128540 – NullPointerException in InputStreamToXInputStreamAdapter.readBytes() and readSomeBytes() when called from the inter-process UNO bridge

Issue 128540 - NullPointerException in InputStreamToXInputStreamAdapter.readBytes() and readSomeBytes() when called from the inter-process UNO bridge

Summary: NullPointerException in InputStreamToXInputStreamAdapter.readBytes() and read...

Status:	RESOLVED FIXED

Alias:	None

Product:	General
Classification:	Code
Component:	code (show other issues)
Version:	3.3.0 or older (OOo)
Hardware:	All All

Importance:	P5 (lowest) Normal (vote)
Target Milestone:	4.1.14
Assignee:	AOO issues mailing list
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-10-22 11:11 UTC by damjan
Modified:	2022-10-30 18:29 UTC (History)
CC List:	1 user (show)

See Also:
Issue Type:	DEFECT
Latest Confirmation in:	---
Developer Difficulty:	---

Attachments
Test loading XML document with client-side InputStreamToXInputStreamAdapter (7.23 KB, text/x-java) 2022-10-22 11:11 UTC, damjan	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description damjan 2022-10-22 11:11:14 UTC

Created attachment 87152 [details]
Test loading XML document with client-side InputStreamToXInputStreamAdapter

In main/javaunohelper/com/sun/star/lib/uno/adapter/InputStreamToXInputStreamAdapter.java there are bugs that result in java.lang.NullPointerException when a stream is passed across the inter-process UNO bridge, and the remote end tries to call the local readBytes() or readSomeBytes().

The UNO documentation for XInputStream::readBytes() documents how the buffer argument, of type sequence, is an "out" parameter, and isn't passed to the implementing end, which is why we get the buffer as a 2 dimensional array "byte[][] b" and b[0] == null. Its role is to box a 1 dimensional byte[] array to be returned the client. Thus, those methods need to allocate the buffer if it is missing or too small.

Additionally, virtually all other readBytes() and readSomeBytes() implementations trim this sequence to the actual number of bytes read. This presumably reduces the inter-process network traffic, but some callers even rely on the sequence to be trimmed, eg. main/sax/source/expatwrap/xml2utf.cxx. Thus our returned array should be trimmed too.

The attached code can be used to reproduce the issue. You'll need to link to these too:
juh.jar   jurt.jar  ridl.jar  unoil.jar
and it reads /var/tmp/1.xml. I've added a delay in the code to allow debugging, and it will print "BAD read..." instead of crashing.

Comment 1 damjan 2022-10-22 11:12:10 UTC

Fixed by commit 6cb06142790376a2c58e6392182eb071420a4221, resolving fixed.

Comment 2 Matthias Seidel 2022-10-23 15:58:15 UTC

Cherry-picked for AOO42X with:
https://github.com/apache/openoffice/commit/70f819d9f3a13005440863f9fe2f410ce812cc02

Comment 3 Matthias Seidel 2022-10-30 16:37:45 UTC

Cherry-picked for AOO42X with:
https://github.com/apache/openoffice/commit/9bca58a700a8f5c976bc561fa71154322aa6149f

Comment 4 Matthias Seidel 2022-10-30 18:29:57 UTC

(In reply to Matthias Seidel from comment #3)
> Cherry-picked for AOO42X with:
> https://github.com/apache/openoffice/commit/
> 9bca58a700a8f5c976bc561fa71154322aa6149f

Of course AOO41X!