| Summary: | XMultiPropertySet::setPropertyValues implementations may try to read beyond the passed arguments | ||
|---|---|---|---|
| Product: | LibreOffice | Reporter: | Mike Kaganski <mikekaganski> |
| Component: | sdk | Assignee: | Mike Kaganski <mikekaganski> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | aron.budea |
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Crash report or crash signature: | Regression By: | ||
Fixed by commit b15eb164a8e44c02c196cef9f3de5e5478eb78de. |
Consider this macro: Sub Main oTextElementEnum = thisComponent.getText().createEnumeration() while oTextElementEnum.hasMoreElements() oTextElement = oTextElementEnum.nextElement if oTextElement.supportsService("com.sun.star.text.Paragraph") then oTextElement.setPropertyValues(array("ParaAdjust"), array()) end if wend End Sub setPropertyValues [1] is called with two arrays of different length, values length being less than names. This crashes the process. In some implementations of setPropertyValues, we use the minimum of lengths of names and values; in others, we throw an IllegalArgumentException. But obviously, sometimes we don't check the length at all, and try to read values, assuming that they have at least as many elements as names. Since this is user-supplied data, we can't assume that, and crashing is incorrect in this case. [1] https://api.libreoffice.org/docs/idl/ref/interfacecom_1_1sun_1_1star_1_1beans_1_1XMultiPropertySet.html#a4e11262db21d56416357984c83cf9b4c