authorStephan Bergmann <sbergman@redhat.com>2022-03-18 14:12:56 +0100
committerStephan Bergmann <sbergman@redhat.com>2022-03-18 15:33:50 +0100
commit9074f5602a9b0b51349647f29d8537256217ebe7 (patch)
treef7c7709c0e95b6c753265be040568f2dd70b3e2a /stoc
parentcfa5489982a84f847d86b8bf8ce49b25e033ed48 (diff)
tdf#148063: Avoid dereferencing potentially bad user-supplied TypeDescription
...from Basic script > sub foo > a = Array() > oUnoValue = CreateUnoValue( "[]", a ) > end sub at > Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault. > 0x00007fffc413b2db in stoc_tcv::(anonymous namespace)::TypeConverter_Impl::convertTo (this=0x3269200, rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at stoc/source/typeconv/convert.cxx:537 > 537 reinterpret_cast<typelib_IndirectTypeDescription *>(aDestTD.get())->pType ); > (gdb) bt > #0 0x00007fffc413b2db in stoc_tcv::(anonymous namespace)::TypeConverter_Impl::convertTo(com::sun::star::uno::Any const&, com::sun::star::uno::Type const&) (this=0x3269200, rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at stoc/source/typeconv/convert.cxx:537 > #1 0x00007fffc413d144 in non-virtual thunk to stoc_tcv::(anonymous namespace)::TypeConverter_Impl::convertTo(com::sun::star::uno::Any const&, com::sun::star::uno::Type const&) () at instdir/program/libstocserviceslo.so > #2 0x00007ffff4fe0264 in convertAny(com::sun::star::uno::Any const&, com::sun::star::uno::Type const&) (rVal=uno::Any("[]any": empty uno::Sequence), aDestType=invalid uno::Type) at basic/source/classes/sbunoobj.cxx:324 > #3 0x00007ffff4fdfe79 in RTL_Impl_CreateUnoValue(SbxArray&) (rPar=...) at basic/source/classes/sbunoobj.cxx:4157 > #4 0x00007ffff513b1b0 in SbRtl_CreateUnoValue(StarBASIC*, SbxArray&, bool) (rPar=...) at basic/source/runtime/methods1.cxx:1403 > #5 0x00007ffff50ea80e in SbiStdObject::Notify(SfxBroadcaster&, SfxHint const&) (this=0x2003400, rBC=..., rHint=...) at basic/source/runtime/stdobj.cxx:1059 > #6 0x00007ffff3decfae in SfxBroadcaster::Broadcast(SfxHint const&) (this=0x3329e90, rHint=...) 
at svl/source/notify/SfxBroadcaster.cxx:39 > #7 0x00007ffff518e772 in SbxVariable::Broadcast(SfxHintId) (this=0x31e8f60, nHintId=SfxHintId::BasicDataWanted) at basic/source/sbx/sbxvar.cxx:151 > #8 0x00007ffff5186d4f in SbxValue::SbxValue(SbxValue const&) (this=0x31ff450, vtt=0x7ffff51ae718 <VTT for SbxMethod+16>, r=...) at basic/source/sbx/sbxvalue.cxx:66 > #9 0x00007ffff518d291 in SbxVariable::SbxVariable(SbxVariable const&) (this=0x31ff450, vtt=0x7ffff51ae710 <VTT for SbxMethod+8>, r=...) at basic/source/sbx/sbxvar.cxx:45 > #10 0x00007ffff517d44a in SbxMethod::SbxMethod(SbxMethod const&) (this=0x31ff450, r=...) at basic/source/sbx/sbxobj.cxx:838 > #11 0x00007ffff510386b in SbiRuntime::FindElement(SbxObject*, unsigned int, unsigned int, ErrCode, bool, bool) (this=0x2d6f400, pObj=0x2003400, nOp1=32773, nOp2=9, nNotFound=..., bLocal=false, bStatic=false) at basic/source/runtime/runtime.cxx:3709 > #12 0x00007ffff50f5a91 in SbiRuntime::StepRTL(unsigned int, unsigned int) (this=0x2d6f400, nOp1=32773, nOp2=9) at basic/source/runtime/runtime.cxx:4131 > #13 0x00007ffff50faef8 in SbiRuntime::Step() (this=0x2d6f400) at basic/source/runtime/runtime.cxx:830 [...] Change-Id: I552f0360aaf3f9aa6a499aa5ea6eca9ae37e4614 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131739 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Diffstat (limited to 'stoc')
-rw-r--r--stoc/source/typeconv/convert.cxx11
1 files changed, 11 insertions, 0 deletions
diff --git a/stoc/source/typeconv/convert.cxx b/stoc/source/typeconv/convert.cxx
index 2f87b4f42500..1b50c94494fb 100644
--- a/stoc/source/typeconv/convert.cxx
+++ b/stoc/source/typeconv/convert.cxx
@@ -527,6 +527,17 @@ Any SAL_CALL TypeConverter_Impl::convertTo( const Any& rVal, const Type& aDestTy
TypeDescription aSourceTD( aSourceType );
TypeDescription aDestTD( aDestType );
+ // For a sequence type notation "[]...", SequenceTypeDescription in
+ // cppuhelper/source/typemanager.cxx resolves the "..." component type notation part
+ // only lazily, so it could happen here that bad user input (e.g., "[]" or "[]foo" from
+ // a Basic script CreateUnoValue call) leads to a bad but as-of-yet undetected
+ // aDestType, so check it here; this is less likely an issue for the non-sequence type
+ // classes, whose notation is not resolved lazily based on their syntax:
+ if (!aDestTD.is()) {
+ throw css::lang::IllegalArgumentException(
+ "Bad XTypeConverter::convertTo destination " + aDestType.getTypeName(),
+ static_cast<cppu::OWeakObject *>(this), 1);
+ }
typelib_TypeDescription * pSourceElementTD = nullptr;
TYPELIB_DANGER_GET(
&pSourceElementTD,