[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - sw/qa sw/source
Miklos Vajna
vmiklos at collabora.co.uk
Tue Jan 16 20:56:04 UTC 2018
sw/qa/extras/uiwriter/data/tdf114536.odt |binary
sw/qa/extras/uiwriter/uiwriter.cxx | 9 +++++++++
sw/source/core/text/itrform2.cxx | 13 +++++++++++++
3 files changed, 22 insertions(+)
New commits:
commit 968348dfe3f151ee41163006e7748777a0379e65
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date: Mon Jan 15 22:29:31 2018 +0100
tdf#114536 sw: fix use-after-free in SwTextFormatter::MergeCharacterBorder()
SwTextFormatter::Underflow() truncated a line portion, which deletes the
rest of the line portions, but left m_pFirstOfBorderMerge unchanged,
leading to a crash when SwTextFormatter::MergeCharacterBorder() tried to
access it.
Fix the problem by updating the non-owning m_pFirstOfBorderMerge
accordingly when truncating the line portion.
(cherry picked from commit ecd855794b22c0f7e6fb2f362b566c4d9c5f624a)
Conflicts:
sw/qa/extras/uiwriter/uiwriter.cxx
Change-Id: I5e445bbe2424d70d60c363fa4e3a00636e282325
Reviewed-on: https://gerrit.libreoffice.org/47989
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sw/qa/extras/uiwriter/data/tdf114536.odt b/sw/qa/extras/uiwriter/data/tdf114536.odt
new file mode 100644
index 000000000000..4ad9c7f1f494
Binary files /dev/null and b/sw/qa/extras/uiwriter/data/tdf114536.odt differ
diff --git a/sw/qa/extras/uiwriter/uiwriter.cxx b/sw/qa/extras/uiwriter/uiwriter.cxx
index 0398e15e6ebe..a81d236d8277 100644
--- a/sw/qa/extras/uiwriter/uiwriter.cxx
+++ b/sw/qa/extras/uiwriter/uiwriter.cxx
@@ -288,6 +288,7 @@ public:
void testTdf99689TableOfTables();
void testTdf113790();
void testTdf114306();
+ void testTdf114536();
CPPUNIT_TEST_SUITE(SwUiWriterTest);
CPPUNIT_TEST(testReplaceForward);
@@ -457,6 +458,7 @@ public:
CPPUNIT_TEST(testTdf99689TableOfTables);
CPPUNIT_TEST(testTdf113790);
CPPUNIT_TEST(testTdf114306);
+ CPPUNIT_TEST(testTdf114536);
CPPUNIT_TEST_SUITE_END();
private:
@@ -5448,6 +5450,13 @@ void SwUiWriterTest::testSectionInTableInTable()
createDoc("tdf112109.fodt");
}
+void SwUiWriterTest::testTdf114536()
+{
+ // This crashed in SwTextFormatter::MergeCharacterBorder() due to a
+ // use after free.
+ createDoc("tdf114536.odt");
+}
+
void SwUiWriterTest::testSectionInTableInTable2()
{
createDoc("split-section-in-nested-table.fodt");
diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx
index d25fcc2ba0b1..730237e3b4d3 100644
--- a/sw/source/core/text/itrform2.cxx
+++ b/sw/source/core/text/itrform2.cxx
@@ -268,6 +268,19 @@ SwLinePortion *SwTextFormatter::Underflow( SwTextFormatInfo &rInf )
pPor = m_pCurr;
}
}
+
+ // Make sure that m_pFirstOfBorderMerge does not point to a portion which
+ // will be deleted by Truncate() below.
+ SwLinePortion* pNext = pPor->GetPortion();
+ while (pNext)
+ {
+ if (pNext == m_pFirstOfBorderMerge)
+ {
+ m_pFirstOfBorderMerge = nullptr;
+ break;
+ }
+ pNext = pNext->GetPortion();
+ }
pPor->Truncate();
SwLinePortion *const pRest( rInf.GetRest() );
if (pRest && pRest->InFieldGrp() &&
More information about the Libreoffice-commits
mailing list