[Libreoffice-commits] core.git: Branch 'libreoffice-6-2' - 2 commits - sw/source
Michael Stahl (via logerrit)
logerrit at kemper.freedesktop.org
Fri Jun 28 11:34:55 UTC 2019
sw/source/core/layout/calcmove.cxx | 16 ++++++++++++++--
sw/source/core/layout/paintfrm.cxx | 1 +
2 files changed, 15 insertions(+), 2 deletions(-)
New commits:
commit 4c993cd7c762b1fca9a674cd2bab7c0e95c78e74
Author: Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Jun 26 19:09:51 2019 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Fri Jun 28 13:34:30 2019 +0200
tdf#125751 sw: fix crash on formatting in SwLayoutFrame::PaintSwFrame()
It's less than ideal that the document is painted before being fully
formatted, but let's try to apply a band-aid...
0x6120001a97d0 is located 144 bytes inside of 280-byte region [0x6120001a9740,0x6120001a9858)
freed by thread T0 here:
#1 SwFootnoteFrame::~SwFootnoteFrame() /home/ms/lo/master/sw/source/core/inc/ftnfrm.hxx:64:7
#2 SwFrame::DestroyFrame(SwFrame*) sw/source/core/layout/ssfrm.cxx:389:9
#3 SwContentFrame::Cut() sw/source/core/layout/wsfrm.cxx:1263:25
#4 SwFlowFrame::MoveBwd(bool&) sw/source/core/layout/flowfrm.cxx:2544:17
#5 SwContentFrame::MakeAll(OutputDevice*) sw/source/core/layout/calcmove.cxx:1522:17
#6 SwFrame::PrepareMake(OutputDevice*) sw/source/core/layout/calcmove.cxx:366:5
#7 SwFrame::Calc(OutputDevice*) const sw/source/core/layout/trvlfrm.cxx:1791:37
#8 SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const sw/source/core/layout/paintfrm.cxx:3328:17
#9 SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const sw/source/core/layout/paintfrm.cxx:3406:21
#10 SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const sw/source/core/layout/paintfrm.cxx:3406:21
#11 SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const sw/source/core/layout/paintfrm.cxx:3116:24
#12 SwViewShell::Paint(OutputDevice&, tools::Rectangle const&) sw/source/core/view/viewsh.cxx:1840:34
(reportedly a regression from 18765b9fa739337d2d891513f6e2fb7c3ce23b50)
Change-Id: Iff5e783985c180b704b273fa26b7c498820640ac
Reviewed-on: https://gerrit.libreoffice.org/74749
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
(cherry picked from commit 49f971e9d0a88c9f23262445a17c9b5cecdb9167)
Reviewed-on: https://gerrit.libreoffice.org/74786
Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
diff --git a/sw/source/core/layout/paintfrm.cxx b/sw/source/core/layout/paintfrm.cxx
index de8d04311d64..d580e85f2354 100644
--- a/sw/source/core/layout/paintfrm.cxx
+++ b/sw/source/core/layout/paintfrm.cxx
@@ -3311,6 +3311,7 @@ void SwLayoutFrame::PaintSwFrame(vcl::RenderContext& rRenderContext, SwRect cons
if ( !pFrame )
return;
+ SwFrameDeleteGuard g(const_cast<SwLayoutFrame*>(this)); // lock because Calc() and recursion
SwShortCut aShortCut( *pFrame, rRect );
bool bCnt = pFrame->IsContentFrame();
if ( bCnt )
commit 8d0777d455e4a861d5b203d1e36d743d1432c1bd
Author: Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Jun 26 19:02:18 2019 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Fri Jun 28 13:34:18 2019 +0200
tdf#125751 sw: tweak assert in SwFrame::PrepareMake() a bit more
This fixes 2 cases of the assert that was added in commit
e14056e6e88d9b8d988b7b88b2776a8fc952031b
* tdf#125751 bugdoc would assert because on a page there were a bunch of
empty section frames preceding 2 SwTextFrames; the first SwTextFrame
moved backwards skipping over the empty section frames, hence the
second SwTextFrame is not the mpNext of the first one's follow
* writerfilter_null_ptr_deref.sample had a SwTextNode with >80k
characters; turns out there is a check in SwTextFrame::CalcFollow()
to format only up to 10 follow frames, so the result is 2 follow
frames on the same page
Change-Id: Ia08afd5a0e227d0613421d74b469c409ee91cfca
Reviewed-on: https://gerrit.libreoffice.org/74748
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
(cherry picked from commit f8e4845fec50affc20272600a4baf87554b055fb)
Reviewed-on: https://gerrit.libreoffice.org/74785
Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
diff --git a/sw/source/core/layout/calcmove.cxx b/sw/source/core/layout/calcmove.cxx
index 6e6c3e500543..1856e6b69d40 100644
--- a/sw/source/core/layout/calcmove.cxx
+++ b/sw/source/core/layout/calcmove.cxx
@@ -325,7 +325,13 @@ void SwFrame::PrepareMake(vcl::RenderContext* pRenderContext)
&& SwFlowFrame::CastFlowFrame(GetUpper()->Lower())
&& SwFlowFrame::CastFlowFrame(pFrame)->IsAnFollow(
SwFlowFrame::CastFlowFrame(GetUpper()->Lower()))
- && GetUpper()->Lower()->GetNext() == this));
+ && (GetUpper()->Lower()->GetNext() == this
+ // if it's more than 10 pages long...
+ || (SwFlowFrame::CastFlowFrame(GetUpper()->Lower())->GetFollow()
+ == SwFlowFrame::CastFlowFrame(GetUpper()->Lower()->GetNext())
+ && GetUpper()->Lower()->GetNext()->GetNext() == this)
+ // pre-existing empty section frames may end up between them...
+ || GetUpper()->Lower()->GetNext()->IsSctFrame())));
break; // tdf#119109 frame was moved backward, prevent
// FindNext() returning a frame inside this if
} // this is a table!
@@ -454,7 +460,13 @@ void SwFrame::PrepareCursor()
&& SwFlowFrame::CastFlowFrame(GetUpper()->Lower())
&& SwFlowFrame::CastFlowFrame(pFrame)->IsAnFollow(
SwFlowFrame::CastFlowFrame(GetUpper()->Lower()))
- && GetUpper()->Lower()->GetNext() == this));
+ && (GetUpper()->Lower()->GetNext() == this
+ // if it's more than 10 pages long...
+ || (SwFlowFrame::CastFlowFrame(GetUpper()->Lower())->GetFollow()
+ == SwFlowFrame::CastFlowFrame(GetUpper()->Lower()->GetNext())
+ && GetUpper()->Lower()->GetNext()->GetNext() == this)
+ // pre-existing empty section frames may end up between them...
+ || GetUpper()->Lower()->GetNext()->IsSctFrame())));
break; // tdf#119109 frame was moved backward, prevent
// FindNext() returning a frame inside this if
} // this is a table!
More information about the Libreoffice-commits
mailing list