[Libreoffice-commits] core.git: sw/inc sw/source
Jochen Nitschke
j.nitschke+logerrit at ok.de
Wed May 24 19:47:24 UTC 2017
sw/inc/fchrfmt.hxx | 6 +++++-
sw/source/core/doc/docnew.cxx | 12 ------------
sw/source/core/para/paratr.cxx | 1 +
sw/source/core/unocore/SwXTextDefaults.cxx | 3 +++
sw/source/core/unocore/unoobj.cxx | 4 +---
sw/source/core/unocore/unostyle.cxx | 5 ++++-
6 files changed, 14 insertions(+), 17 deletions(-)
New commits:
commit 6d51bb3d54ac52e4870bd00a21fce3a3b1c5010b
Author: Jochen Nitschke <j.nitschke+logerrit at ok.de>
Date: Wed May 10 22:56:35 2017 +0200
tdf#106424 fix crash in SfxItemPool::Put
This fix reverts commit 304d3856c138fb54ff536f41be3eff26ab4d6315
Date: Wed Oct 16 07:55:09 2002 +0000
#103124# possible unremoved SwFmt object fixed
and commit fab98924e01f211c1d1fc5823c0867019b590c60
Date: Wed Oct 16 10:18:26 2002 +0000
#103152# possible unremoved SwFmt object fixed
as they are causing crashes:
http://crashreport.libreoffice.org/stats/signature
/SfxItemPool::Put(SfxPoolItem%20const%20&,unsigned%20short)
The comments suggest there was/is a use-after-free when
SwFormatCharFormat is changed with API. This happens in unoobj.cxx
and unostyle.cxx by SwFormatDrop::SetCharFormat().
With following changes:
commit bf2ae97a223df987d6b9bc649afe311b5421f61e
INTEGRATION: CWS os7 (1.64.4.3.34); FILE MERGED
2003/03/25 14:23:43 os 1.64.4.3.34.1: #104245# table mode added
to the SwXTextCursor::SetPropertyValue attribute list; 'Standard'
character format not allowed as drop cap char style
and commit 9625366d0b2fd36a57c6283a4a80c47b80d57707
INTEGRATION: CWS os8 (1.64.4.3.48); FILE MERGED
2003/04/09 09:11:53 os 1.64.4.3.48.3: #104245# Default not
allowed as DropCapCharStyleName, too
in unoobj.cxx, setting the documents' default SwFormatCharFormat is
rejected by throwing an exception. Likely to fix the same issue as
the first 2 commits.
So we do the same in unostyle.cxx now too.
Add an assert in SwFormatCharFormat::SetCharFormat and
SwFormatDrop::SetCharFormat, to uncover other changes to the default
SwFormatCharFormat or SwFormatDrop.
Such a case could happen in SwXTextDefaults::setPropertyValue
where we bail out now.
Change-Id: Iac59dffbd6285dd28d1000a8eacda8ffd3bdc962
Reviewed-on: https://gerrit.libreoffice.org/37499
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Michael Stahl <mstahl at redhat.com>
diff --git a/sw/inc/fchrfmt.hxx b/sw/inc/fchrfmt.hxx
index 2d6c77f20d7d..90314b18d437 100644
--- a/sw/inc/fchrfmt.hxx
+++ b/sw/inc/fchrfmt.hxx
@@ -62,7 +62,11 @@ public:
virtual bool GetInfo( SfxPoolItem& rInfo ) const override;
- void SetCharFormat( SwFormat* pFormat ) { pFormat->Add(this); }
+ void SetCharFormat( SwFormat* pFormat )
+ {
+ assert(!pFormat->IsDefault()); // expose cases that lead to use-after-free
+ pFormat->Add(this);
+ }
SwCharFormat* GetCharFormat() const { return const_cast<SwCharFormat*>(static_cast<const SwCharFormat*>(GetRegisteredIn())); }
};
#endif
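Review bot: The new assert in SwFormatCharFormat::SetCharFormat is the only guard at this level, and assert is normally compiled out when NDEBUG is defined, so a release build would still reach `pFormat->Add(this)` with the default format if a caller misses the check. The protection against the use-after-free described in the commit message therefore rests on every caller rejecting the default format first. I would state that as a precondition above the function, e.g. `// pFormat must not be the document's default char format; callers have to reject it, the assert is debug-only`. The same applies to the assert added to SwFormatDrop::SetCharFormat in paratr.cxx.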
diff --git a/sw/source/core/doc/docnew.cxx b/sw/source/core/doc/docnew.cxx
index cb2a35160691..3d7b813fe964 100644
--- a/sw/source/core/doc/docnew.cxx
+++ b/sw/source/core/doc/docnew.cxx
@@ -41,8 +41,6 @@
#include <svl/zforlist.hxx>
#include <unotools/lingucfg.hxx>
#include <svx/svdpage.hxx>
-#include <paratr.hxx>
-#include <fchrfmt.hxx>
#include <fmtcntnt.hxx>
#include <fmtanchr.hxx>
#include <fmtfsize.hxx>
@@ -384,16 +382,6 @@ SwDoc::~SwDoc()
delete mpGrammarContact;
mpGrammarContact = nullptr;
- //!! needs to be done to destroy a possible SwFormatDrop format that may
- //!! be connected to a char format which may not otherwise be removed
- //!! and thus would leave a unremoved SwFormat object. (TL)
- //!! (this is case is not possible via UI but via API...)
- SwFormatDrop aDrop;
- SetDefault(aDrop);
- //!! same for SwFormatCharFormat
- SwFormatCharFormat aCharFormat(nullptr);
- SetDefault(aCharFormat);
-
getIDocumentTimerAccess().StopIdling(); // stop idle timer
delete mpURLStateChgd;
diff --git a/sw/source/core/para/paratr.cxx b/sw/source/core/para/paratr.cxx
index a47786c373a2..aa76115b6528 100644
--- a/sw/source/core/para/paratr.cxx
+++ b/sw/source/core/para/paratr.cxx
@@ -64,6 +64,7 @@ SwFormatDrop::~SwFormatDrop()
void SwFormatDrop::SetCharFormat( SwCharFormat *pNew )
{
+ assert(!pNew->IsDefault()); // expose cases that lead to use-after-free
// Rewire
if ( GetRegisteredIn() )
GetRegisteredInNonConst()->Remove( this );
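Review bot: The added `assert(!pNew->IsDefault())` dereferences pNew unconditionally at the top of SwFormatDrop::SetCharFormat. The rest of the body lies outside the hunk, so I cannot see whether a null pNew is accepted there. If it is (for example to clear the char format), assert-enabled builds would now crash on that call. In that case the condition should be `assert(!pNew || !pNew->IsDefault());`.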
diff --git a/sw/source/core/unocore/SwXTextDefaults.cxx b/sw/source/core/unocore/SwXTextDefaults.cxx
index fd3c90d5d1d6..17b62c0afd98 100644
--- a/sw/source/core/unocore/SwXTextDefaults.cxx
+++ b/sw/source/core/unocore/SwXTextDefaults.cxx
@@ -92,6 +92,9 @@ void SAL_CALL SwXTextDefaults::setPropertyValue( const OUString& rPropertyName,
if(pStyle)
{
rtl::Reference< SwDocStyleSheet > xStyle( new SwDocStyleSheet( *pStyle ) );
+ if (xStyle->GetCharFormat() == m_pDoc->GetDfltCharFormat())
+ return; // don't SetCharFormat with formats from mpDfltCharFormat
+
if (RES_PARATR_DROP == pMap->nWID)
{
pDrop = static_cast<SwFormatDrop*>(rItem.Clone()); // because rItem is const...
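Review bot: The early `return` added to SwXTextDefaults::setPropertyValue silently drops the request, while the equivalent check in unoobj.cxx and the one this commit adds in unostyle.cxx throw lang::IllegalArgumentException. An API caller gets no signal here that the property was not applied. If the silent rejection is intentional, the comment should say so, e.g. `// silently ignore: the default char format must not be registered via SetCharFormat`. Otherwise `throw lang::IllegalArgumentException();` would keep the three paths consistent. The function starts and ends outside the hunk, so I have not checked what else it throws.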
diff --git a/sw/source/core/unocore/unoobj.cxx b/sw/source/core/unocore/unoobj.cxx
index 50e2289c0057..7983e3c1a9d5 100644
--- a/sw/source/core/unocore/unoobj.cxx
+++ b/sw/source/core/unocore/unoobj.cxx
@@ -414,9 +414,7 @@ lcl_setDropcapCharStyle(SwPaM & rPam, SfxItemSet & rItemSet,
SwDocStyleSheet *const pStyle = static_cast<SwDocStyleSheet*>(
pDoc->GetDocShell()
->GetStyleSheetPool()->Find(sStyle, SfxStyleFamily::Char));
- if (!pStyle ||
- (static_cast<SwDocStyleSheet*>(pStyle)->GetCharFormat() ==
- pDoc->GetDfltCharFormat()))
+ if (!pStyle || pStyle->GetCharFormat() == pDoc->GetDfltCharFormat())
{
throw lang::IllegalArgumentException();
}
diff --git a/sw/source/core/unocore/unostyle.cxx b/sw/source/core/unocore/unostyle.cxx
index 7d83d0b147f4..f9d3a06acbf2 100644
--- a/sw/source/core/unocore/unostyle.cxx
+++ b/sw/source/core/unocore/unostyle.cxx
@@ -1921,8 +1921,11 @@ void SwXStyle::SetPropertyValue<RES_PARATR_DROP>(const SfxItemPropertySimpleEntr
OUString sStyle;
SwStyleNameMapper::FillUIName(sValue, sStyle, SwGetPoolIdFromName::ChrFmt, true);
auto pStyle(static_cast<SwDocStyleSheet*>(m_pDoc->GetDocShell()->GetStyleSheetPool()->Find(sStyle, SfxStyleFamily::Char)));
- if(!pStyle)
+ //default character style must not be set as default format
+ if(!pStyle || pStyle->GetCharFormat() == m_pDoc->GetDfltCharFormat() )
+ {
throw lang::IllegalArgumentException();
+ }
pDrop->SetCharFormat(pStyle->GetCharFormat());
rStyleSet.Put(*pDrop);
}
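Review bot: The new comment `//default character style must not be set as default format` is hard to follow, because the check does not set any default: it rejects the document's default char format as the drop cap character style. I would reword it to `// the default char format must not be used as drop cap char style (see assert in SwFormatDrop::SetCharFormat)`. Both the unknown-style case and the default-style case throw a message-less IllegalArgumentException, so a short message would help API callers tell them apart. The enclosing function starts outside the hunk.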