[Libreoffice-commits] core.git: fpicker/source
Stephan Bergmann (via logerrit)
logerrit at kemper.freedesktop.org
Tue Aug 27 19:20:37 UTC 2019
fpicker/source/office/iodlg.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 83c004d9b85b920f9de21c429ef4495db45f12e0
Author: Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Tue Aug 27 16:41:39 2019 +0200
Commit: Stephan Bergmann <sbergman at redhat.com>
CommitDate: Tue Aug 27 21:18:44 2019 +0200
Fix ASan heap-use-after-free
...when opening a document via "File - Open..." with "Tools - Options... -
LibreOffice - General - Open/Save Dialogs - Use LibreOffice dialogs" enabled:
> ==7004==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700023a370 at pc 0x7f88c788db4a bp 0x7ffd8c7d0020 sp 0x7ffd8c7d0018
> READ of size 8 at 0x61700023a370 thread T0
> #0 in rtl::Reference<PlacesListBox>::get() const at include/rtl/ref.hxx:171:16
> #1 in VclPtr<PlacesListBox>::operator bool() const at include/vcl/vclptr.hxx:187:28
> #2 in CustomContainer::GetFocus() at fpicker/source/office/iodlg.cxx:433:39
> #3 in vcl::Window::CompatGetFocus() at vcl/source/window/window.cxx:3731:5
> #4 in vcl::Window::ImplGrabFocus(GetFocusFlags) at vcl/source/window/mouse.cxx:380:17
> #5 in vcl::Window::GrabFocus() at vcl/source/window/window.cxx:2991:5
> #6 in vcl::Window::dispose() at vcl/source/window/window.cxx:448:26
> #7 in Control::dispose() at vcl/source/control/ctrl.cxx:62:13
> #8 in SvtFileView::dispose() at svtools/source/contnr/fileview.cxx:879:14
[...]
> 0x61700023a370 is located 496 bytes inside of 648-byte region [0x61700023a180,0x61700023a408)
> freed by thread T0 here:
> #0 in operator delete(void*, unsigned long) at llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3
> #1 in std::default_delete<SvtExpFileDlg_Impl>::operator()(SvtExpFileDlg_Impl*) const at gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/10.0.0/../../../../include/c++/10.0.0/bits/unique_ptr.h:81:2
> #2 in std::__uniq_ptr_impl<SvtExpFileDlg_Impl, std::default_delete<SvtExpFileDlg_Impl> >::reset(SvtExpFileDlg_Impl*) at gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/10.0.0/../../../../include/c++/10.0.0/bits/unique_ptr.h:178:4
> #3 in std::unique_ptr<SvtExpFileDlg_Impl, std::default_delete<SvtExpFileDlg_Impl> >::reset(SvtExpFileDlg_Impl*) at gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/10.0.0/../../../../include/c++/10.0.0/bits/unique_ptr.h:444:7
> #4 in SvtFileDialog::dispose() at fpicker/source/office/iodlg.cxx:523:11
[...]
Change-Id: I022eac69123d87f75bda5067a672496030e1a8ec
Reviewed-on: https://gerrit.libreoffice.org/78199
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
diff --git a/fpicker/source/office/iodlg.cxx b/fpicker/source/office/iodlg.cxx
index f307abadbcdb..b8f587ca2a6a 100644
--- a/fpicker/source/office/iodlg.cxx
+++ b/fpicker/source/office/iodlg.cxx
@@ -520,8 +520,8 @@ void SvtFileDialog::dispose()
batch->commit();
}
- pImpl.reset();
_pFileView.disposeAndClear();
+ pImpl.reset();
_pSplitter.disposeAndClear();
_pContainer.disposeAndClear();
_pPrevBmp.disposeAndClear();
More information about the Libreoffice-commits
mailing list