authorVasily Melenchuk <Vasily.Melenchuk@cib.de>2018-05-21 10:58:49 +0300
committerThorsten Behrens <Thorsten.Behrens@CIB.de>2018-05-21 15:41:09 +0200
commitde9620dd4539397715dab3102d256f9d634fcb23 (patch)
tree1ab8ff5e33d84a5301e123e5180cad99c25774bd
parent6a54247c7dfc31aa53e6db7122e31e5498715184 (diff)
tdf#97231: potential crash fixed
The blob2 pointer can be invalidated during the marshalString() call, because that call also adds a new element to the data vector; a later access through blob2 can therefore crash. Change-Id: I2de519c363193f34b249e7250a016397b7420882 Reviewed-on: https://gerrit.libreoffice.org/54613 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
-rw-r--r--basic/source/runtime/dllmgr-x64.cxx2
-rw-r--r--basic/source/runtime/dllmgr-x86.cxx2
2 files changed, 2 insertions, 2 deletions
diff --git a/basic/source/runtime/dllmgr-x64.cxx b/basic/source/runtime/dllmgr-x64.cxx
index 0bafdec1fb32..4450bbfa6029 100644
--- a/basic/source/runtime/dllmgr-x64.cxx
+++ b/basic/source/runtime/dllmgr-x64.cxx
@@ -319,12 +319,12 @@ ErrCode marshal(
break;
case SbxSTRING:
{
- std::vector< char > * blob2 = data.newBlob();
void * p;
ErrCode e = marshalString(variable, special, data, &p);
if (e != ERRCODE_NONE) {
return e;
}
+ std::vector< char >* blob2 = data.newBlob();
add(*blob2, p, 8, 0);
add(blob, address(*blob2), 8, offset);
break;
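Review bot: The ordering that keeps `blob2` valid is not documented: per the commit message, a pointer returned by `data.newBlob()` stops being usable once another blob is added to `data`, and nothing on the moved line says so, so a later edit can reintroduce the dangling pointer. I would add a comment above it, e.g. `// newBlob() must follow marshalString(): that call adds blobs to data and invalidates earlier newBlob() results`. Because `add(*blob2, p, 8, 0)` writes through the pointer, a stale `blob2` is presumably a write into storage the vector has already released rather than only a crash, which is worth stating in that comment. The same applies to the identical hunk in dllmgr-x86.cxx. marshal() starts and ends outside the hunk; its other case arms, and the `blob` reference itself if it can refer to a blob owned by `data`, would need the same check.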
diff --git a/basic/source/runtime/dllmgr-x86.cxx b/basic/source/runtime/dllmgr-x86.cxx
index 576e3da1b736..63fd3bcea160 100644
--- a/basic/source/runtime/dllmgr-x86.cxx
+++ b/basic/source/runtime/dllmgr-x86.cxx
@@ -334,12 +334,12 @@ ErrCode marshal(
break;
case SbxSTRING:
{
- std::vector< char > * blob2 = data.newBlob();
void * p;
ErrCode e = marshalString(variable, special, data, &p);
if (e != ERRCODE_NONE) {
return e;
}
+ std::vector< char > * blob2 = data.newBlob();
add(*blob2, p, 4, 0);
add(blob, address(*blob2), 4, offset);
break;