stoc/source/typeconv/convert.cxx |   11 +++++++++++
 1 file changed, 11 insertions(+)

New commits:
commit 9074f5602a9b0b51349647f29d8537256217ebe7
Author:     Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Fri Mar 18 14:12:56 2022 +0100
Commit:     Stephan Bergmann <sberg...@redhat.com>
CommitDate: Fri Mar 18 15:33:50 2022 +0100

    tdf#148063: Avoid dereferencing potentially bad user-supplied 
TypeDescription
    
    ...from Basic script
    
    > sub foo
    >   a = Array()
    >   oUnoValue = CreateUnoValue( "[]", a )
    > end sub
    
    at
    
    > Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault.
    > 0x00007fffc413b2db in stoc_tcv::(anonymous 
namespace)::TypeConverter_Impl::convertTo (this=0x3269200, 
rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at 
stoc/source/typeconv/convert.cxx:537
    > 537                   reinterpret_cast<typelib_IndirectTypeDescription 
*>(aDestTD.get())->pType );
    > (gdb) bt
    > #0  0x00007fffc413b2db in stoc_tcv::(anonymous 
namespace)::TypeConverter_Impl::convertTo(com::sun::star::uno::Any const&, 
com::sun::star::uno::Type const&) (this=0x3269200, rVal=uno::Any("[]any": empty 
uno::Sequence), aDestType=invalid uno::Type) at 
stoc/source/typeconv/convert.cxx:537
    > #1  0x00007fffc413d144 in non-virtual thunk to stoc_tcv::(anonymous 
namespace)::TypeConverter_Impl::convertTo(com::sun::star::uno::Any const&, 
com::sun::star::uno::Type const&) () at instdir/program/libstocserviceslo.so
    > #2  0x00007ffff4fe0264 in convertAny(com::sun::star::uno::Any const&, 
com::sun::star::uno::Type const&) (rVal=uno::Any("[]any": empty uno::Sequence), 
aDestType=invalid uno::Type) at basic/source/classes/sbunoobj.cxx:324
    > #3  0x00007ffff4fdfe79 in RTL_Impl_CreateUnoValue(SbxArray&) (rPar=...) 
at basic/source/classes/sbunoobj.cxx:4157
    > #4  0x00007ffff513b1b0 in SbRtl_CreateUnoValue(StarBASIC*, SbxArray&, 
bool) (rPar=...) at basic/source/runtime/methods1.cxx:1403
    > #5  0x00007ffff50ea80e in SbiStdObject::Notify(SfxBroadcaster&, SfxHint 
const&) (this=0x2003400, rBC=..., rHint=...) at 
basic/source/runtime/stdobj.cxx:1059
    > #6  0x00007ffff3decfae in SfxBroadcaster::Broadcast(SfxHint const&) 
(this=0x3329e90, rHint=...) at svl/source/notify/SfxBroadcaster.cxx:39
    > #7  0x00007ffff518e772 in SbxVariable::Broadcast(SfxHintId) 
(this=0x31e8f60, nHintId=SfxHintId::BasicDataWanted) at 
basic/source/sbx/sbxvar.cxx:151
    > #8  0x00007ffff5186d4f in SbxValue::SbxValue(SbxValue const&) 
(this=0x31ff450, vtt=0x7ffff51ae718 <VTT for SbxMethod+16>, r=...) at 
basic/source/sbx/sbxvalue.cxx:66
    > #9  0x00007ffff518d291 in SbxVariable::SbxVariable(SbxVariable const&) 
(this=0x31ff450, vtt=0x7ffff51ae710 <VTT for SbxMethod+8>, r=...) at 
basic/source/sbx/sbxvar.cxx:45
    > #10 0x00007ffff517d44a in SbxMethod::SbxMethod(SbxMethod const&) 
(this=0x31ff450, r=...) at basic/source/sbx/sbxobj.cxx:838
    > #11 0x00007ffff510386b in SbiRuntime::FindElement(SbxObject*, unsigned 
int, unsigned int, ErrCode, bool, bool) (this=0x2d6f400, pObj=0x2003400, 
nOp1=32773, nOp2=9, nNotFound=..., bLocal=false, bStatic=false) at 
basic/source/runtime/runtime.cxx:3709
    > #12 0x00007ffff50f5a91 in SbiRuntime::StepRTL(unsigned int, unsigned int) 
(this=0x2d6f400, nOp1=32773, nOp2=9) at basic/source/runtime/runtime.cxx:4131
    > #13 0x00007ffff50faef8 in SbiRuntime::Step() (this=0x2d6f400) at 
basic/source/runtime/runtime.cxx:830
    [...]
    
    Change-Id: I552f0360aaf3f9aa6a499aa5ea6eca9ae37e4614
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131739
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sberg...@redhat.com>

diff --git a/stoc/source/typeconv/convert.cxx b/stoc/source/typeconv/convert.cxx
index 2f87b4f42500..1b50c94494fb 100644
--- a/stoc/source/typeconv/convert.cxx
+++ b/stoc/source/typeconv/convert.cxx
@@ -527,6 +527,17 @@ Any SAL_CALL TypeConverter_Impl::convertTo( const Any& 
rVal, const Type& aDestTy
 
             TypeDescription aSourceTD( aSourceType );
             TypeDescription aDestTD( aDestType );
+            // For a sequence type notation "[]...", SequenceTypeDescription in
+            // cppuhelper/source/typemanager.cxx resolves the "..." component 
type notation part
+            // only lazily, so it could happen here that bad user input (e.g., 
"[]" or "[]foo" from
+            // a Basic script CreateUnoValue call) leads to a bad but 
as-of-yet undetected
+            // aDestType, so check it here; this is less likely an issue for 
the non-sequence type
+            // classes, whose notation is not resolved lazily based on their 
syntax:
+            if (!aDestTD.is()) {
+                throw css::lang::IllegalArgumentException(
+                    "Bad XTypeConverter::convertTo destination " + 
aDestType.getTypeName(),
+                    static_cast<cppu::OWeakObject *>(this), 1);
+            }
             typelib_TypeDescription * pSourceElementTD = nullptr;
             TYPELIB_DANGER_GET(
                 &pSourceElementTD,
