[Libreoffice-commits] core.git: sw/source

Caolán McNamara caolanm at redhat.com
Thu Jul 2 06:13:01 PDT 2015 

 sw/source/core/layout/fly.cxx     |    7 +++++++
 sw/source/core/layout/pagechg.cxx |   12 +++++++++++-
 sw/source/core/layout/ssfrm.cxx   |    1 +
 3 files changed, 19 insertions(+), 1 deletion(-)

New commits:
commit cd173f7718422b254ed4ec6548c7c913409d0c36
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Jul 2 14:10:17 2015 +0100

    crashtest: don't crash on layout of ooo70429-[1|2]
    
    Invalid read of size 8
       at 0x2DF1B82A: SwFlowFrm::HasFollow() const (flowfrm.hxx:163)
       by 0x2E3F80BF: CalcContent(SwLayoutFrm*, bool, bool) (fly.cxx:1652)
       by 0x2E49A960: SwSectionFrm::_CheckClipping(bool, bool) (sectfrm.cxx:1037)
    
     Address 0x20c1f978 is 248 bytes inside a block of size 288 free'd
       by 0x2E497284: SwSectionFrm::~SwSectionFrm() (sectfrm.cxx:153)
       by 0x2E4B0D1C: SwFrm::DestroyFrm(SwFrm*) (ssfrm.cxx:390)
       by 0x2E4B1485: SwLayoutFrm::DestroyImpl() (ssfrm.cxx:499)
       by 0x2E4B0CD3: SwFrm::DestroyFrm(SwFrm*) (ssfrm.cxx:388)
       by 0x2E4B1485: SwLayoutFrm::DestroyImpl() (ssfrm.cxx:499)
       by 0x2E454CC6: SwPageFrm::DestroyImpl() (pagechg.cxx:270)
       by 0x2E4B0CD3: SwFrm::DestroyFrm(SwFrm*) (ssfrm.cxx:388)
       by 0x2E458237: SwFrm::InsertPage(SwPageFrm*, bool) (pagechg.cxx:1226)
       by 0x2E49CD8B: SwFrm::GetNextSctLeaf(MakePageType) (sectfrm.cxx:1564)
       by 0x2E3EB912: SwFrm::GetLeaf(MakePageType, bool) (flowfrm.cxx:785)
       by 0x2E3EE83E: SwFlowFrm::MoveFwd(bool, bool, bool) (flowfrm.cxx:1840)
       by 0x2E3D7CF0: SwContentFrm::MakeAll(OutputDevice*) (calcmove.cxx:1171)
       by 0x2E3D2E8B: SwFrm::PrepareMake(OutputDevice*) (calcmove.cxx:277)
       by 0x2E4CE31C: SwFrm::Calc(OutputDevice*) const (trvlfrm.cxx:1798)
       by 0x2E56E174: SwTextFrm::CalcFollow(int) (frmform.cxx:282)
       by 0x2E56F718: SwTextFrm::_AdjustFollow(SwTextFormatter&, int, int, unsigned char) (frmform.cxx:590)
       by 0x2E5716D3: SwTextFrm::FormatAdjust(SwTextFormatter&, WidowsAndOrphans&, int, bool) (frmform.cxx:1110)
       by 0x2E570A6E: SwTextFrm::CalcPreps() (frmform.cxx:892)
       by 0x2E574163: SwTextFrm::Format(OutputDevice*, SwBorderAttrs const*) (frmform.cxx:1767)
       by 0x2E3D8E4F: SwContentFrm::MakeAll(OutputDevice*) (calcmove.cxx:1337)
       by 0x2E3D319F: SwFrm::PrepareMake(OutputDevice*) (calcmove.cxx:340)
       by 0x2E4CE31C: SwFrm::Calc(OutputDevice*) const (trvlfrm.cxx:1798)
       by 0x2E3F77B7: CalcContent(SwLayoutFrm*, bool, bool) (fly.cxx:1466)
       by 0x2E49A960: SwSectionFrm::_CheckClipping(bool, bool) (sectfrm.cxx:1037)
    
    Change-Id: I089981eda62bff63782338b5210b78f69b6d5f0b

diff --git a/sw/source/core/layout/fly.cxx b/sw/source/core/layout/fly.cxx
index a52f82f..ecd4251 100644
--- a/sw/source/core/layout/fly.cxx
+++ b/sw/source/core/layout/fly.cxx
@@ -1463,8 +1463,15 @@ void CalcContent( SwLayoutFrm *pLay,
             if ( bNoCalcFollow && pFrm->IsTextFrm() )
                 static_cast<SwTextFrm*>(pFrm)->ForbidFollowFormat();
 
+            const bool bDeleteForbidden(pSect && pSect->IsDeleteForbidden());
+            if (pSect)
+                pSect->ForbidDelete();
+
             pFrm->Calc(pRenderContext);
 
+            if (!bDeleteForbidden)
+                pSect->AllowDelete();
+
             // OD 14.03.2003 #i11760# - reset control flag for follow format.
             if ( pFrm->IsTextFrm() )
             {
diff --git a/sw/source/core/layout/pagechg.cxx b/sw/source/core/layout/pagechg.cxx
index a91cef3..2976db7 100644
--- a/sw/source/core/layout/pagechg.cxx
+++ b/sw/source/core/layout/pagechg.cxx
@@ -1151,6 +1151,16 @@ void SwFrm::CheckPageDescs( SwPageFrm *pStart, bool bNotifyFields, SwPageFrm** p
 #endif
 }
 
+namespace
+{
+    bool isDeleteForbidden(const SwPageFrm *pDel)
+    {
+        const SwLayoutFrm* pBody = pDel->FindBodyCont();
+        const SwFrm* pBodyContent = pBody ? pBody->Lower() : NULL;
+        return pBodyContent && pBodyContent->IsDeleteForbidden();
+    }
+}
+
 SwPageFrm *SwFrm::InsertPage( SwPageFrm *pPrevPage, bool bFootnote )
 {
     SwRootFrm *pRoot = static_cast<SwRootFrm*>(pPrevPage->GetUpper());
@@ -1216,7 +1226,7 @@ SwPageFrm *SwFrm::InsertPage( SwPageFrm *pPrevPage, bool bFootnote )
     pPage->PreparePage( bFootnote );
     // If the sibling has no body text, destroy it as long as it is no footnote page.
     if ( pSibling && !pSibling->IsFootnotePage() &&
-         !pSibling->FindFirstBodyContent() )
+         !pSibling->FindFirstBodyContent() && !isDeleteForbidden(pSibling) )
     {
         SwPageFrm *pDel = pSibling;
         pSibling = static_cast<SwPageFrm*>(pSibling->GetNext());
diff --git a/sw/source/core/layout/ssfrm.cxx b/sw/source/core/layout/ssfrm.cxx
index a29b09e..4d21ba2 100644
--- a/sw/source/core/layout/ssfrm.cxx
+++ b/sw/source/core/layout/ssfrm.cxx
@@ -374,6 +374,7 @@ void SwFrm::DestroyImpl()
 SwFrm::~SwFrm()
 {
     assert(m_isInDestroy); // check that only DestroySwFrm does "delete"
+    assert(!IsDeleteForbidden()); // check that its not deleted while deletes are forbidden
 #if OSL_DEBUG_LEVEL > 0
     // JP 15.10.2001: for detection of access to deleted frames
     mpDrawObjs = reinterpret_cast<SwSortedObjs*>(0x33333333);

More information about the Libreoffice-commits mailing list