[Libreoffice-commits] core.git: sw/source

Miklos Vajna (via logerrit) logerrit at kemper.freedesktop.org
Tue Mar 31 14:46:47 UTC 2020


 sw/source/core/layout/layact.cxx |   11 +++++++++++
 1 file changed, 11 insertions(+)

New commits:
commit 10036bd52e094b5c9b02ff5142829f0825a20571
Author:     Miklos Vajna <vmiklos at collabora.com>
AuthorDate: Tue Mar 31 15:10:52 2020 +0200
Commit:     Miklos Vajna <vmiklos at collabora.com>
CommitDate: Tue Mar 31 16:46:10 2020 +0200

    sw: fix use-after-free when moving multiple tables to a previous page
    
    Regression from commit e4da634b983052f300cd0e9b2bbaa60eb02c1b28 (sw: fix
    moving more than 20 table frames to a previous page, 2020-03-30), asan
    found a heap-use-after-free during CppunitTest_sw_ooxmlexport5
    CPPUNIT_TEST_NAME=testOldComplexMergeTableInTable; the follow frame is
    deleted like this:
    
     #1 in SwTabFrame::~SwTabFrame() at sw/source/core/layout/tabfrm.cxx:145:1 (instdir/program/libswlo.so +0xec98ba5)
     #2 in SwFrame::DestroyFrame(SwFrame*) at sw/source/core/layout/ssfrm.cxx:389:9 (instdir/program/libswlo.so +0xec8495f)
     #3 in SwTabFrame::Join() at sw/source/core/layout/tabfrm.cxx:1390:9 (instdir/program/libswlo.so +0xecb6088)
     #4 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:1865:9 (instdir/program/libswlo.so +0xecbc1f6)
     #5 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:370:5 (instdir/program/libswlo.so +0xe519919)
     #6 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1789:37 (instdir/program/libswlo.so +0xed8424e)
     #7 in SwLayAction::FormatLayoutTab(SwTabFrame*, bool) at sw/source/core/layout/layact.cxx:1485:15 (instdir/program/libswlo.so +0xe897ea9)
    
    Fix the problem by not moving multiple tables to a previous page in one
    iteration when the table is a follow one.
    
    Change-Id: I443240b6153b74d6def97140c516d7cf7a2d35e4
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91425
    Reviewed-by: Miklos Vajna <vmiklos at collabora.com>
    Tested-by: Jenkins

diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx
index c4c5dc92c225..bf73d951705a 100644
--- a/sw/source/core/layout/layact.cxx
+++ b/sw/source/core/layout/layact.cxx
@@ -1370,6 +1370,17 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa
                 // page, in which case it looses its next.
                 pNext = pLow->GetNext();
 
+                if (pNext && pNext->IsTabFrame())
+                {
+                    auto pTab = static_cast<SwTabFrame*>(pNext);
+                    if (pTab->IsFollow())
+                    {
+                        // The next frame is a follow of the previous frame, SwTabFrame::Join() will
+                        // delete this one as part of formatting, so forget about it.
+                        pNext = nullptr;
+                    }
+                }
+
                 bTabChanged |= FormatLayoutTab( static_cast<SwTabFrame*>(pLow), bAddRect );
                 --m_nTabLevel;
             }
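Review bot: The guard `if (pTab->IsFollow())` is broader than the comment directly above it claims: it discards pNext whenever the next frame is any follow table frame, while the comment (and the use-after-free in the message, where SwTabFrame::Join() deletes the follow of the table currently being formatted) only concerns the case where pNext is the follow of pLow itself. Either tighten the condition to compare pTab against pLow's own follow, or reword the comment to "the next frame is a follow table frame" so a reader does not infer a master/follow relationship the code never checks. It would also help to state in the comment what the loop does once pNext is nullptr, since after `FormatLayoutTab( static_cast<SwTabFrame*>(pLow), bAddRect )` it can no longer resume from the deleted frame and must re-derive its position; the hunk does not show how that case is handled.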

