oox/source/drawingml/textbody.cxx   |   17 ++++++++++-------
 vcl/source/filter/idxf/dxfentrd.cxx |    2 +-
 2 files changed, 11 insertions(+), 8 deletions(-)

New commits:
commit 148f45253f75bc724804f3231a0b04b2d453e0c7
Author:     Hossein <[email protected]>
AuthorDate: Sat Apr 23 05:14:02 2022 +0200
Commit:     Thorsten Behrens <[email protected]>
CommitDate: Wed Apr 27 12:16:38 2022 +0200

    tdf#148665 Fix crash while loading SmartArt graphics
    
    The regression introduced by c79fa460fe6220051bbda2d3c0cb67fbf765e2ac
    causes LibreOffice to crash while loading certain files that contain
    SmartArt graphics.
    
    By loading sample documents from tdf#148665 (docx) and also tdf#148735
    (pptx) in a debug session, it became obvious that the problem happens
    in these statements from TextBody::toString() in textbody.cxx:
    
         if (!isEmpty())
             return maParagraphs.front()->getRuns().front()->getText();
    
    It is guaranteed that maParagraphs is not empty when trying to call
    getRuns(), but it is not checked whether the first paragraph has any
    runs before trying to call getText(). The isEmpty() function
    returns false upon finding out that there is at least 1 paragraph.
    
    A check is added to TextBody::toString() to prevent a crash.
    
    This is the backtrace generated from loading documents from tdf#148735
    in a Qt Creator debug session:
    
    1   __GI_raise  raise.c   50   0x7ffff79ec03b
    2   __GI_abort  abort.c   79   0x7ffff79cb859
    3   ??   0x7ffff7846109
    4   std::vector<std::shared_ptr<oox::drawingml::TextRun>>::front  vector  
443  0x7fffd23d1fa6
    5   oox::drawingml::TextBody::toString  textbody.cxx  92   0x7fffd23d0f85
    6   
oox::drawingml::DiagramData::secureDataFromShapeToModelAfterDiagramImport 
datamodel.cxx   295  0x7fffd22d3047
    7   oox::drawingml::AdvancedDiagramHelper::doAnchor   diagramhelper.cxx   
213  0x7fffd22fb92d
    8   oox::drawingml::Shape::propagateDiagramHelper   shape.cxx   229  
0x7fffd2372a27
    9   oox::ppt::PPTShape::addShape  pptshape.cxx  574  0x7fffd25b2bd4
    10  oox::ppt::SlidePersist::createXShapes   slidepersist.cxx  150  
0x7fffd25d81ea
    11  oox::ppt::PresentationFragmentHandler::importSlide  
presentationfragmenthandler.cxx 404  0x7fffd25c1a78
    12  oox::ppt::PresentationFragmentHandler::finalizeImport   
presentationfragmenthandler.cxx 550  0x7fffd25c3331
    13  oox::core::FragmentHandler2::endDocument  fragmenthandler2.cxx  53   
0x7fffd22364ab
    14  sax_fastparser::FastSaxParserImpl::parseStream  fastparser.cxx  907  
0x7fffe18b2d2b
    15  sax_fastparser::FastSaxParser::parseStream  fastparser.cxx  1480 
0x7fffe18b71d2
    16  oox::core::FastParser::parseStream  fastparser.cxx  121  0x7fffd221d85b
    17  oox::core::FastParser::parseStream  fastparser.cxx  129  0x7fffd221d930
    18  oox::core::XmlFilterBase::importFragment  xmlfilterbase.cxx   413  
0x7fffd2248ba5
    19  oox::core::XmlFilterBase::importFragment  xmlfilterbase.cxx   343  
0x7fffd2248687
    20  oox::ppt::PowerPointImport::importDocument  pptimport.cxx   109  
0x7fffd25a89e2
    ... <More>
    
    Change-Id: I3a40be33061008b93455a5926259ef5b92e4ffe6
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133341
    Tested-by: Jenkins
    Tested-by: Julien Nabet <[email protected]>
    Reviewed-by: Thorsten Behrens <[email protected]>

diff --git a/oox/source/drawingml/textbody.cxx 
b/oox/source/drawingml/textbody.cxx
index 41a237e97cee..0f053ab6ad74 100644
--- a/oox/source/drawingml/textbody.cxx
+++ b/oox/source/drawingml/textbody.cxx
@@ -77,21 +77,24 @@ bool TextBody::isEmpty() const
     if ( maParagraphs.size() > 1 )
         return false;
 
-    const TextRunVector aRuns = maParagraphs[0]->getRuns();
-    if ( aRuns.empty() )
+    const TextRunVector& rRuns = maParagraphs[0]->getRuns();
+    if ( rRuns.empty() )
         return true;
-    if ( aRuns.size() > 1 )
+    if ( rRuns.size() > 1 )
         return false;
 
-    return aRuns[0]->getText().isEmpty();
+    return rRuns[0]->getText().isEmpty();
 }
 
 OUString TextBody::toString() const
 {
     if (!isEmpty())
-        return maParagraphs.front()->getRuns().front()->getText();
-    else
-        return OUString();
+    {
+        const TextRunVector& rRuns = maParagraphs.front()->getRuns();
+        if(!rRuns.empty())
+            return rRuns.front()->getText();
+    }
+    return OUString();
 }
 
 bool TextBody::hasVisualRunProperties() const
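Review bot: The new `rRuns.empty()` guard in toString() depends on a property of isEmpty() that the code does not state: isEmpty() returns false as soon as `maParagraphs.size() > 1`, without looking at the first paragraph's runs. A one-line comment above the guard would keep the check from being removed as redundant later, for example `// isEmpty() is false for multi-paragraph bodies even if the first paragraph has no runs`. With the guard in place, toString() returns an empty string for a body whose first paragraph has no runs but whose later paragraphs do, so it is worth confirming that the diagram import caller in the backtrace accepts that. Since the input comes from a document file, a regression test using one of the tdf#148665 samples would pin the behaviour. isEmpty() begins outside the hunk, so its handling of an empty maParagraphs is not visible here.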
commit 221da351f37c33296c2e3ce17334280bfb9226cc
Author:     Caolán McNamara <[email protected]>
AuthorDate: Wed Apr 27 10:14:50 2022 +0100
Commit:     Caolán McNamara <[email protected]>
CommitDate: Wed Apr 27 12:16:23 2022 +0200

    ofz#47051 Out-of-memory
    
    Change-Id: Ie5276cfda3abe2f4787d2fa85d916449390ddda2
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133497
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git a/vcl/source/filter/idxf/dxfentrd.cxx 
b/vcl/source/filter/idxf/dxfentrd.cxx
index ba7cae6adb76..b4915c6573f8 100644
--- a/vcl/source/filter/idxf/dxfentrd.cxx
+++ b/vcl/source/filter/idxf/dxfentrd.cxx
@@ -671,7 +671,7 @@ void DXFHatchEntity::EvaluateGroup( DXFGroupReader & rDGR )
             bIsInBoundaryPathContext = true;
             nMaxBoundaryPathCount = rDGR.GetI();
             // limit alloc to max reasonable size based on remaining data in 
stream
-            if (nMaxBoundaryPathCount > 0 && 
o3tl::make_unsigned(nMaxBoundaryPathCount) > rDGR.remainingSize())
+            if (nMaxBoundaryPathCount > 0 && 
o3tl::make_unsigned(nMaxBoundaryPathCount) <= rDGR.remainingSize())
                 aBoundaryPathData.reserve(nMaxBoundaryPathCount);
             else
                 nMaxBoundaryPathCount = 0;
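Review bot: The corrected condition still compares an element count with a byte count, so `aBoundaryPathData.reserve(nMaxBoundaryPathCount)` can request the count multiplied by the element size, which may be many times the size of the input. The element type is not visible in this hunk, so the factor is unknown. If each boundary path consumes at least a known minimum number of bytes in the stream, dividing `rDGR.remainingSize()` by that minimum before the comparison would tighten the limit. The else branch also resets the count to 0 silently for an over-large value; a comment such as `// declared count exceeds the remaining data: treat the file as having no boundary paths` would record that this is deliberate. EvaluateGroup's body extends beyond the hunk on both sides.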
