diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2021-10-11 11:23:45 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2021-10-11 14:41:45 +0200 |
| commit | dc328fdfa709929377de2be5f86f2e811a5eaa21 (patch) | |
| tree | a3653ab423e3c030d9f8e71df7fa1b66a2286547 | |
| parent | 4f5b3e4bd53d6d61df1f65f496f7bc8dc525c8a1 (diff) | |
valgrind: use after free on applying "default character" character style
seen in writer in fresh document, type some text, right click for
context menu, select "character" submenu, and select "default character"
==3296268== Invalid write of size 8
==3296268== at 0x3E6EDE34: SwpHints::Register(SwRegHistory*) (ndhints.hxx:195)
==3296268== by 0x3E6EDE88: SwpHints::DeRegister() (ndhints.hxx:197)
==3296268== by 0x3E747E06: (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:1930)
==3296268== by 0x3E74449F: sw::DocumentContentOperationsManager::InsertPoolItem(SwPaM const&, SfxPoolItem const&, SetAttrMode, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:3505)
==3296268== by 0x3E9F3F12: SwEditShell::SetAttrItem(SfxPoolItem const&, SetAttrMode, bool) (edatmisc.cxx:145)
==3296268== by 0x3F6F860F: SwDocShell::ApplyStyles(rtl::OUString const&, SfxStyleFamily, SwWrtShell*, unsigned short) (docst.cxx:1154)
==3296268== by 0x3F6F5F94: SwDocShell::ExecStyleSheet(SfxRequest&) (docst.cxx:505)
==3296268== by 0x3F983994: SwBaseShell::Execute(SfxRequest&) (basesh.cxx:1071)
==3296268== by 0x3F981744: SfxStubSwBaseShellExecute(SfxShell*, SfxRequest&) (swslots.hxx:2180)
==3296268== Address 0x4576dd00 is 176 bytes inside a block of size 192 free'd
==3296268== at 0x4843669: operator delete(void*) (vg_replace_malloc.c:802)
==3296268== by 0x3E76A3C3: std::default_delete<SwpHints>::operator()(SwpHints*) const (unique_ptr.h:85)
==3296268== by 0x3E76A31F: std::__uniq_ptr_impl<SwpHints, std::default_delete<SwpHints> >::reset(SwpHints*) (unique_ptr.h:182)
==3296268== by 0x3E76A279: std::unique_ptr<SwpHints, std::default_delete<SwpHints> >::reset(SwpHints*) (unique_ptr.h:456)
==3296268== by 0x3EFE14C5: SwTextNode::TryDeleteSwpHints() (ndtxt.hxx:846)
==3296268== by 0x3F028AB2: SwTextNode::RstTextAttr(SwIndex const&, int, unsigned short, SfxItemSet const*, bool, bool) (txtedt.cxx:631)
==3296268== by 0x3F003D77: SwTextNode::SetAttr(SfxItemSet const&, int, int, SetAttrMode, SwTextAttr**) (thints.cxx:1908)
==3296268== by 0x3E747DE7: (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:1928)
==3296268== by 0x3E74449F: sw::DocumentContentOperationsManager::InsertPoolItem(SwPaM const&, SfxPoolItem const&, SetAttrMode, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:3505)
==3296268== by 0x3E9F3F12: SwEditShell::SetAttrItem(SfxPoolItem const&, SetAttrMode, bool) (edatmisc.cxx:145)
==3296268== by 0x3F6F860F: SwDocShell::ApplyStyles(rtl::OUString const&, SfxStyleFamily, SwWrtShell*, unsigned short) (docst.cxx:1154)
==3296268== by 0x3F6F5F94: SwDocShell::ExecStyleSheet(SfxRequest&) (docst.cxx:505)
==3296268== by 0x3F983994: SwBaseShell::Execute(SfxRequest&) (basesh.cxx:1071)
==3296268== by 0x3F981744: SfxStubSwBaseShellExecute(SfxShell*, SfxRequest&) (swslots.hxx:2180)
==3296268== Block was alloc'd at
==3296268== at 0x4840FF5: operator new(unsigned long) (vg_replace_malloc.c:417)
==3296268== by 0x3E76988F: SwTextNode::GetOrCreateSwpHints() (ndtxt.hxx:837)
==3296268== by 0x3E747D0F: (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:1923)
==3296268== by 0x3E74449F: sw::DocumentContentOperationsManager::InsertPoolItem(SwPaM const&, SfxPoolItem const&, SetAttrMode, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:3505)
==3296268== by 0x3E9F3F12: SwEditShell::SetAttrItem(SfxPoolItem const&, SetAttrMode, bool) (edatmisc.cxx:145)
==3296268== by 0x3F6F860F: SwDocShell::ApplyStyles(rtl::OUString const&, SfxStyleFamily, SwWrtShell*, unsigned short) (docst.cxx:1154)
==3296268== by 0x3F6F5F94: SwDocShell::ExecStyleSheet(SfxRequest&) (docst.cxx:505)
==3296268== by 0x3F983994: SwBaseShell::Execute(SfxRequest&) (basesh.cxx:1071)
==3296268== by 0x3F981744: SfxStubSwBaseShellExecute(SfxShell*, SfxRequest&) (swslots.hxx:2180)
Change-Id: Ic76b64d106dcba34087d4effa60b0b84447168d7
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123376
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | sw/source/core/doc/DocumentContentOperationsManager.cxx | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sw/source/core/doc/DocumentContentOperationsManager.cxx b/sw/source/core/doc/DocumentContentOperationsManager.cxx index f42131cc8d14..9a093450f992 100644 --- a/sw/source/core/doc/DocumentContentOperationsManager.cxx +++ b/sw/source/core/doc/DocumentContentOperationsManager.cxx @@ -1920,13 +1920,16 @@ namespace //local functions originally from docfmt.cxx if (pCharSet && pCharSet->Count()) { - SwpHints *pSwpHints = bCreateSwpHints ? &pTNd->GetOrCreateSwpHints() - : pTNd->GetpSwpHints(); - if( pSwpHints ) + if (SwpHints *pSwpHints = bCreateSwpHints ? &pTNd->GetOrCreateSwpHints() + : pTNd->GetpSwpHints()) + { pSwpHints->Register( &aRegH ); + } pTNd->SetAttr(*pCharSet, 0, pTNd->GetText().getLength(), nFlags); - if( pSwpHints ) + + // re-fetch as it may be deleted by SetAttr + if (SwpHints *pSwpHints = pTNd->GetpSwpHints()) pSwpHints->DeRegister(); } } |