vcl/source/filter/ipdf/pdfdocument.cxx |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

New commits:
commit 15995c4d464505f6d4e6725901f7678795ec6f74
Author:     Stephan Bergmann <[email protected]>
AuthorDate: Sat Feb 21 15:59:56 2026 +0100
Commit:     Stephan Bergmann <[email protected]>
CommitDate: Sat Feb 21 17:10:55 2026 +0100

    Fix heap-use-after-free
    
    ...as seen during CppunitTest_sd_tiledrendering2,
    
    > ==1656617==ERROR: AddressSanitizer: heap-use-after-free on address 
0x531000155fe7 at pc 0x55e2bd9ad71d bp 0x7ffde61a2210 sp 0x7ffde61a19d0
    > READ of size 177 at 0x531000155fe7 thread T0
    >     #0 0x55e2bd9ad71c in __asan_memcpy 
/home/tdf/lode/packages/llvm-llvmorg-18.1.8.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    >     #1 0x7f9c90d91bb2 in SvMemoryStream::PutData(void const*, unsigned 
long) /tools/source/stream/stream.cxx:1578:5
    >     #2 0x7f9c90d6e77f in SvStream::WriteBytes(void const*, unsigned long) 
/tools/source/stream/stream.cxx:1195:26
    >     #3 0x7f9c83b80030 in 
vcl::filter::PDFDocument::WriteCatalogObject(int, 
vcl::filter::PDFReferenceElement*&) 
/vcl/source/filter/ipdf/pdfdocument.cxx:577:27
    >
    > 0x531000155fe7 is located 6119 bytes inside of 65180-byte region 
[0x531000154800,0x53100016469c)
    > freed by thread T0 here:
    >     #0 0x55e2bd9faf30 in operator delete[](void*) 
/home/tdf/lode/packages/llvm-llvmorg-18.1.8.src/compiler-rt/lib/asan/asan_new_delete.cpp:146:3
    >     #1 0x7f9c90d8f873 in SvMemoryStream::FreeMemory() 
/tools/source/stream/stream.cxx:1694:9
    >     #2 0x7f9c90d92f0f in SvMemoryStream::ReAllocateMemory(long) 
/tools/source/stream/stream.cxx:1671:9
    >     #3 0x7f9c90d91703 in SvMemoryStream::PutData(void const*, unsigned 
long) /tools/source/stream/stream.cxx:1569:22
    >     #4 0x7f9c90d6e77f in SvStream::WriteBytes(void const*, unsigned long) 
/tools/source/stream/stream.cxx:1195:26
    >     #5 0x7f9c83b80030 in 
vcl::filter::PDFDocument::WriteCatalogObject(int, 
vcl::filter::PDFReferenceElement*&) 
/vcl/source/filter/ipdf/pdfdocument.cxx:577:27
    
    (<https://ci.libreoffice.org//job/lo_ubsan/3829/>)
    
    Change-Id: I38abb9870ffcce3aaf198543e130898817d8fe3e
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/199944
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <[email protected]>

diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx 
b/vcl/source/filter/ipdf/pdfdocument.cxx
index bce5265de69e..bbb9b84ea5bc 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -574,9 +574,10 @@ bool PDFDocument::WriteCatalogObject(sal_Int32 nAnnotId, 
PDFReferenceElement*& p
         if (!pAcroFormDictionary)
         {
             // No AcroForm key, assume no signatures.
-            m_aEditBuffer.WriteBytes(static_cast<const 
char*>(m_aEditBuffer.GetData())
-                                         + pCatalog->GetDictionaryOffset(),
-                                     pCatalog->GetDictionaryLength());
+            auto const p = static_cast<const char*>(m_aEditBuffer.GetData())
+                           + pCatalog->GetDictionaryOffset();
+            std::vector<char> copy(p, p + pCatalog->GetDictionaryLength());
+            m_aEditBuffer.WriteBytes(copy.data(), copy.size());
             m_aEditBuffer.WriteOString("/AcroForm<</Fields[
");
             m_aEditBuffer.WriteNumberAsString(nAnnotId);
             m_aEditBuffer.WriteOString(" 0 R
]/SigFlags 3>>
");
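Review bot: The new `std::vector<char> copy(...)` line has no comment saying why the bytes are staged outside `m_aEditBuffer`, so a later cleanup could fold it back into a direct `WriteBytes` from `GetData()` and reintroduce the use-after-free shown in the ASan trace. I would add above the `auto const p` line: `// Copy first: WriteBytes may reallocate m_aEditBuffer and invalidate the pointer returned by GetData()`. Any other `WriteBytes` call in `WriteCatalogObject` that reads from `m_aEditBuffer.GetData()` would presumably share the hazard, but the function body starts and ends outside this hunk, so that cannot be confirmed here. The offset and length come from the parsed catalog and no bounds check against the buffer size is visible in the hunk, so it is worth confirming one exists before `p + pCatalog->GetDictionaryLength()` is formed.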
