[Libreoffice-commits] core.git: sc/source
Caolán McNamara
caolanm at redhat.com
Tue Aug 9 20:05:40 UTC 2016
sc/source/core/data/postit.cxx | 2 +-
sc/source/core/tool/detfunc.cxx | 16 +++++++++++++---
2 files changed, 14 insertions(+), 4 deletions(-)
New commits:
commit d79a4f46926e81a6d0fe353feb3322673c1b509d
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Aug 9 21:00:59 2016 +0100
Resolves: tdf#101309 crash on deleted SdrObject
when we're not recording undo, then SdrUndoDelObj just deletes
the argument its passed. And this code assumes that it is transferred
to the SdrUndoDelObj and it still exists.
Use the same pattern as ScPostIt::RemoveCaption for this situation
Invalid read of size 8
at 0xB1713B6: SdrObject::GetOrdNum() const (svdobj.cxx:777)
by 0x3C9E029C: ScDetectiveFunc::DeleteArrowsAt(short, int, bool) (detfunc.cxx:695)
by 0x3C9E1D4C: ScDetectiveFunc::FindSuccLevel(short, int, short, int, unsigned short, unsigned short) (detfunc.cxx:1118)
by 0x3C9E2405: ScDetectiveFunc::DeleteSucc(short, int) (detfunc.cxx:1207)
by 0x3CF812BA: ScDocFunc::DetectiveRefresh(bool) (docfunc.cxx:480)
by 0x3CFC9FAF: ScDocShell::DoHardRecalc(bool) (docsh4.cxx:1250)
Address 0x50992d50 is 112 bytes inside a block of size 464 free'd
at 0x4C2D22A: operator delete(void*) (vg_replace_malloc.c:576)
by 0xB1D04BC: SdrPathObj::~SdrPathObj() (svdopath.cxx:1681)
by 0xB1701F5: SdrObject::Free(SdrObject*&) (svdobj.cxx:394)
by 0xB258666: SdrUndoObjList::~SdrUndoObjList() (svdundo.cxx:720)
by 0xB258A39: SdrUndoRemoveObj::~SdrUndoRemoveObj() (svdundo.cxx:774)
by 0xB25E29B: SdrUndoDelObj::~SdrUndoDelObj() (svdundo.hxx:298)
by 0xB25E2B7: SdrUndoDelObj::~SdrUndoDelObj() (svdundo.hxx:298)
by 0x3C7E5D0E: ScDrawLayer::AddCalcUndo(SdrUndoAction*) (drwlayer.cxx:1120)
by 0x3C9E0238: ScDetectiveFunc::DeleteArrowsAt(short, int, bool) (detfunc.cxx:692)
Change-Id: Idc6d1f8e9ad8b203dac55630f8c100e74d3e017b
diff --git a/sc/source/core/data/postit.cxx b/sc/source/core/data/postit.cxx
index 64f47a5..d872877 100644
--- a/sc/source/core/data/postit.cxx
+++ b/sc/source/core/data/postit.cxx
@@ -745,7 +745,7 @@ void ScPostIt::RemoveCaption()
{
pDrawPage->RecalcObjOrdNums();
// create drawing undo action (before removing the object to have valid draw page in undo action)
- bool bRecording = ( pDrawLayer && pDrawLayer->IsRecording() );
+ const bool bRecording = (pDrawLayer && pDrawLayer->IsRecording());
if( bRecording )
pDrawLayer->AddCalcUndo( new SdrUndoDelObj( *maNoteData.mpCaption ) );
// remove the object from the drawing page, delete if undo is disabled
diff --git a/sc/source/core/tool/detfunc.cxx b/sc/source/core/tool/detfunc.cxx
index 7e58c7b..740174e 100644
--- a/sc/source/core/tool/detfunc.cxx
+++ b/sc/source/core/tool/detfunc.cxx
@@ -688,11 +688,21 @@ void ScDetectiveFunc::DeleteArrowsAt( SCCOL nCol, SCROW nRow, bool bDestPnt )
pObject = aIter.Next();
}
- for (size_t i=1; i<=nDelCount; ++i)
- pModel->AddCalcUndo( new SdrUndoDelObj( *ppObj[nDelCount-i] ) );
+ const bool bRecording = pModel->IsRecording();
+
+ if (bRecording)
+ {
+ for (size_t i=1; i<=nDelCount; ++i)
+ pModel->AddCalcUndo(new SdrUndoDelObj(*ppObj[nDelCount-i]));
+ }
for (size_t i=1; i<=nDelCount; ++i)
- pPage->RemoveObject( ppObj[nDelCount-i]->GetOrdNum() );
+ {
+ // remove the object from the drawing page, delete if undo is disabled
+ SdrObject* pObj = pPage->RemoveObject(ppObj[nDelCount-i]->GetOrdNum());
+ if( !bRecording )
+ SdrObject::Free( pObj );
+ }
ppObj.reset();
More information about the Libreoffice-commits
mailing list