Avoid UBSan signed-integer-overflow

Desktop / LibreOffice - Stephan Bergmann [redhat.com] - 1 August 2020 06:20 UTC

...during CppunitTest_sd_import_tests_smartart:

> oox/source/drawingml/diagram/diagramlayoutatoms.cxx:656:50: runtime error: signed integer overflow: 1924451 - -2147483647 cannot be represented in type 'int'
> #0 in oox::drawingml::AlgAtom::layoutShape(std::shared_ptr const&, std::__debug::vector > const&, std::__debug::vector > const&) at oox/source/drawingml/diagram/diagramlayoutatoms.cxx:656:50
> #1 in oox::drawingml::ShapeLayoutingVisitor::visit(oox::drawingml::AlgAtom&) at oox/source/drawingml/diagram/layoutatomvisitors.cxx:202:19
> #2 in oox::drawingml::AlgAtom::accept(oox::drawingml::LayoutAtomVisitor&) at oox/source/drawingml/diagram/diagramlayoutatoms.cxx:386:14
> #3 in oox::drawingml::LayoutAtomVisitorBase::defaultVisit(oox::drawingml::LayoutAtom const&) at oox/source/drawingml/diagram/layoutatomvisitorbase.cxx:32:16
> #4 in oox::drawingml::ShapeLayoutingVisitor::visit(oox::drawingml::LayoutNode&) at oox/source/drawingml/diagram/layoutatomvisitors.cxx:243:5
> #5 in oox::drawingml::LayoutNode::accept(oox::drawingml::LayoutAtomVisitor&) at oox/source/drawingml/diagram/diagramlayoutatoms.cxx:1452:14
> #6 in oox::drawingml::LayoutAtomVisitorBase::defaultVisit(oox::drawingml::LayoutAtom const&) at oox/source/drawingml/diagram/layoutatomvisitorbase.cxx:32:16
> #7 in oox::drawingml::ShapeLayoutingVisitor::visit(oox::drawingml::LayoutNode&) at oox/source/drawingml/diagram/layoutatomvisitors.cxx:245:5
> #8 in oox::drawingml::LayoutNode::accept(oox::drawingml::LayoutAtomVisitor&) at oox/source/drawingml/diagram/diagramlayoutatoms.cxx:1452:14
> #9 in oox::drawingml::LayoutAtomVisitorBase::visit(oox::drawingml::ForEachAtom&) at oox/source/drawingml/diagram/layoutatomvisitorbase.cxx:98:20
> #10 in oox::drawingml::ForEachAtom::accept(oox::drawingml::LayoutAtomVisitor&) at oox/source/drawingml/diagram/diagramlayoutatoms.cxx:167:14
> #11 in oox::drawingml::LayoutAtomVisitorBase::defaultVisit(oox::drawingml::LayoutAtom const&) at oox/source/drawingml/diagram/layoutatomvisitorbase.cxx:32:16
> #12 in oox::drawingml::ShapeLayoutingVisitor::visit(oox::drawingml::LayoutNode&) at oox/source/drawingml/diagram/layoutatomvisitors.cxx:245:5
> #13 in oox::drawingml::LayoutNode::accept(oox::drawingml::LayoutAtomVisitor&) at oox/source/drawingml/diagram/diagramlayoutatoms.cxx:1452:14
> #14 in oox::drawingml::Diagram::addTo(std::shared_ptr const&) at oox/source/drawingml/diagram/diagram.cxx:122:30
> #15 in oox::drawingml::loadDiagram(std::shared_ptr const&, oox::core::XmlFilterBase&, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, oox::core::Relations const&) at oox/source/drawingml/diagram/diagram.cxx:356:15
> #16 in oox::drawingml::DiagramGraphicDataContext::onCreateContext(int, oox::AttributeList const&) at oox/source/drawingml/graphicshapecontext.cxx:252:9
> #17 in non-virtual thunk to oox::drawingml::DiagramGraphicDataContext::onCreateContext(int, oox::AttributeList const&) at oox/source/drawingml/graphicshapecontext.cxx
> #18 in oox::core::ContextHandler2Helper::implCreateChildContext(int, com::sun::star::uno::Reference const&) at oox/source/core/contexthandler2.cxx:94:34
> #19 in oox::core::ContextHandler2::createFastChildContext(int, com::sun::star::uno::Reference const&) at oox/source/core/contexthandler2.cxx:191:12
> #20 in non-virtual thunk to oox::core::ContextHandler2::createFastChildContext(int, com::sun::star::uno::Reference const&) at oox/source/core/contexthandler2.cxx
> #21 in (anonymous namespace)::Entity::startElement((anonymous namespace)::Event const*) at sax/source/fastparser/fastparser.cxx:432:44
> #22 in sax_fastparser::FastSaxParserImpl::callbackStartElement(unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, unsigned char const**) at sax/source/fastparser/fastparser.cxx:1246:21
> #23 in (anonymous namespace)::call_callbackStartElement(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) at sax/source/fastparser/fastparser.cxx:305:18
> #24 in xmlParseStartTag2 at workdir/UnpackedTarball/libxml2/parser.c:9588:6
> #25 in xmlParseTryOrFinish at workdir/UnpackedTarball/libxml2/parser.c:11378:14
> #26 in xmlParseChunk__internal_alias at workdir/UnpackedTarball/libxml2/parser.c:12280:13
> #27 in sax_fastparser::FastSaxParserImpl::parse() at sax/source/fastparser/fastparser.cxx:1046:21
> #28 in sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource const&) at sax/source/fastparser/fastparser.cxx:866:9
> #29 in sax_fastparser::FastSaxParser::parseStream(com::sun::star::xml::sax::InputSource const&) at sax/source/fastparser/fastparser.cxx:1369:13
> #30 in oox::core::FastParser::parseStream(com::sun::star::xml::sax::InputSource const&, bool) at oox/source/core/fastparser.cxx:121:15
> #31 in oox::core::FastParser::parseStream(com::sun::star::uno::Reference const&, rtl::OUString const&) at oox/source/core/fastparser.cxx:129:5
> #32 in oox::core::XmlFilterBase::importFragment(rtl::Reference const&, oox::core::FastParser&) at oox/source/core/xmlfilterbase.cxx:402:21
> #33 in oox::core::XmlFilterBase::importFragment(rtl::Reference const&) at oox/source/core/xmlfilterbase.cxx:331:12
> #34 in oox::ppt::PresentationFragmentHandler::importSlide(rtl::Reference const&, std::shared_ptr const&) at oox/source/ppt/presentationfragmenthandler.cxx:610:17
> #35 in oox::ppt::PresentationFragmentHandler::importSlide(unsigned int, bool, bool) at oox/source/ppt/presentationfragmenthandler.cxx:348:13
> #36 in oox::ppt::PresentationFragmentHandler::finalizeImport() at oox/source/ppt/presentationfragmenthandler.cxx:499:17
> #37 in oox::core::FragmentHandler2::endDocument() at oox/source/core/fragmenthandler2.cxx:54:5
> #38 in sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource const&) at sax/source/fastparser/fastparser.cxx:872:36
> #39 in sax_fastparser::FastSaxParser::parseStream(com::sun::star::xml::sax::InputSource const&) at sax/source/fastparser/fastparser.cxx:1369:13
> #40 in oox::core::FastParser::parseStream(com::sun::star::xml::sax::InputSource const&, bool) at oox/source/core/fastparser.cxx:121:15
> #41 in oox::core::FastParser::parseStream(com::sun::star::uno::Reference const&, rtl::OUString const&) at oox/source/core/fastparser.cxx:129:5
> #42 in oox::core::XmlFilterBase::importFragment(rtl::Reference const&, oox::core::FastParser&) at oox/source/core/xmlfilterbase.cxx:402:21
> #43 in oox::core::XmlFilterBase::importFragment(rtl::Reference const&) at oox/source/core/xmlfilterbase.cxx:331:12
> #44 in oox::ppt::PowerPointImport::importDocument() at oox/source/ppt/pptimport.cxx:145:17
> #45 in oox::core::FilterBase::filter(com::sun::star::uno::Sequence const&) at oox/source/core/filterbase.cxx:485:49
> #46 in oox::ppt::PowerPointImport::filter(com::sun::star::uno::Sequence const&) at oox/source/ppt/pptimport.cxx:223:24
> #47 in SfxObjectShell::ImportFrom(SfxMedium&, com::sun::star::uno::Reference const&) at sfx2/source/doc/objstor.cxx:2251:34
> #48 in sd::DrawDocShell::ImportFrom(SfxMedium&, com::sun::star::uno::Reference const&) at sd/source/ui/docshell/docshel4.cxx:399:39
> #49 in SfxObjectShell::DoLoad(SfxMedium*) at sfx2/source/doc/objstor.cxx:738:23
> #50 in SdModelTestBase::loadURL(rtl::OUString const&, int, std::shared_ptr) at sd/qa/unit/sdmodeltestbase.hxx:181:30
> #51 in SdImportTestSmartArt::testText() at sd/qa/unit/import-tests-smartart.cxx:250:37

As discussed on IRC:

> Jul 31 18:52:58 sberg: yes, that looks reasonable, clearly the
> expectation is that there is at least one element, in which case that
> nVertMin grows from 0 and nVertMax shrinks from
> std::numeric_limits::max()
> Jul 31 18:54:43 sberg: sounds like i made that mistake in
> acdde3c643fde015214c546b1567727272ea799e, but recently i added a test that
> now uncovered the problem :)

Change-Id: I0ee11dbab568af788f9e2786c3dca2c1a5e1ee08
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/99902

ae4a69d7559a Avoid UBSan signed-integer-overflow
oox/source/drawingml/diagram/diagramlayoutatoms.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
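
The failure mode in the report above, as an added example (not LibreOffice code and not the change made by this commit): a sentinel-initialised min/max pair that no element ever updates yields a span of -2147483647, and subtracting that from 1924451 leaves the range of `int`. `Box`, `Extent`, `scanExtent`, `wideFreeSpace` and `freeSpace` are hypothetical names, and which bound starts at which sentinel is an assumption chosen to reproduce the reported operands.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical stand-in for a laid-out child shape (not the oox type).
struct Box { std::int32_t top; std::int32_t bottom; };
struct Extent { std::int32_t lo; std::int32_t hi; };

// Sentinel-initialised scan: the result is only meaningful if the loop
// body runs at least once; otherwise both sentinels come back untouched.
Extent scanExtent(const std::vector<Box>& children) {
    Extent e{std::numeric_limits<std::int32_t>::max(), 0};
    for (const Box& b : children) {
        e.lo = std::min(e.lo, b.top);
        e.hi = std::max(e.hi, b.bottom);
    }
    return e;
}

// Mathematical value of `parentHeight - (hi - lo)`, computed in 64 bits so
// that this demonstration itself contains no undefined behaviour.
std::int64_t wideFreeSpace(std::int32_t parentHeight, const std::vector<Box>& children) {
    const Extent e = scanExtent(children);
    const std::int64_t span = static_cast<std::int64_t>(e.hi) - e.lo;
    return parentHeight - span;
}

// Guarded form: treat "no children" explicitly and refuse any result that
// does not fit in 32 bits (e.g. an inverted box from a malformed document).
bool freeSpace(std::int32_t parentHeight, const std::vector<Box>& children, std::int32_t& out) {
    if (children.empty()) { out = parentHeight; return true; }
    const std::int64_t rest = wideFreeSpace(parentHeight, children);
    if (rest < std::numeric_limits<std::int32_t>::min() ||
        rest > std::numeric_limits<std::int32_t>::max())
        return false;
    out = static_cast<std::int32_t>(rest);
    return true;
}

int main() {
    std::int32_t out = 0;
    const long long wide = wideFreeSpace(1924451, {});  // operand from the report
    const bool ok = freeSpace(1924451, {}, out);
    std::printf("unguarded, no children: %lld (INT32_MAX is 2147483647)\n", wide);
    std::printf("guarded,   no children: ok=%d out=%d\n", ok ? 1 : 0, static_cast<int>(out));
}
```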

Upstream: cgit.freedesktop.org

