diff options
| author | Stephan Bergmann <sbergman@redhat.com> | 2023-08-03 13:21:44 +0200 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2023-08-04 10:46:42 +0200 |
| commit | ed7876f48acb9a7848b77ffeb50dc7f45d6a2c68 (patch) | |
| tree | db93d274311eb82198610302386e80f83dd3f116 /bridges | |
| parent | 1019104d9b2754aa8efaadb4aef046e732189b9b (diff) | |
Fix handling of float vs. double values
...which had been broken ever since f424e55b4e66ffbee5b34f45ef5ea18d77c4d15c
"INTEGRATION: CWS sixtyfour11 (1.7.22); FILE MERGED" had merged the
typelib_TypeClass_FLOAT case into the typelib_TypeClass_DOUBLE case, and which
caused
> ==612573==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fff4e6b0700 at pc 0x7f45a9d77d9e bp 0x7fff4e6af3f0 sp 0x7fff4e6af3e8
> WRITE of size 8 at 0x7fff4e6b0700 thread T0
> #0 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) at bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:155:51 (instdir/program/libgcc3_uno.so +0x118d9d)
> #1 in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13 (instdir/program/libgcc3_uno.so +0x112c1e)
> #2 in unoInterfaceProxyDispatch at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:330:13 (instdir/program/libgcc3_uno.so +0x10e333)
> #3 in stoc_corefl::(anonymous namespace)::IdlAttributeFieldImpl::get(com::sun::star::uno::Any const&) at stoc/source/corereflection/criface.cxx:141:9 (instdir/program/libreflectionlo.so +0x1f89e0)
> #4 in non-virtual thunk to stoc_corefl::(anonymous namespace)::IdlAttributeFieldImpl::get(com::sun::star::uno::Any const&) at stoc/source/corereflection/criface.cxx (instdir/program/libreflectionlo.so +0x1fc5fb)
> #5 in cppu::PropertySetMixinImpl::Impl::getProperty(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, com::sun::star::beans::PropertyState*) const at cppuhelper/source/propertysetmixin.cxx:563:24 (instdir/program/libuno_cppuhelpergcc3.so.3 +0x7d5059)
> #6 in cppu::PropertySetMixinImpl::getPropertyValue(rtl::OUString const&) at cppuhelper/source/propertysetmixin.cxx:994:20 (instdir/program/libuno_cppuhelpergcc3.so.3 +0x7e462f)
> #7 in reportdesign::OFixedText::getPropertyValue(rtl::OUString const&) at reportdesign/source/core/api/FixedText.cxx:143:34 (instdir/program/../program/librptlo.so +0x7452ad)
> #8 in non-virtual thunk to reportdesign::OFixedText::getPropertyValue(rtl::OUString const&) at reportdesign/source/core/api/FixedText.cxx (instdir/program/../program/librptlo.so +0x7452eb)
> #9 in rptui::OPropertyMediator::OPropertyMediator(com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&, std::__debug::map<rtl::OUString, std::pair<rtl::OUString, std::shared_ptr<rptui::AnyConverter>>, std::less<rtl::OUString>, std::allocator<std::pair<rtl::OUString const, std::pair<rtl::OUString, std::shared_ptr<rptui::AnyConverter>>>>>&&, bool) at reportdesign/source/core/sdr/PropertyForward.cxx:68:119 (instdir/program/../program/librptlo.so +0xbbbdb7)
> #10 in rptui::OUnoObject::CreateMediator(bool) at reportdesign/source/core/sdr/RptObject.cxx:878:31 (instdir/program/../program/librptlo.so +0xc16451)
>
> Address 0x7fff4e6b0700 is located in stack of thread T0 at offset 4288 in frame
> #0 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) at bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:50 (instdir/program/libgcc3_uno.so +0x1181d7)
>
> This frame has 3 object(s):
> [32, 104) 'data' (line 53)
> [144, 160) 'longs' (line 162)
> [176, 192) 'doubles' (line 166) <== Memory access at offset 4288 overflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
> (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:155:51 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*)
> Shadow bytes around the buggy address:
> 0x7fff4e6b0480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0680: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
> =>0x7fff4e6b0700:[04]cb cb cb cb cb cb cb 00 00 00 00 00 00 00 00
> 0x7fff4e6b0780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x7fff4e6b0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==612573==ABORTING
when opening <https://bugs.documentfoundation.org/attachment.cgi?id=174542>
Example2Fields.odb attached to
<https://bugs.documentfoundation.org/show_bug.cgi?id=144072> "LibreofficeBase
crashed when 2 fields selected in report builder from different sections and
width is adjusted 2nd time" and clicking "Edit..." in the context menu of the
"RptTasks" report.
Change-Id: I318765aede68353d475a0d672e0aea36ed12af29
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155286
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 3bcc14b4e2b226f97e937ca7a152218f8276ee39)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155294
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'bridges')
| -rw-r--r-- | bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx b/bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx index 680e8da819f2..75f29d8dd1de 100644 --- a/bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx +++ b/bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx @@ -153,6 +153,8 @@ void CPPU_CURRENT_NAMESPACE::callVirtualMethod( *static_cast<sal_uInt8 *>( pRegisterReturn ) = *reinterpret_cast<sal_uInt8*>( &data.rax ); break; case typelib_TypeClass_FLOAT: + *static_cast<float *>(pRegisterReturn) = *reinterpret_cast<float *>(&data.xmm0); + break; case typelib_TypeClass_DOUBLE: *static_cast<double *>( pRegisterReturn ) = data.xmm0; break; |