Bug 152380 - XMultiPropertySet::setPropertyValues implementations may try to read beyond the passed arguments
Summary: XMultiPropertySet::setPropertyValues implementations may try to read beyond t...
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: sdk (show other bugs)
Version:
(earliest affected)
unspecified
Hardware: All All
: medium normal
Assignee: Mike Kaganski
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-05 12:31 UTC by Mike Kaganski
Modified: 2022-12-25 17:01 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Kaganski 2022-12-05 12:31:56 UTC 
Consider this macro:

Sub Main
  oTextElementEnum = thisComponent.getText().createEnumeration()
  while oTextElementEnum.hasMoreElements()
    oTextElement = oTextElementEnum.nextElement
    if oTextElement.supportsService("com.sun.star.text.Paragraph") then
      oTextElement.setPropertyValues(array("ParaAdjust"), array())
    end if
  wend
End Sub

setPropertyValues [1] is called with two arrays of different length, values length being less than names. This crashes the process.

In some implementations of setPropertyValues, we use the minimum of lengths of names and values; in others, we throw an IllegalArgumentException. But obviously, sometimes we don't check the length at all, and try to read values, assuming that they have at least as many elements as names. Since this is user-supplied data, we can't assume that, and crashing is incorrect in this case.

[1] https://api.libreoffice.org/docs/idl/ref/interfacecom_1_1sun_1_1star_1_1beans_1_1XMultiPropertySet.html#a4e11262db21d56416357984c83cf9b4c
Comment 1 Mike Kaganski 2022-12-06 06:43:28 UTC 
Fixed by commit b15eb164a8e44c02c196cef9f3de5e5478eb78de.