Bug 108039 - BASIC: Trying to create string too long segfaults
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC
Hardware: All All
Importance: medium normal
Assignee: Mike Kaganski
Whiteboard: target:5.5.0
Reported: 2017-05-23 20:55 UTC by Mike Kaganski
Modified: 2017-06-07 10:01 UTC
Crash report or crash signature: ["memcpy","rtl_uString_newConcat"]


Description Mike Kaganski 2017-05-23 20:55:57 UTC
Execute the following macro:
Sub strOverflow
  Dim s As String, i As Integer
  s = "0"
  For i=1 To 31
    s = s & s
  Next i
End Sub

This segfaults both on 32- and 64-bit LibreOffice when memory allocation is unsuccessful (maximum string size is 2147483638 = 2^31 - 10). LibreOffice crashes.
Comment 1 Mike Kaganski 2017-05-23 21:07:39 UTC
A patch submitted for review: https://gerrit.libreoffice.org/37965
Comment 2 Regina Henschel 2017-05-23 21:10:31 UTC
It crashes with Version:
Build ID: 965494c544dd8f35ae83b7cf38549009da06c367
CPU threads: 4; OS: Windows 6.1; UI render: default; 
TinderBox: Win-x86@62-TDF, Branch:MASTER, Time: 2017-05-10_23:06:27
Locale: de-DE (de_DE); Calc: group
Comment 3 Julien Nabet 2017-05-26 07:36:37 UTC
Let's put this one to ASSIGNED since you assigned yourself.
Comment 4 Commit Notification 2017-06-07 09:49:37 UTC
Mike Kaganski committed a patch related to this issue.
It has been pushed to "master":


tdf#108039: check for nullptr in rtl_uString and OUString

It will be available in 5.5.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:

Affected users are encouraged to test the fix and report feedback.
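
The failure mode from the description (a concatenation whose result cannot be allocated, with memcpy in the crash signature) next to the kind of null check named in the commit title, as an added C example that is not LibreOffice code and not part of this thread. The `ustr` type and both functions are hypothetical stand-ins; only the 2147483638 limit is taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical length-prefixed UTF-16 string (a stand-in, not rtl_uString). */
typedef struct {
    int32_t  length;    /* code units, excluding the terminator */
    uint16_t buffer[];  /* length + 1 code units */
} ustr;

#define USTR_MAX_LEN INT64_C(2147483638) /* limit quoted in the report: 2^31 - 10 */

/* Returns NULL when len is out of range or the allocator fails. */
static ustr *ustr_alloc(int64_t len)
{
    if (len < 0 || len > USTR_MAX_LEN)
        return NULL;
    ustr *s = malloc(sizeof(ustr) + ((size_t)len + 1) * sizeof(uint16_t));
    if (s != NULL) {
        s->length = (int32_t)len;
        s->buffer[len] = 0;
    }
    return s;
}

/* Concatenate a and b. NULL means the string could not be built; the caller
   must report an error rather than use the result. */
static ustr *ustr_concat(const ustr *a, const ustr *b)
{
    if (a == NULL || b == NULL)
        return NULL;
    int64_t total = (int64_t)a->length + b->length;  /* 64-bit sum cannot wrap */
    ustr *r = ustr_alloc(total);
    if (r == NULL)
        return NULL;  /* without this check, memcpy would write through NULL */
    memcpy(r->buffer, a->buffer, (size_t)a->length * sizeof(uint16_t));
    memcpy(r->buffer + a->length, b->buffer, (size_t)b->length * sizeof(uint16_t));
    return r;
}

int main(void)
{
    /* Constructed input: a header claiming 2^30 code units; its buffer is never read. */
    ustr huge = { .length = INT32_C(1) << 30 };
    int rejected = (ustr_concat(&huge, &huge) == NULL);  /* 2^31 > USTR_MAX_LEN */
    puts(rejected ? "rejected: string too long" : "unexpected: concat succeeded");
    return rejected ? 0 : 1;
}
```

The oversize case is decided from the lengths alone, so the example runs without allocating gigabytes.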