[Libreoffice-commits] core.git: svx/source

Miklos Vajna (via logerrit) logerrit at kemper.freedesktop.org
Fri Jan 3 17:34:54 UTC 2020 

 svx/source/sidebar/possize/PosSizePropertyPanel.cxx |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 4ace93b8295c13907c7ef649b125f049332853e1
Author:     Miklos Vajna <vmiklos at collabora.com>
AuthorDate: Fri Jan 3 14:54:22 2020 +0100
Commit:     Miklos Vajna <vmiklos at collabora.com>
CommitDate: Fri Jan 3 18:34:21 2020 +0100

    svx: fix heap-use-after-free in PosSizePropertyPanel
    
    How to reproduce: start Draw, add a shape, expand the "position and
    size" property panel on the sidebar, quit -> boom
    
    Asan reports:
    
    ==27725==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000aa60c0 at pc 0x0000004a5d34 bp 0x7ffd28584a30 sp 0x7ffd285841e0
    WRITE of size 40 at 0x616000aa60c0 thread T0
        #0 0x4a5d33 in __asan_memcpy lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22
        #1 0x7f18a3b304c7 in weld::Toolbar::connect_clicked(Link<rtl::OString const&, void> const&) /include/vcl/weld.hxx:1990:81
        #2 0x7f18a3b2fece in ToolbarUnoDispatcher::dispose() /sfx2/source/toolbox/weldutils.cxx:129:17
        #3 0x7f18a3b30144 in ToolbarUnoDispatcher::~ToolbarUnoDispatcher() /sfx2/source/toolbox/weldutils.cxx:133:49
        #4 0x7f189b921f95 in std::default_delete<ToolbarUnoDispatcher>::operator()(ToolbarUnoDispatcher*) const lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:78:2
        #5 0x7f189b91adf9 in std::unique_ptr<ToolbarUnoDispatcher, std::default_delete<ToolbarUnoDispatcher> >::reset(ToolbarUnoDispatcher*) lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:376:4
        #6 0x7f189b8ef552 in svx::sidebar::PosSizePropertyPanel::dispose() /svx/source/sidebar/possize/PosSizePropertyPanel.cxx:149:23
    
    ...
    
    freed by thread T0 here:
        #0 0x4eb440 in operator delete(void*) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_new_delete.cc:166
        #1 0x7f18806064f0 in (anonymous namespace)::SalInstanceToolbar::~SalInstanceToolbar() /vcl/source/app/salvtables.cxx:1123:5
        #2 0x7f189ac45321 in std::default_delete<weld::Toolbar>::operator()(weld::Toolbar*) const lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:78:2
        #3 0x7f189b91b0e9 in std::unique_ptr<weld::Toolbar, std::default_delete<weld::Toolbar> >::reset(weld::Toolbar*) lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:376:4
        #4 0x7f189b8ef46d in svx::sidebar::PosSizePropertyPanel::dispose() /svx/source/sidebar/possize/PosSizePropertyPanel.cxx:148:18
    
    I.e. it's important to delete mxArrangeDispatch before mxArrangeTbx,
    since the dispatch has a reference to the toolbox.
    
    Change-Id: Ief294b492bc3778b0d39650a5642d21fa1db66f0
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86177
    Reviewed-by: Miklos Vajna <vmiklos at collabora.com>
    Tested-by: Jenkins

diff --git a/svx/source/sidebar/possize/PosSizePropertyPanel.cxx b/svx/source/sidebar/possize/PosSizePropertyPanel.cxx
index 625769a28f84..681a6db6284c 100644
--- a/svx/source/sidebar/possize/PosSizePropertyPanel.cxx
+++ b/svx/source/sidebar/possize/PosSizePropertyPanel.cxx
@@ -144,8 +144,8 @@ void PosSizePropertyPanel::dispose()
     mxFtFlip.reset();
     mxFlipDispatch.reset();
     mxFlipTbx.reset();
-    mxArrangeTbx.reset();
     mxArrangeDispatch.reset();
+    mxArrangeTbx.reset();
     mxBtnEditChart.reset();
 
     maTransfPosXControl.dispose();

More information about the Libreoffice-commits mailing list