[Libreoffice-commits] core.git: Branch 'libreoffice-5-1' - cppuhelper/source
Michael Stahl
mstahl at redhat.com
Mon Jun 20 12:43:48 UTC 2016
cppuhelper/source/weak.cxx | 6 ++++++
1 file changed, 6 insertions(+)
New commits:
commit 72cd79fa1ff3e385eec5a2aed380aa9a776d1a07
Author: Michael Stahl <mstahl at redhat.com>
Date: Fri Jun 17 21:58:09 2016 +0200
cppuhelper: fix use-after-free race in OWeakConnectionPoint

OWeakObject::m_pWeakConnectionPoint is returned from
OWeakObject::queryAdapter(), and stored in
OWeakRefListener::m_xWeakConnectionPoint.

This is cleared in OWeakRefListener::dispose(), called from
OWeakConnectionPoint::dispose(), called from
OWeakObject::disposeWeakConnectionPoint(), but it can happen that
another thread is in WeakReferenceHelper::get() and has copied
m_xWeakConnectionPoint onto the stack before the OWeakObject is
released and deleted, then calls OWeakConnectionPoint::queryAdapted()
after it is released, accessing the dead m_pObject.

(cherry picked from commit 131e604073f89e6c1dd54be88b94b7befd881f2e)

Change-Id: I7782e6fb7e07f5a48cf7064115217376714ba8e8
Reviewed-on: https://gerrit.libreoffice.org/26441
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
diff --git a/cppuhelper/source/weak.cxx b/cppuhelper/source/weak.cxx
index 72b8896..82e279e 100644
--- a/cppuhelper/source/weak.cxx
+++ b/cppuhelper/source/weak.cxx
@@ -105,6 +105,12 @@ void SAL_CALL OWeakConnectionPoint::release() throw()
void SAL_CALL OWeakConnectionPoint::dispose() throw(css::uno::RuntimeException)
{
+ {
+ MutexGuard aGuard(getWeakMutex());
+ // OWeakObject is not the only owner of this, so clear m_pObject
+ // so that queryAdapted() won't use it now that it's dead
+ m_pObject = nullptr;
+ }
Any ex;
OInterfaceIteratorHelper aIt( m_aReferences );
while( aIt.hasMoreElements() )
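
Review bot: the new comment in dispose() promises that queryAdapted() "won't use it now that it's dead", but that only holds if queryAdapted() reads m_pObject while holding the same getWeakMutex() and handles nullptr, and neither is visible in this hunk. Please confirm that is the case (or say so in the comment), because a thread that loaded m_pObject before `m_pObject = nullptr;` and dereferences it after the guard is released would still touch the freed OWeakObject. The inner block also releases the guard before the m_aReferences iteration; a short comment stating that this is intentional, presumably so the listeners' dispose() calls do not run under the weak mutex, would keep a later cleanup from widening the lock scope.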