From 6a223b9acf8571e098cc6f74edcd3060d3fcfe27 Mon Sep 17 00:00:00 2001
From: Michael Stahl <mstahl@redhat.com>
Date: Sat, 29 Aug 2015 00:29:35 +0200
Subject: [PATCH] sot: don't leak uninitialized memory into temp file

Both valgrind and drmemory complain about this in
SdExportTest::testSwappedOutImageExport() via
SfxOleThumbnailProperty::ImplSave().

 Syscall param pwrite64(buf) points to uninitialised byte(s)

 UNINITIALIZED READ: reading 0x0455b1b4-0x0455b1c8 20 byte(s) within...

It appears that the stream writes out everything up to the seek position
anyway (otherwise the size check wouldn't work, with sparse files)
so make sure it's all zeroed.

Also fix SvMemoryStream::ReAllocateMemory() to zero it.

Change-Id: Id86dfa65ef6f7d1bba4810f121e01473c5fcf4c7
---
 sot/source/sdstor/stgstrms.cxx | 15 ++++++++++++---
 tools/source/stream/stream.cxx |  8 ++++++--
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/sot/source/sdstor/stgstrms.cxx b/sot/source/sdstor/stgstrms.cxx
index ecd987fffa2b..c913bebc9e0e 100644
--- a/sot/source/sdstor/stgstrms.cxx
+++ b/sot/source/sdstor/stgstrms.cxx
@@ -1188,9 +1188,9 @@ void StgTmpStrm::SetSize(sal_uInt64 n)
             SvFileStream* s = new SvFileStream( aName, STREAM_READWRITE );
             sal_uLong nCur = Tell();
             sal_uLong i = nEndOfData;
+            std::unique_ptr<sal_uInt8[]> p(new sal_uInt8[ 4096 ]);
             if( i )
             {
-                std::unique_ptr<sal_uInt8[]> p(new sal_uInt8[ 4096 ]);
                 Seek( 0L );
                 while( i )
                 {
@@ -1207,8 +1207,17 @@ void StgTmpStrm::SetSize(sal_uInt64 n)
                 // We have to write one byte at the end of the file
                 // if the file is bigger than the memstream to see
                 // if it fits on disk
-                s->Seek( n - 1 );
-                s->Write( &i, 1 );
+                s->Seek(nEndOfData);
+                memset(p.get(), 0x00, 4096);
+                i = n - nEndOfData;
+                while (i)
+                {
+                    sal_uLong const nb = (i > 4096) ? 4096 : i;
+                    if (s->Write(p.get(), nb) == nb)
+                        i -= nb;
+                    else
+                        break; // error
+                }
                 s->Flush();
                 if( s->GetError() != SVSTREAM_OK )
                     i = 1;
diff --git a/tools/source/stream/stream.cxx b/tools/source/stream/stream.cxx
index 88b320edc63e..da91a21a6b82 100644
--- a/tools/source/stream/stream.cxx
+++ b/tools/source/stream/stream.cxx
@@ -1899,9 +1899,13 @@ bool SvMemoryStream::ReAllocateMemory( long nDiff )
             if( nEndOfData >= nNewSize )
                 nEndOfData = nNewSize-1L;
         }
-        else if (nSize != 0)
+        else
         {
-            memcpy( pNewBuf, pBuf, (size_t)nSize );
+            if (nSize != 0)
+            {
+                memcpy( pNewBuf, pBuf, (size_t)nSize );
+            }
+            memset(pNewBuf + nSize, 0x00, nNewSize - nSize);
         }
 
         FreeMemory();