + dataLen);
-            char* wsData = &payload[end];
-            for (size_t i = 0; i < dataLen; ++i)
-                *wsData++ = data[i] ^ mask[i % 4];
+            if (dataLen > 0)
+            {
+                char* wsData = &payload[end];
+                for (size_t i = 0; i < dataLen; ++i)
+                    *wsData++ = data[i] ^ mask[i % 4];
+            }
         }
         else
             payload.insert(payload.end(), data, data + dataLen);
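Review bot: The new `if (dataLen > 0)` guard has no comment saying why it exists, so a later cleanup could fold it away and bring the sanitizer report back. A line such as `// &payload[end] binds a reference one past the end when nothing was appended` above the guard would record the reason. An alternative that needs no branch is `char* wsData = payload.data() + end;`, which only forms a pointer and never dereferences it when the loop runs zero times. Separately, `payload.resize(end + dataLen)` grows the buffer by a length that presumably comes from the peer's frame header, and no upper bound is visible in these lines. Whether the caller caps it cannot be told from here, because the enclosing function begins and ends outside the hunk.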