[Libreoffice-commits] core.git: Branch 'libreoffice-5-2' - cppuhelper/source

Michael Stahl mstahl at redhat.com
Mon Jun 20 08:56:30 UTC 2016


 cppuhelper/source/weak.cxx |    3 +++
 1 file changed, 3 insertions(+)

New commits:
commit 1b992e4b470af3e2492b520df93d362fe14b4b69
Author: Michael Stahl <mstahl at redhat.com>
Date:   Fri Jun 17 21:58:09 2016 +0200

    cppuhelper: fix use-after-free race in OWeakConnectionPoint
    
    OWeakObject::m_pWeakConnectionPoint is returned from
    OWeakObject::queryAdapter(), and stored in
    OWeakRefListener::m_xWeakConnectionPoint.
    
    This is cleared in OWeakRefListener::dispose(), called from
    OWeakConnectionPoint::dispose(), called from
    OWeakObject::disposeWeakConnectionPoint(), but it can happen that
    another thread is in WeakReferenceHelper::get() and has copied
    m_xWeakConnectionPoint onto the stack before the OWeakObject is
    released and deleted, then calls OWeakConnectionPoint::queryAdapted()
    after it is released, accessing the dead m_pObject.
    
    Change-Id: I7782e6fb7e07f5a48cf7064115217376714ba8e8
    (cherry picked from commit 131e604073f89e6c1dd54be88b94b7befd881f2e)
    Reviewed-on: https://gerrit.libreoffice.org/26442
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
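
As an added illustration of the ownership pattern the commit message describes (this is not LibreOffice code; the class and member names here are hypothetical stand-ins for OWeakObject, OWeakConnectionPoint and WeakReferenceHelper), the model below has a connection point that is shared between its owner and every weak reference, so it can outlive the owner. The owner's destructor clears the raw back-pointer under the same mutex that the weak-side lookup takes, which is the fix the diff applies: a caller that copied the connection point onto its stack before the owner died now gets nullptr instead of a dangling object.

```cpp
#include <memory>
#include <mutex>

// Assumed, simplified model of the weak-reference scheme in the commit
// message. Names are hypothetical, not LibreOffice's own classes.
struct Payload {
    int value;
    explicit Payload(int v) : value(v) {}
};

// Shared between the owner and every weak reference; it outlives the owner.
class ConnectionPoint {
    std::mutex m_mutex;
    Payload* m_pObject;  // raw back-pointer: the owner may be deleted first
public:
    explicit ConnectionPoint(Payload* p) : m_pObject(p) {}

    // The owner calls this while dying: clear the back-pointer under the
    // mutex so a concurrent queryAdapted() observes nullptr, not a dead object.
    void dispose() {
        std::lock_guard<std::mutex> guard(m_mutex);
        m_pObject = nullptr;
    }

    // Weak holders call this; it must take the same mutex as dispose(),
    // otherwise the nullptr store is not guaranteed to be observed.
    Payload* queryAdapted() {
        std::lock_guard<std::mutex> guard(m_mutex);
        return m_pObject;
    }
};

class Owner {
    Payload m_payload;
    std::shared_ptr<ConnectionPoint> m_pConnectionPoint;
public:
    explicit Owner(int v) : m_payload(v) {}
    std::shared_ptr<ConnectionPoint> queryAdapter() {
        if (!m_pConnectionPoint)
            m_pConnectionPoint = std::make_shared<ConnectionPoint>(&m_payload);
        return m_pConnectionPoint;
    }
    ~Owner() {
        if (m_pConnectionPoint)
            m_pConnectionPoint->dispose();
    }
};

class WeakRef {
    std::shared_ptr<ConnectionPoint> m_xConnectionPoint;
public:
    explicit WeakRef(Owner& owner) : m_xConnectionPoint(owner.queryAdapter()) {}
    // Mirrors the sequence in the commit message: copy the connection point
    // onto the stack, then ask it for the object. Between those two steps the
    // owner may be deleted on another thread; the shared_ptr keeps the
    // ConnectionPoint alive and dispose() has already cleared m_pObject.
    Payload* get() {
        std::shared_ptr<ConnectionPoint> x = m_xConnectionPoint;
        return x ? x->queryAdapted() : nullptr;
    }
};

// Payload value seen through a weak reference while the owner is alive.
int valueWhileOwnerAlive() {
    Owner owner(42);
    WeakRef weak(owner);
    Payload* p = weak.get();
    return p ? p->value : -1;
}

// True if the weak reference yields nullptr once the owner is deleted,
// i.e. the dead object is never handed out.
bool weakRefIsNullAfterOwnerDeleted() {
    auto* owner = new Owner(7);
    WeakRef weak(*owner);
    bool aliveBefore = weak.get() != nullptr;
    delete owner;  // runs ~Owner, which calls dispose() under the mutex
    return aliveBefore && weak.get() == nullptr;
}
```

The single-threaded functions cannot reproduce the race itself, but they show the invariant the fix establishes: after the owner is gone, every path through the shared connection point returns null rather than touching freed memory, and that only holds because dispose() and queryAdapted() serialise on the same mutex.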

diff --git a/cppuhelper/source/weak.cxx b/cppuhelper/source/weak.cxx
index ed1f772..85cf3f6 100644
--- a/cppuhelper/source/weak.cxx
+++ b/cppuhelper/source/weak.cxx
@@ -111,6 +111,9 @@ void SAL_CALL OWeakConnectionPoint::dispose() throw(css::uno::RuntimeException)
     std::vector<Reference<XReference>> aCopy;
     { // only hold the mutex while we access the field
         MutexGuard aGuard(getWeakMutex());
+        // OWeakObject is not the only owner of this, so clear m_pObject
+        // so that queryAdapted() won't use it now that it's dead
+        m_pObject = nullptr;
         // other code is going to call removeReference while we are doing this, so we need a
         // copy, but since we are disposing and going away, we can just take the original data
         aCopy.swap(m_aReferences);
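Review bot: clearing m_pObject under getWeakMutex() only closes the race if OWeakConnectionPoint::queryAdapted() reads m_pObject under that same mutex and returns an empty reference when it is null; the queryAdapted() side is not part of this hunk, so please confirm that check already exists (or add it in the same change), otherwise the nullptr store can still race with an unguarded read of the field.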

