[Libreoffice-commits] core.git: Branch 'distro/collabora/cp-6.2' - sw/source

Michael Stahl (via logerrit) logerrit at kemper.freedesktop.org
Mon Aug 5 07:56:41 UTC 2019


 sw/source/core/layout/fly.cxx   |    2 ++
 sw/source/core/layout/ssfrm.cxx |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

New commits:
commit b7ce5fce07db79af245dcca6c48d78c170487acb
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Thu Jul 18 14:07:06 2019 +0200
Commit:     Andras Timar <andras.timar at collabora.com>
CommitDate: Mon Aug 5 09:56:07 2019 +0200

    sw: fix use after free on tdf117215-1.odt
    
    Move the fix from 6d0ea082889c89eb8b408779f2de08da7441ff54 to
    SwFlyFrame::DestroyImpl() so we unregister every SwFlyFrame.
    
    ==1550==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000383f56 at pc 0x7efcd70d5ab9 bp 0x7ffeb7ac7c40 sp 0x7ffeb7ac7c38
    WRITE of size 1 at 0x615000383f56 thread T0
        0 SwAnchoredObject::SetTmpConsiderWrapInfluence(bool) sw/source/core/layout/anchoredobject.cxx:743:32
        1 SwObjsMarkedAsTmpConsiderWrapInfluence::Clear() sw/source/core/layout/objstmpconsiderwrapinfl.cxx:53:23
        2 SwLayouter::ClearObjsTmpConsiderWrapInfluence(SwDoc const&) sw/source/core/layout/layouter.cxx:387:84
        3 sw::DocumentLayoutManager::ClearSwLayouterEntries() sw/source/core/doc/DocumentLayoutManager.cxx:497:5
        4 sw::DocumentStateManager::SetModified() sw/source/core/doc/DocumentStateManager.cxx:45:39
        5 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3942:36
    
    0x615000383f56 is located 342 bytes inside of 504-byte region [0x615000383e00,0x615000383ff8)
    freed by thread T0 here:
        1 SwFlyAtContentFrame::~SwFlyAtContentFrame() sw/source/core/inc/flyfrms.hxx:159:7
        2 SwFrame::DestroyFrame(SwFrame*) sw/source/core/layout/ssfrm.cxx:389:9
        3 SwFrameFormat::DelFrames() sw/source/core/layout/atrfrm.cxx:2624:17
        4 SwUndoFlyBase::DelFly(SwDoc*) sw/source/core/undo/undobj1.cxx:161:19
        5 SwUndoDelLayFormat::SwUndoDelLayFormat(SwFrameFormat*) sw/source/core/undo/undobj1.cxx:403:5
        6 SwHistoryTextFlyCnt::SwHistoryTextFlyCnt(SwFrameFormat*) sw/source/core/undo/rolbck.cxx:538:20
        7 SwHistory::Add(SwFlyFrameFormat&, unsigned short&) sw/source/core/undo/rolbck.cxx:1083:50
        8 SwUndoSaveContent::DelContentIndex(SwPosition const&, SwPosition const&, DelContentType) sw/source/core/undo/undobj.cxx:1020:39
        9 SwUndoDelete::SwUndoDelete(SwPaM&, bool, bool) sw/source/core/undo/undel.cxx:229:9
        11 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3939:55
    
    Change-Id: Ia0c28c9d5792615cbb566e502374efd0f4056daf
    Reviewed-on: https://gerrit.libreoffice.org/75857
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
    (cherry picked from commit dea72ef111ee8a0b1b178f8cd48757514d5ca831)
    Reviewed-on: https://gerrit.libreoffice.org/75941
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 4b9324b93dcbd72c8c8949309d45790dd8f7d5fd)
    Reviewed-on: https://gerrit.libreoffice.org/76936
    Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice at gmail.com>
    Reviewed-by: Andras Timar <andras.timar at collabora.com>

diff --git a/sw/source/core/layout/fly.cxx b/sw/source/core/layout/fly.cxx
index a96532f5da55..8953d9f07d00 100644
--- a/sw/source/core/layout/fly.cxx
+++ b/sw/source/core/layout/fly.cxx
@@ -277,6 +277,8 @@ void SwFlyFrame::DestroyImpl()
 
     if( GetFormat() && !GetFormat()->GetDoc()->IsInDtor() )
     {
+        ClearTmpConsiderWrapInfluence(); // remove this from SwLayouter
+
         // OD 2004-01-19 #110582#
         Unchain();
 
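Review bot: The added `ClearTmpConsiderWrapInfluence()` call only runs inside the `GetFormat() && !GetFormat()->GetDoc()->IsInDtor()` guard, so a fly frame whose format pointer is already null, or one torn down while the document is in its destructor, would stay registered in the SwLayouter's list with the same dangling raw pointer the ASan trace above shows being written through `SetTmpConsiderWrapInfluence()`. If the unregistration has to go through the format's document to find the SwLayouter that guard is unavoidable, but the comment should say so rather than just naming the list. I'd expand it to `// unregister from the SwLayouter's tmp-consider-wrap-influence list, which holds a raw pointer to this object; needs GetFormat() to reach the document, so it cannot run once the format is gone`. The body of `SwFlyFrame::DestroyImpl()` begins and ends outside this hunk, so whether any later teardown step after `Unchain()` can re-register the object is not visible here.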
diff --git a/sw/source/core/layout/ssfrm.cxx b/sw/source/core/layout/ssfrm.cxx
index e1c8ec770646..ab8ed0a8fb5a 100644
--- a/sw/source/core/layout/ssfrm.cxx
+++ b/sw/source/core/layout/ssfrm.cxx
@@ -493,7 +493,6 @@ void SwLayoutFrame::DestroyImpl()
                 const size_t nCnt = pFrame->GetDrawObjs()->size();
                 // #i28701#
                 SwAnchoredObject* pAnchoredObj = (*pFrame->GetDrawObjs())[0];
-                pAnchoredObj->ClearTmpConsiderWrapInfluence();
                 if (SwFlyFrame* pFlyFrame = dynamic_cast<SwFlyFrame*>(pAnchoredObj))
                 {
                     SwFrame::DestroyFrame(pFlyFrame);
@@ -501,6 +500,7 @@ void SwLayoutFrame::DestroyImpl()
                 }
                 else
                 {
+                    pAnchoredObj->ClearTmpConsiderWrapInfluence();
                     SdrObject* pSdrObj = pAnchoredObj->DrawObj();
                     SwDrawContact* pContact =
                             static_cast<SwDrawContact*>(pSdrObj->GetUserCall());
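Review bot: After this change the unregistration is split by object kind — SwFlyFrame instances now unregister in their own `DestroyImpl()` while drawing objects are unregistered only at this one call site — and nothing in the loop tells a reader that, so the next person is likely to "restore" the old unconditional call before the `dynamic_cast`. The commit message's trace shows fly frames were also freed via `SwFrameFormat::DelFrames()` without passing through this loop; whether anchored drawing objects have an analogous deletion path that bypasses this `else` branch is not visible here and is worth checking, since it would reproduce the same stale pointer for them. I'd add above the moved call: `// SwFlyFrame unregisters itself from the SwLayouter in SwFlyFrame::DestroyImpl(); drawing objects have no such hook, so unregister them here before disconnecting from the layout`. `SwLayoutFrame::DestroyImpl()` and the enclosing `while` loop start and end outside this hunk.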

