From eb09b803aa578d11b61ec9052ceccd0d9270ff68 Mon Sep 17 00:00:00 2001
From: Michael Stahl <mstahl@redhat.com>
Date: Tue, 19 Aug 2014 23:37:21 +0200
Subject: fdo#72695: avoid double-free race condition for SwXReferenceMark

Change-Id: I66a988f17adebba72a71af5b770abbebfa4e12b2
---
 sw/source/core/unocore/unorefmk.cxx | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sw/source/core/unocore/unorefmk.cxx b/sw/source/core/unocore/unorefmk.cxx
index 10f0a067b872..9861801bdd99 100644
--- a/sw/source/core/unocore/unorefmk.cxx
+++ b/sw/source/core/unocore/unorefmk.cxx
@@ -43,19 +43,17 @@ class SwXReferenceMark::Impl
 {
 private:
     ::osl::Mutex m_Mutex; // just for OInterfaceContainerHelper
-    SwXReferenceMark & m_rThis;
 
 public:
+    uno::WeakReference<uno::XInterface> m_wThis;
     ::cppu::OInterfaceContainerHelper m_EventListeners;
     bool                        m_bIsDescriptor;
     SwDoc *                     m_pDoc;
     const SwFmtRefMark *        m_pMarkFmt;
     OUString             m_sMarkName;
 
-    Impl(   SwXReferenceMark & rThis,
-            SwDoc *const pDoc, SwFmtRefMark *const pRefMark)
+    Impl(   SwDoc *const pDoc, SwFmtRefMark *const pRefMark)
         : SwClient(pRefMark)
-        , m_rThis(rThis)
         , m_EventListeners(m_Mutex)
         , m_bIsDescriptor(0 == pRefMark)
         , m_pDoc(pDoc)
@@ -84,7 +82,12 @@ void SwXReferenceMark::Impl::Invalidate()
     }
     m_pDoc = 0;
     m_pMarkFmt = 0;
-    lang::EventObject const ev(static_cast< ::cppu::OWeakObject&>(m_rThis));
+    uno::Reference<uno::XInterface> const xThis(m_wThis);
+    if (!xThis.is())
+    {   // fdo#72695: if UNO object is already dead, don't revive it with event
+        return;
+    }
+    lang::EventObject const ev(xThis);
     m_EventListeners.disposeAndClear(ev);
 }
 
@@ -100,7 +103,7 @@ void SwXReferenceMark::Impl::Modify( const SfxPoolItem* pOld, const SfxPoolItem
 
 SwXReferenceMark::SwXReferenceMark(
         SwDoc *const pDoc, SwFmtRefMark *const pRefMark)
-    : m_pImpl( new SwXReferenceMark::Impl(*this, pDoc, pRefMark) )
+    : m_pImpl( new SwXReferenceMark::Impl(pDoc, pRefMark) )
 {
 }
 
@@ -126,6 +129,8 @@ SwXReferenceMark::CreateXReferenceMark(
         {
             pMarkFmt->SetXRefMark(xMark);
         }
+        // need a permanent Reference to initialize m_wThis
+        pMark->m_pImpl->m_wThis = xMark;
     }
     return xMark;
 }
-- 
cgit v1.2.3