From 0ef6d568922ea3ff852310e87f813074d3029e88 Mon Sep 17 00:00:00 2001

From: Eike Rathke <erack@redhat.com>

Date: Fri, 17 Feb 2023 12:03:54 +0100

Subject: [PATCH] Stack check safety belt before fishing in muddy waters

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Have it hit hard in debug builds.

Change-Id: I9ea54844a0661fd7a75616a2876983a74b2d5bad

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147205

Reviewed-by: Eike Rathke <erack@redhat.com>

Tested-by: Jenkins

(cherry picked from commit 9d91fbba6f374fa1c10b38eae003da89bd4e6d4b)

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147245

Reviewed-by: Caolán McNamara <caolanm@redhat.com>

(cherry picked from commit 166a07062dd4ffedca6106f439a6fcddaeee5eb5)

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147391

Tested-by: Michael Stahl <michael.stahl@allotropia.de>

Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

(cherry picked from commit f8efb098f2abbf054a15dcf7daaaacfa575685ae)

erAck: backported to 5.3.6.1

---

 sc/source/core/inc/interpre.hxx  | 12 ++++++++++++

 sc/source/core/tool/interpr1.cxx |  4 ++--

 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/sc/source/core/inc/interpre.hxx b/sc/source/core/inc/interpre.hxx

index 636f2ec..934b253 100644

--- a/sc/source/core/inc/interpre.hxx

+++ b/sc/source/core/inc/interpre.hxx

@@ -220,6 +220,7 @@ private:

 inline bool MustHaveParamCount( short nAct, short nMust );

 inline bool MustHaveParamCount( short nAct, short nMust, short nMax );

 inline bool MustHaveParamCountMin( short nAct, short nMin );

+inline bool MustHaveParamCountMinWithStackCheck( short nAct, short nMin );

 void PushParameterExpected();

 void PushIllegalParameter();

 void PushIllegalArgument();

@@ -1032,6 +1033,17 @@ inline bool ScInterpreter::MustHaveParamCountMin( short nAct, short nMin )

     return false;

 }

+inline bool ScInterpreter::MustHaveParamCountMinWithStackCheck( short nAct, short nMin )

+{

+    assert(sp >= nAct);

+    if (sp < nAct)

+    {

+        PushParameterExpected();

+        return false;

+    }

+    return MustHaveParamCountMin( nAct, nMin);

+}

+

 inline bool ScInterpreter::CheckStringPositionArgument( double & fVal )

 {

     if (!rtl::math::isFinite( fVal))

diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx

index 22ae915..002f6ca 100644

--- a/sc/source/core/tool/interpr1.cxx

+++ b/sc/source/core/tool/interpr1.cxx

@@ -6659,7 +6659,7 @@ void ScInterpreter::ScVLookup()

 void ScInterpreter::ScSubTotal()

 {

     sal_uInt8 nParamCount = GetByte();

-    if ( MustHaveParamCountMin( nParamCount, 2 ) )

+    if ( MustHaveParamCountMinWithStackCheck( nParamCount, 2 ) )

     {

         // We must fish the 1st parameter deep from the stack! And push it on top.

         const FormulaToken* p = pStack[ sp - nParamCount ];

@@ -6706,7 +6706,7 @@ void ScInterpreter::ScSubTotal()

 void ScInterpreter::ScAggregate()

 {

     sal_uInt8 nParamCount = GetByte();

-    if ( MustHaveParamCountMin( nParamCount, 3 ) )

+    if ( MustHaveParamCountMinWithStackCheck( nParamCount, 3 ) )

     {

         // fish the 1st parameter from the stack and push it on top.

         const FormulaToken* p = pStack[ sp - nParamCount ];

-- 

2.44.0