[Libreoffice-commits] core.git: sw/source
Michael Stahl (via logerrit)
logerrit at kemper.freedesktop.org
Mon Jan 18 18:18:25 UTC 2021
sw/source/core/crsr/crsrsh.cxx | 4 ++++
1 file changed, 4 insertions(+)
New commits:
commit 43fbe2fbd6a65fa63fa819c6778c3378c2ff6e1f
Author: Michael Stahl <michael.stahl at allotropia.de>
AuthorDate: Mon Jan 18 12:35:12 2021 +0100
Commit: Stephan Bergmann <sbergman at redhat.com>
CommitDate: Mon Jan 18 19:17:39 2021 +0100
sw: fix ASAN use-after-free in testTdf39721
The problem is that the cursor is positioned somehow on an SwEndNode.
Then lcl_CursorOk(pNew) is false and it gets deleted immediately.
Change-Id: I1789280a5116da4e5b7739e311b18c5c54074b1f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109541
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
diff --git a/sw/source/core/crsr/crsrsh.cxx b/sw/source/core/crsr/crsrsh.cxx
index 88513297d535..e02b02b9c187 100644
--- a/sw/source/core/crsr/crsrsh.cxx
+++ b/sw/source/core/crsr/crsrsh.cxx
@@ -125,6 +125,10 @@ SwPaM * SwCursorShell::CreateCursor()
// don't create new Cursor with active table Selection
assert(!IsTableMode());
+ // ensure that m_pCurrentCursor is valid; if it's invalid it would be
+ // copied to pNew and then pNew would be deleted in UpdateCursor() below
+ ClearUpCursors();
+
// New cursor as copy of current one. Add to the ring.
// Links point to previously created one, ie forward.
SwShellCursor* pNew = new SwShellCursor( *m_pCurrentCursor );
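Review bot: the ClearUpCursors() call added ahead of the copy of *m_pCurrentCursor repairs the cursor at the point of use, but the commit message says the cursor ends up on an SwEndNode "somehow", so the path that leaves it there is still unidentified. Consider a debug-only check or warning at this spot that reports when m_pCurrentCursor was invalid on entry to CreateCursor(), so the originating caller can be tracked down. The new comment would also be clearer if it named the validity test from the commit message (lcl_CursorOk), since "valid" is otherwise undefined for a reader of this function. It is worth confirming as well that an unconditional ClearUpCursors() has no effect on callers that enter with a valid cursor.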