svtools/source/svhtml/parhtml.cxx | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
New commits: commit f33ca5e3ba342e8251ab8177105a9b4b231b73e0 Author: Caolán McNamara <[email protected]> AuthorDate: Tue Jul 24 17:36:13 2018 +0100 Commit: Caolán McNamara <[email protected]> CommitDate: Tue Jul 24 21:09:44 2018 +0100 ofz#7621 tight OUString concat loop causes libfuzzer oom it doesn't get a chance to release memory and falls over with an oom Change-Id: I20eb91223de3aa00f3e2f4131ad212f1cfde6ff3
diff --git a/svtools/source/svhtml/parhtml.cxx b/svtools/source/svhtml/parhtml.cxx
index be3167d30053..d887f4084ab8 100644
--- a/svtools/source/svhtml/parhtml.cxx
+++ b/svtools/source/svhtml/parhtml.cxx
@@ -1218,12 +1218,15 @@ HtmlTokenId HTMLParser::GetNextToken_()
 bool bDone = false;
 // Read until closing %>. If not found restart at first >.
+ sal_Unicode nLastTokenChar = !aToken.isEmpty() ? aToken[aToken.getLength() - 1] : 0;
+ OUStringBuffer aTmpBuffer(aToken);
 while( !bDone && !rInput.eof() && IsParserWorking() )
 {
- bDone = '>'==nNextCh && aToken.endsWith("%");
+ bDone = '>'==nNextCh && nLastTokenChar == '%';
 if( !bDone )
 {
- aToken += OUString(&nNextCh,1);
+ aTmpBuffer.appendUtf32(nNextCh);
+ nLastTokenChar = aTmpBuffer[aTmpBuffer.getLength() - 1];
 nNextCh = GetNextChar();
 }
 }
@@ -1237,6 +1240,7 @@ HtmlTokenId HTMLParser::GetNextToken_()
 nRet = HtmlTokenId::TEXTTOKEN;
 break;
 }
+ aToken = aTmpBuffer.makeStringAndClear();
 if( IsParserWorking() )
 {
 sSaveToken = aToken;
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
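Review bot: The read loop in the first hunk still grows `aTmpBuffer` with no upper bound, so a `<%` that is never closed by `%>` buffers the rest of the stream before the not-found handling (between the two hunks, not visible here) gets to run. Replacing `aToken += OUString(&nNextCh,1)` with the buffer removes the per-character reallocation, but peak memory stays proportional to untrusted input. If a maximum length for such a token is acceptable, a bound in the loop condition such as `&& aTmpBuffer.getLength() < nMaxTokenLen` (placeholder name) would presumably let oversized input fall through to the existing restart path. Separately, `aToken` is stale from the start of the loop until `aToken = aTmpBuffer.makeStringAndClear();` in the second hunk, which deserves a comment above the buffer declaration, e.g. `// text accumulates in aTmpBuffer; aToken is only updated after the loop`. GetNextToken_ begins and ends outside both hunks, so any read of `aToken` in the unseen lines between them should be checked against this.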
