vcl/source/gdi/pdfwriter_impl.cxx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
New commits: commit aad40b222cc646749cf7bb67e8d45a2d77018eb8 Author: Noel Grandin <noelgran...@gmail.com> AuthorDate: Wed Mar 6 22:30:16 2024 +0200 Commit: Noel Grandin <noel.gran...@collabora.co.uk> CommitDate: Thu Mar 7 06:51:57 2024 +0100 fix use-after-free in PDFWriterImpl::appendUnicodeTextStringEncrypt where if the resize triggers a copy, the pCopy pointer is now pointing to a block of memory that has been freed. Change-Id: I2ecfe6ad30f85b4c9e8c85f6296ac03ed4f04c8c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164485 Tested-by: Jenkins Reviewed-by: Noel Grandin <noel.gran...@collabora.co.uk>
diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx
index 123a5fcbfcd2..bb444b32cf3d 100644
--- a/vcl/source/gdi/pdfwriter_impl.cxx
+++ b/vcl/source/gdi/pdfwriter_impl.cxx
@@ -1526,9 +1526,9 @@ inline void PDFWriterImpl::appendUnicodeTextStringEncrypt( const OUString& rInSt
 sal_Int32 nLen = rInString.getLength();
 //prepare a unicode string, encrypt it
 enableStringEncryption( nInObjectNumber );
- sal_uInt8 *pCopy = m_vEncryptionBuffer.data();
 sal_Int32 nChars = 2 + (nLen * 2);
 m_vEncryptionBuffer.resize(nChars);
+ sal_uInt8 *pCopy = m_vEncryptionBuffer.data();
 *pCopy++ = 0xFE;
 *pCopy++ = 0xFF;
 // we need to prepare a byte stream from the unicode string buffer
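Review bot: The buffer size on the `nChars` line is still computed in `sal_Int32`, so for a very long `rInString` the expression `2 + (nLen * 2)` can overflow before it reaches `resize()`, and the writes through `pCopy` would then no longer match the allocated size. Doing the arithmetic in the container's size type, for example `m_vEncryptionBuffer.resize(2 + static_cast<size_t>(nLen) * 2);`, or rejecting oversized input first, would close that gap; `nChars` is presumably used again below the hunk, so its own type may have to stay. The moved `pCopy` line would also benefit from a short comment such as `// fetch data() only after resize(): a reallocation invalidates earlier pointers`, so a later cleanup does not undo the ordering. The function body starts and ends outside this hunk, so the loop that fills the buffer was not reviewed.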