diff options
| author | Michael Stahl <mstahl@redhat.com> | 2016-11-24 14:18:05 +0100 |
|---|---|---|
| committer | Michael Stahl <mstahl@redhat.com> | 2016-11-24 22:56:32 +0100 |
| commit | cbdf4e007650cfda4f7808402e8e24ae66d45792 (patch) | |
| tree | f5c202c4afe8b8eab491f3e1b65b46ea97eeb353 | |
| parent | c2c4c6ee16120108590dc64f295ab54e34a05ac0 (diff) | |
tdf#103788 sw: fix use-after-free in navigator dialog
The problem is that if SwContentTree::HasContentChanged() returns true,
it may have deleted the SwTypeNumber instances that are referenced in
SvTreeListEntry::pUserData, but it has not reset pUserData so those
pointers are now used to acceess deleted objects.
Also it looks like the HasContentChanged() detects additional conditions
that would not cause a modified event from the document but should still
cause a repaint, such as when the user moves the cursor between
headings.
Revert the optimization, it was a stupid idea.
(regression from 329742e6c9da7cd7848d92a6846e3d1249d8d9b4)
Change-Id: Idb5207e896b0638324fc41b7c214536be4ba864b
| -rw-r--r-- | sw/source/uibase/inc/conttree.hxx | 1 | ||||
| -rw-r--r-- | sw/source/uibase/utlui/content.cxx | 16 |
2 files changed, 2 insertions, 15 deletions
diff --git a/sw/source/uibase/inc/conttree.hxx b/sw/source/uibase/inc/conttree.hxx index 525d11fe4fd2..4dd2bf4db31a 100644 --- a/sw/source/uibase/inc/conttree.hxx +++ b/sw/source/uibase/inc/conttree.hxx @@ -96,7 +96,6 @@ class SwContentTree bool m_bIsOutlineMoveable :1; bool m_bViewHasChanged :1; bool m_bIsImageListInitialized : 1; - bool m_bActiveDocModified :1; static bool bIsInDrag; diff --git a/sw/source/uibase/utlui/content.cxx b/sw/source/uibase/utlui/content.cxx index cde5b2292393..971e4a4b9677 100644 --- a/sw/source/uibase/utlui/content.cxx +++ b/sw/source/uibase/utlui/content.cxx @@ -800,7 +800,6 @@ SwContentTree::SwContentTree(vcl::Window* pParent, SwNavigationPI* pDialog) , m_bIsOutlineMoveable(true) , m_bViewHasChanged(false) , m_bIsImageListInitialized(false) - , m_bActiveDocModified(false) , m_bIsKeySpace(false) { SetHelpId(HID_NAVIGATOR_TREELIST); @@ -1726,8 +1725,6 @@ void SwContentTree::Display( bool bActive ) sal_Int32 nDelta = pVScroll->GetThumbPos() - nOldScrollPos; ScrollOutputArea( (short)nDelta ); } - - m_bActiveDocModified = false; } void SwContentTree::Clear() @@ -2227,12 +2224,6 @@ void SwContentTree::SetConstantShell(SwWrtShell* pSh) void SwContentTree::Notify(SfxBroadcaster & rBC, SfxHint const& rHint) { - if (SFX_HINT_DOCCHANGED == rHint.GetId()) - { - m_bActiveDocModified = true; - return; - } - SfxViewEventHint const*const pVEHint(dynamic_cast<SfxViewEventHint const*>(&rHint)); SwXTextView* pDyingShell = nullptr; if (m_pActiveShell && pVEHint && pVEHint->GetEventName() == "OnViewClosed") @@ -2447,11 +2438,8 @@ IMPL_LINK_NOARG(SwContentTree, TimerUpdate, Timer *, void) else if( (m_bIsActive || (m_bIsConstant && pActShell == GetWrtShell())) && HasContentChanged()) { - if (!m_bIsActive || m_bActiveDocModified) - { // don't burn cpu and redraw and flicker if not modified - FindActiveTypeAndRemoveUserData(); - Display(true); - } + FindActiveTypeAndRemoveUserData(); + Display(true); } } else if(!pView && m_bIsActive && !m_bIsIdleClear) |