sc/source/core/tool/reffind.cxx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
New commits: commit c7c7f1c39630890f0c6eadbf9cd44b3ba88f9d81 Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Tue Apr 11 10:35:36 2023 +0200 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Tue Apr 11 20:39:03 2023 +0200 Fix heap-buffer-overflow ...during CppunitTest_sc_ucalc, after 40e3e9fd1c501cc1978d4370b6392701ccd42a71 "tdf#113027 - Allow cycling cell reference types including whitespaces", > ==5140==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000cfba74 at pc 0x7f36cb07ef6e bp 0x7ffd061d34d0 sp 0x7ffd061d34c8 > READ of size 2 at 0x604000cfba74 thread T0 > #0 0x7f36cb07ef6d in (anonymous namespace)::FindEndPosR1C1(char16_t const*, int, int) /sc/source/core/tool/reffind.cxx:91:13 > #1 0x7f36cb07cf0f in (anonymous namespace)::FindEndPos(char16_t const*, int, int, formula::FormulaGrammar::AddressConvention) /sc/source/core/tool/reffind.cxx:126:20 > #2 0x7f36cb07b029 in ScRefFinder::ToggleRel(int, int) /sc/source/core/tool/reffind.cxx:262:28 > #3 0x7f36c7b8482b in testTdf113027::TestBody() /sc/qa/unit/ucalc.cxx:467:13 > > 0x604000cfba74 is located 0 bytes to the right of 36-byte region [0x604000cfba50,0x604000cfba74) > allocated by thread T0 here: > #0 0x4b7c20 in malloc /home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 > #1 0x7f371b927c59 in _rtl_uString* rtl::str::Alloc<_rtl_uString>(int) /sal/rtl/strtmpl.hxx:833:46 > #2 0x7f371b92640f in void rtl::str::newFromStr_WithLength<_rtl_uString, char>(_rtl_uString**, char const*, int, int) /sal/rtl/strtmpl.hxx:947:15 > #3 0x7f371b9797f0 in rtl_uString_newFromLiteral /sal/rtl/ustring.cxx:1252:5 > #4 0x7f36c7dab771 in rtl::OUString::OUString<char const [14]>(char const (&) [14], rtl::libreoffice_internal::ConstCharArrayDetector<char const [14], rtl::libreoffice_internal::Dummy>::Type) /include/rtl/ustring.hxx:365:13 > #5 0x7f36c7b843e8 in testTdf113027::TestBody() /sc/qa/unit/ucalc.cxx:462:31 (<https://ci.libreoffice.org/job/lo_ubsan/2739/>) 
Change-Id: Ie8d053cdb56bdf00bf21663b05521eca632ddfbc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150219 Reviewed-by: Andreas Heinisch <andreas.heini...@yahoo.de> Tested-by: Jenkins (cherry picked from commit dc80c92a1e63fd88560fd77261b96f6c5be97273) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150199 Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/sc/source/core/tool/reffind.cxx b/sc/source/core/tool/reffind.cxx
index c2851c7ff247..63c53a4f5e57 100644
--- a/sc/source/core/tool/reffind.cxx
+++ b/sc/source/core/tool/reffind.cxx
@@ -91,7 +91,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32 nStartPos, sal_Int32 nE
 if (*p == '\'')
 {
 // Skip until the closing quote.
-for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
 if (*p == '\'')
 break;
 if (nNewEnd > nEndPos)
@@ -100,7 +100,7 @@ sal_Int32 FindEndPosR1C1(const sal_Unicode* p, sal_Int32 nStartPos, sal_Int32 nE
 else if (*p == '[')
 {
 // Skip until the closing bracket.
-for (++p; nNewEnd <= nEndPos; ++p, ++nNewEnd)
+for (++p, ++nNewEnd; nNewEnd <= nEndPos; ++p, ++nNewEnd)
 if (*p == ']')
 break;
 if (nNewEnd > nEndPos)
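Review bot: The invariant that makes the new init clause correct — `p` points at character index `nNewEnd` for the whole loop, so `*p` is only dereferenced while `nNewEnd <= nEndPos` — is not written down anywhere, and the overflow being fixed was exactly a one-step drift between the pointer and the index; a comment on the loop in both hunks would guard against reintroducing it, e.g. `// p and nNewEnd track the same position: advance them in lockstep so the loop bound covers every read of *p.` The same change and the same remark apply to the second hunk (the `'['` branch). FindEndPosR1C1 begins before the first hunk and the unterminated-delimiter handling after `if (nNewEnd > nEndPos)` lies outside both hunks, so how a missing closing quote or bracket is reported is not visible here. The two loops differ only in the closing character, so a small file-local helper taking the delimiter would remove the duplication that let the same off-by-one appear twice.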