From 8f97326bdd3f42fc82aa5e1989fd03b0af1daf64 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann
Date: Wed, 21 May 2014 18:22:27 +0200
Subject: So ZCodec::ReadAsynchron was wrong in using a persistent mpIStm after all

The fun thing is that with the (only) call-site to ReadAsynchron in PNGReaderImpl::ImplReadIDAT (vcl/source/gdi/pngread.cxx) passing in rIStm references to stack-allocated SvMemoryStream instances, mpIStm could point to an old, destroyed instance from a previous call, but which would have been located at exactly the same stack address as the currently passed in rIStm, so the wrong mpIStm->Read call would effectively behaved exactly the same as a correct rIStm.Read call. This went unnoticed "since the beginning" until AddressSanitizer's UseAfterReturn check came along...

Change-Id: I7c75ed2d36a4c24c111d88eff647816bd2c5dbca
---
 include/tools/zcodec.hxx       | 1 -
 tools/source/zcodec/zcodec.cxx | 6 ++----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/include/tools/zcodec.hxx b/include/tools/zcodec.hxx
index c7424ab592cb..63a5ec2002e2 100644
--- a/include/tools/zcodec.hxx
+++ b/include/tools/zcodec.hxx
@@ -39,7 +39,6 @@ class TOOLS_DLLPUBLIC ZCodec
     State meState;
     bool mbStatus;
     bool mbFinish;
-    SvStream* mpIStm;
     sal_uInt8* mpInBuf;
     sal_uIntPtr mnInBufSize;
     sal_uIntPtr mnInToRead;
diff --git a/tools/source/zcodec/zcodec.cxx b/tools/source/zcodec/zcodec.cxx
index 47c97dc2fdf4..2e9ad1ff896a 100644
--- a/tools/source/zcodec/zcodec.cxx
+++ b/tools/source/zcodec/zcodec.cxx
@@ -41,7 +41,6 @@ ZCodec::ZCodec( sal_uIntPtr nInBufSize, sal_uIntPtr nOutBufSize )
     : meState(STATE_INIT)
     , mbStatus(false)
     , mbFinish(false)
-    , mpIStm(NULL)
     , mpInBuf(NULL)
     , mnInBufSize(nInBufSize)
     , mnInToRead(0)
@@ -66,7 +65,7 @@ void ZCodec::BeginCompression( int nCompressLevel, bool updateCrc, bool gzLib )
     assert(meState == STATE_INIT);
     mbStatus = true;
     mbFinish = false;
-    mpIStm = mpOStm = NULL;
+    mpOStm = NULL;
     mnInToRead = 0xffffffff;
     mpInBuf = mpOutBuf = NULL;
     PZSTREAM->total_out = PZSTREAM->total_in = 0;
@@ -249,7 +248,6 @@ long ZCodec::ReadAsynchron( SvStream& rIStm, sal_uInt8* pData, sal_uIntPtr nSize
     if (meState == STATE_INIT)
     {
         InitDecompress(rIStm);
-        mpIStm = &rIStm;
     }
     PZSTREAM->avail_out = nSize;
     PZSTREAM->next_out = pData;
@@ -267,7 +265,7 @@ long ZCodec::ReadAsynchron( SvStream& rIStm, sal_uInt8* pData, sal_uIntPtr nSize
                 break;
             }

-            PZSTREAM->avail_in = mpIStm->Read (
+            PZSTREAM->avail_in = rIStm.Read (
                 PZSTREAM->next_in = mpInBuf, nInToRead);
             mnInToRead -= nInToRead;

-- 
cgit v1.2.3
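Review bot: The lifetime contract this fix depends on is still undocumented at the `rIStm.Read` call: the stream reference is now used only for the duration of the call, but `mnInToRead`, `mpInBuf` and the z_stream state persist in the ZCodec object between calls, so successive ReadAsynchron calls must supply the continuation of the same compressed byte sequence even when, as at the PNG call site described in the message, each call passes a different stack-allocated SvMemoryStream. I would state that on the ReadAsynchron declaration in zcodec.hxx: `// rIStm is used only for the duration of this call and is never retained; a caller that passes a fresh stream per call must feed it the next bytes of the same deflate stream.` A second point is that the result of `rIStm.Read` goes into `avail_in` unchecked while `mnInToRead -= nInToRead` assumes the full requested count was consumed, so a short read leaves the remaining-input accounting off by the shortfall; whether that is handled by the surrounding loop cannot be seen from this hunk. ReadAsynchron's body begins and ends outside the hunk.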