[Libreoffice-commits] core.git: filter/source

[Stephan Bergmann]

 filter/source/msfilter/escherex.cxx |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

New commits:
commit c75705b2306d3fd41e71eb4613773b62bdaa9ca5
Author: Stephan Bergmann <sbergman at redhat.com>
Date:   Wed Mar 21 18:01:50 2018 +0100

    Fix lifetime of referenced-by-reference EnhancedCustomShape2d
    
    ...that is created as argument to
    EnhancedCustomShape::FunctionParser::parseFunction (and referenced from data
    reachable from aExpressNode), but still referenced during following
    aExpressNode->fillNode call.  Reintroduce the aCustoShape2d variable that had
    been removed with 86c4672f4600daf19238ef25377406f445d9453a "OperationSmiley:
    Secured quite some places using CustomShape", causing the regression that in
    UBSan builds e.g. CppunitTest_sc_subsequent_export_test would fail with
    
    > /svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx:261:57: runtime error: member call on address 0x2b1295491180 which does not point to an object of type 'EnhancedCustomShape2d'
    > 0x2b1295491180: note: object is of type 'SfxItemSet'
    >  1a 04 00 01  10 99 42 cb 12 2b 00 00  10 2d 8f 00 40 60 00 00  00 00 00 00 00 00 00 00  00 00 00 00
    >               ^~~~~~~~~~~~~~~~~~~~~~~
    >               vptr for 'SfxItemSet'
    >     #0 0x2b131efeb12d in (anonymous namespace)::EnumValueExpression::fillNode(std::__debug::vector<EnhancedCustomShapeEquation, std::allocator<EnhancedCustomShapeEquation> >&, EnhancedCustomShape::ExpressionNode*, unsigned int) /svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx:261:57
    >     #1 0x2b131f01f061 in (anonymous namespace)::BinaryFunctionExpression::fillNode(std::__debug::vector<EnhancedCustomShapeEquation, std::allocator<EnhancedCustomShapeEquation> >&, EnhancedCustomShape::ExpressionNode*, unsigned int) /svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx:632:40
    >     #2 0x2b12e0915a5c in ConvertEnhancedCustomShapeEquation(SdrObjCustomShape const&, std::__debug::vector<EnhancedCustomShapeEquation, std::allocator<EnhancedCustomShapeEquation> >&, std::__debug::vector<int, std::allocator<int> >&) /filter/source/msfilter/escherex.cxx:2426:62
    [...]
    
    when accessing the already-dead EnhancedCustomShape2d object.
    
    Change-Id: I8f3e598f81e8e01e2505483437025ddd4cee2ec9

diff --git a/filter/source/msfilter/escherex.cxx b/filter/source/msfilter/escherex.cxx
index 57b18c443f15..0eb9efe66e86 100644
--- a/filter/source/msfilter/escherex.cxx
+++ b/filter/source/msfilter/escherex.cxx
@@ -2416,12 +2416,13 @@ void ConvertEnhancedCustomShapeEquation(
         sal_Int32 i;
         for ( i = 0; i < nEquationSourceCount; i++ )
         {
+            EnhancedCustomShape2d aCustoShape2d(
+                const_cast< SdrObjCustomShape& >(rSdrObjCustomShape));
             try
             {
                 std::shared_ptr< EnhancedCustomShape::ExpressionNode > aExpressNode(
                     EnhancedCustomShape::FunctionParser::parseFunction(
-                        sEquationSource[ i ],
-                        const_cast< SdrObjCustomShape& >(rSdrObjCustomShape)));
+                        sEquationSource[ i ], aCustoShape2d));
                 drawing::EnhancedCustomShapeParameter aPara( aExpressNode->fillNode( rEquations, nullptr, 0 ) );
                 if ( aPara.Type != drawing::EnhancedCustomShapeParameterType::EQUATION )
                 {