[Libreoffice-commits] core.git: include/o3tl svx/source

Caolán McNamara caolanm at redhat.com
Mon Feb 19 14:23:59 UTC 2018 

 include/o3tl/deleter.hxx             |   10 ++++++++++
 svx/source/svdraw/svdobj.cxx         |    3 ++-
 svx/source/svdraw/svdobjplusdata.cxx |    8 ++------
 3 files changed, 14 insertions(+), 7 deletions(-)

New commits:
commit b99af181a40b464218434e8cf4167cb69c4383df
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Feb 19 12:39:46 2018 +0000

    ofz#6432 bad-cast
    
    ofz#6433 head-use-after-free
    ofz#6435 bad-cast
    
    Change-Id: Ic43edbab68d96e852039c3247853074180fd5091
    Reviewed-on: https://gerrit.libreoffice.org/49984
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/include/o3tl/deleter.hxx b/include/o3tl/deleter.hxx
index 5b5e67929a15..af06ffa1267c 100644
--- a/include/o3tl/deleter.hxx
+++ b/include/o3tl/deleter.hxx
@@ -43,6 +43,16 @@ template<typename T> struct default_delete
     }
 };
 
+template<typename uniqueptr> void reset_preserve_ptr_during(uniqueptr& ptr)
+{
+    // HACK: for the case where the dtor of the obj held by ptr will trigger
+    // functions which expect ptr to still be set during the dtor.
+    // e.g. SdrObject::GetBroadcaster() is called during the destructor
+    // in SdrEdgeObj::Notify(). So delete first, then clear the pointer
+    delete ptr.get();
+    (void)ptr.release();
+}
+
 }
 
 #endif
diff --git a/svx/source/svdraw/svdobj.cxx b/svx/source/svdraw/svdobj.cxx
index 7daf499746de..612f01ab4d1f 100644
--- a/svx/source/svdraw/svdobj.cxx
+++ b/svx/source/svdraw/svdobj.cxx
@@ -39,6 +39,7 @@
 #include <editeng/editeng.hxx>
 #include <editeng/eeitem.hxx>
 #include <editeng/outlobj.hxx>
+#include <o3tl/deleter.hxx>
 #include <math.h>
 #include <sfx2/objface.hxx>
 #include <sfx2/objsh.hxx>
@@ -358,7 +359,7 @@ SdrObject::~SdrObject()
     }
 
     SendUserCall(SdrUserCallType::Delete, GetLastBoundRect());
-    pPlusData.reset();
+    o3tl::reset_preserve_ptr_during(pPlusData);
 
     pGrabBagItem.reset();
     mpProperties.reset();
diff --git a/svx/source/svdraw/svdobjplusdata.cxx b/svx/source/svdraw/svdobjplusdata.cxx
index c7a74a5cc4c9..ee7a801cd8e4 100644
--- a/svx/source/svdraw/svdobjplusdata.cxx
+++ b/svx/source/svdraw/svdobjplusdata.cxx
@@ -9,9 +9,8 @@
 
 #include <svdobjplusdata.hxx>
 #include <svdobjuserdatalist.hxx>
-
+#include <o3tl/deleter.hxx>
 #include <svx/svdglue.hxx>
-
 #include <svl/SfxBroadcaster.hxx>
 #include <vcl/outdev.hxx>
 
@@ -24,10 +23,7 @@ SdrObjPlusData::SdrObjPlusData():
 
 SdrObjPlusData::~SdrObjPlusData()
 {
-    // HACK: the SdrObject::GetBroadcaster() is called during the destructor
-    // in SdrEdgeObj::Notify() so delete first, then clear the pointer
-    delete pBroadcast.get();
-    (void) pBroadcast.release();
+    o3tl::reset_preserve_ptr_during(pBroadcast);
     pUserDataList.reset();
     pGluePoints.reset();
 }

More information about the Libreoffice-commits mailing list