[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - sc/source

Caolán McNamara caolanm at redhat.com
Fri Nov 3 09:46:47 UTC 2017 

 sc/source/filter/rtf/rtfparse.cxx |    2 ++
 1 file changed, 2 insertions(+)

New commits:
commit 82173efd8e639f387c87763a069ddad643b447d6
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Nov 2 16:48:10 2017 +0000

    crash on loading tdf77861-3.rtf in calc rtf filter
    
    pActDefault is either pInsDefault or a member of maDefaultList,
    so clear it if its not pInsDefault at this location
    
     ScRTFParser::ProcToken(RtfImportInfo*) (rtfparse.cxx:332)
     ScRTFParser::RTFImportHdl(RtfImportInfo&) (rtfparse.cxx:160)
     ScRTFParser::LinkStubRTFImportHdl(void*, RtfImportInfo&) (rtfparse.cxx:155)
     Link<RtfImportInfo&, void>::Call(RtfImportInfo&) const (link.hxx:84)
     EditEngine::CallRtfImportHandler(RtfImportInfo&) (editeng.cxx:2770)
     EditRTFParser::NextToken(int) (eertfpar.cxx:231)
     SvRTFParser::Continue(int) (parrtf.cxx:643)
     SvxRTFParser::Continue(int) (svxrtf.cxx:128)
     SvRTFParser::CallParser() (parrtf.cxx:574)
     SvxRTFParser::CallParser() (svxrtf.cxx:123)
     EditRTFParser::CallParser() (eertfpar.cxx:112)
     ImpEditEngine::ReadRTF(SvStream&, EditSelection) (impedit4.cxx:161)
    Address is 52 bytes inside a block of size 56 free'd
     std::default_delete<ScRTFCellDefault>::operator()(ScRTFCellDefault*) const (unique_ptr.h:76)
     std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >::~unique_ptr() (unique_ptr.h:239)
     void std::_Destroy<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> > >(std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*) (stl_construct.h:93)
     void std::_Destroy_aux<false>::__destroy<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*>(std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*, std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*) (stl_construct.h:103)
     void std::_Destroy<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*>(std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*, std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*) (stl_construct.h:126)
     void std::_Destroy<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*, std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> > >(std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*, std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*, std::allocator<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> > >&) (stl_construct.h:151)
     std::__cxx1998::vector<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >, std::allocator<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> > > >::_M_erase_at_end(std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >*) (stl_vector.h:1436)
     std::__cxx1998::vector<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >, std::allocator<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> > > >::clear() (stl_vector.h:1210)
     std::__debug::vector<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> >, std::allocator<std::unique_ptr<ScRTFCellDefault, std::default_delete<ScRTFCellDefault> > > >::clear() (vector:690)
     ScRTFParser::ProcToken(RtfImportInfo*) (rtfparse.cxx:274)
     ScRTFParser::RTFImportHdl(RtfImportInfo&) (rtfparse.cxx:160)
    
    Change-Id: I36624a76ddb01f0d26d38f708af6b910384ad7fd
    Reviewed-on: https://gerrit.libreoffice.org/44226
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>

diff --git a/sc/source/filter/rtf/rtfparse.cxx b/sc/source/filter/rtf/rtfparse.cxx
index d5262fd13a16..00c207174ae6 100644
--- a/sc/source/filter/rtf/rtfparse.cxx
+++ b/sc/source/filter/rtf/rtfparse.cxx
@@ -272,6 +272,8 @@ void ScRTFParser::ProcToken( RtfImportInfo* pInfo )
                 nLastWidth = maDefaultList.back()->nTwips;
 
             nColCnt = 0;
+            if (pActDefault != pInsDefault)
+                pActDefault = nullptr;
             maDefaultList.clear();
             pDefMerge = nullptr;
             nRtfLastToken = pInfo->nToken;

More information about the Libreoffice-commits mailing list