From bb4ed96204638254bdb345cc4c79d252f59e4188 Mon Sep 17 00:00:00 2001
From: Miklos Vajna
Date: Mon, 27 Jan 2025 14:14:08 +0100
Subject: [PATCH] wsd: fix assert fail in DocumentBroker::getJailRoot()

This can happen if the websocket incoming traffic has a load command, followed by a removesession command, so asserting a non-empty jail ID seems to be going too far.
Backtrace:
#9 0x555e36ada9b8 in DocumentBroker::getJailRoot[abi:cxx11]() const wsd/DocumentBroker.cpp:3646:5
#10 0x555e36b49ae3 in DocumentBroker::uploadPresetsToWopiHost(Authorization const&) wsd/DocumentBroker.cpp:4094:41
#11 0x555e36b444c9 in DocumentBroker::removeSession(std::shared_ptr const&) wsd/DocumentBroker.cpp:3772:9
#12 0x555e369bb709 in ClientSession::_handleInput(char const*, int) ClientSession.cpp:1088:24
#13 0x555e3703957b in Session::handleMessage(std::vector> const&) common/Session.cpp
Signed-off-by: Miklos Vajna
Change-Id: Ib9cfd4856838dfa6ba304888770898964e922260
---
 .../crash-b48363dfe945c5028da82fdd28acfd4c7ce0906b | Bin 0 -> 26 bytes
 wsd/DocumentBroker.cpp | 6 +++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 fuzzer/data/crash-b48363dfe945c5028da82fdd28acfd4c7ce0906b
diff --git a/fuzzer/data/crash-b48363dfe945c5028da82fdd28acfd4c7ce0906b b/fuzzer/data/crash-b48363dfe945c5028da82fdd28acfd4c7ce0906b
new file mode 100644
index 0000000000000000000000000000000000000000..597afa75048b9622f820857384045a7f1cf935d2
GIT binary patch
literal 26
hcmd1FPfSrLEy}UY=PF9g%`ZzWPAx9Z%+FI`004vC348zm

literal 0
HcmV?d00001

diff --git a/wsd/DocumentBroker.cpp b/wsd/DocumentBroker.cpp
index aa5d26115a0db..54384da8e5221 100644
--- a/wsd/DocumentBroker.cpp
+++ b/wsd/DocumentBroker.cpp
@@ -3627,7 +3627,11 @@ bool DocumentBroker::sendUnoSave(const std::shared_ptr& session,
 std::string DocumentBroker::getJailRoot() const
 {
 #if !MOBILEAPP
- assert(!_jailId.empty());
+ if (_jailId.empty())
+ {
+ LOG_WRN("Trying to get the jail root of a not yet downloaded document.");
+ return std::string();
+ }
 return Poco::Path(COOLWSD::ChildRoot, _jailId).toString();
 #else
 return std::string();
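Review bot: Returning `std::string()` from the new `_jailId.empty()` branch hands callers an empty root that they may concatenate into a filesystem path. The backtrace in the commit message shows `uploadPresetsToWopiHost()` reaching this function from `removeSession()`; that caller is not visible in the hunk, so whether it checks for an empty result cannot be confirmed here. If it appends a subpath to the return value, the result would presumably no longer be confined to a jail directory, so the call site should bail out first, e.g. `const std::string jailRoot = getJailRoot();` followed by `if (jailRoot.empty()) return;`. Since the commit message says this state is reachable purely from the order of incoming websocket commands, a doc comment on the function such as `/// Returns an empty string when no jail is assigned yet; callers must check before building paths.` would make the new contract explicit. The function's closing `#endif` and brace lie outside the hunk.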