[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - sc/source

[Michael Stahl]

 sc/source/ui/unoobj/cellsuno.cxx |    6 ++++++
 1 file changed, 6 insertions(+)

New commits:
commit bc00a5e9b2bba09fd3c7659be4de707b01a56a74
Author: Michael Stahl <mstahl at redhat.com>
Date:   Fri Jan 9 22:48:06 2015 +0100

    sc: fix use-after-free race in ScCellRangesBase
    
    Probably 03cca068ed901d1862c440a6f414d17609785974 was not sufficient,
    because the ~ScCellRangesBase may access a deleted ScDocument after the
    early return.
    
    READ of size 8 at 0x61b000191cb0 thread T7 (cppu_threadpool)
        #0 0x2b3c8fd7c8b3 in ScDocument::RemoveUnoObject(SfxListener&) sc/source/core/data/documen3.cxx:863:9
        #1 0x2b3c94517824 in ScCellRangesBase::~ScCellRangesBase() sc/source/ui/unoobj/cellsuno.cxx:1467:9
        #2 0x2b3c9459cf98 in ScCellRangeObj::~ScCellRangeObj() sc/source/ui/unoobj/cellsuno.cxx:4786:1
        #3 0x2b3c945eca28 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1
        #4 0x2b3c945ecef1 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6087:1
        #5 0x2b3c945ed093 in non-virtual thunk to ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1
        #6 0x2b3c56cb35ec in cppu::OWeakObject::release() cppuhelper/source/weak.cxx:205:9
        #7 0x2b3c94523d63 in ScCellRangesBase::release() sc/source/ui/unoobj/cellsuno.cxx:1772:5
        #8 0x2b3c945a77ec in ScCellRangeObj::release() sc/source/ui/unoobj/cellsuno.cxx:4835:5
        #9 0x2b3c945f842c in ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6128:5
        #10 0x2b3c945fb953 in non-virtual thunk to ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6129:1
        #11 0x2b3c7f305faa in bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*) bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:42:5
    
    freed by thread T14 (cppu_threadpool) here:
        #0 0x43436b in operator delete(void*) (/data/lo/build_clang/instdir/program/soffice.bin+0x43436b)
        #1 0x2b3c9382462e in ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2722:1
        #2 0x2b3c93824d46 in virtual thunk to ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2755:1
        #3 0x2b3c58e2058a in SvRefBase::ReleaseRef() include/tools/ref.hxx:194:29
        #4 0x2b3c58e12726 in tools::SvRef<SfxObjectShell>::~SvRef() include/tools/ref.hxx:52:24
        #5 0x2b3c5a8a8f99 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:247:5
        #6 0x2b3c5a8a9141 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:246:5
        #7 0x2b3c5a7b1905 in SfxBaseModel::dispose() sfx2/source/doc/sfxbasemodel.cxx:795:5
        #8 0x2b3c5a7c8146 in SfxBaseModel::close(unsigned char) sfx2/source/doc/sfxbasemodel.cxx:1418:5
    
    Change-Id: Ia041dc6596d1b0b6b979a20fa93e1490c657e15b
    (cherry picked from commit c6dc3b9f9adb292ae42ba246082bc9dcb1445c6c)
    Reviewed-on: https://gerrit.libreoffice.org/13871
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sc/source/ui/unoobj/cellsuno.cxx b/sc/source/ui/unoobj/cellsuno.cxx
index a2b58a8..39b264f 100644
--- a/sc/source/ui/unoobj/cellsuno.cxx
+++ b/sc/source/ui/unoobj/cellsuno.cxx
@@ -1550,6 +1550,12 @@ void ScCellRangesBase::Notify( SfxBroadcaster&, const SfxHint& rHint )
     uno::Reference<uno::XInterface> const xThis(m_wThis);
     if (!xThis.is())
     {   // fdo#72695: if UNO object is already dead, don't revive it with event
+        if (dynamic_cast<const SfxSimpleHint*>(&rHint) &&
+            SFX_HINT_DYING == static_cast<const SfxSimpleHint&>(rHint).GetId())
+        {   // if the document dies, must reset to avoid crash in dtor!
+            ForgetCurrentAttrs();
+            pDocShell = nullptr;
+        }
         return;
     }
     if ( dynamic_cast<const ScUpdateRefHint*>(&rHint) )