authorMichael Stahl <Michael.Stahl@cib.de>2019-07-18 14:07:06 +0200
committerAndras Timar <andras.timar@collabora.com>2021-05-10 16:33:51 +0200
commit6b7b27e043fdcc87ab7caf34fcc1919cc2b15541 (patch)
tree83d62a834b4eeced35452805ff9c2d806b56d995
parent0736958efa4e937d37b5261af981b2dbc765d6b4 (diff)
sw: fix use after free on tdf117215-1.odt
Move the fix from 6d0ea082889c89eb8b408779f2de08da7441ff54 to SwFlyFrame::DestroyImpl() so we unregister every SwFlyFrame. ==1550==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000383f56 at pc 0x7efcd70d5ab9 bp 0x7ffeb7ac7c40 sp 0x7ffeb7ac7c38 WRITE of size 1 at 0x615000383f56 thread T0 0 SwAnchoredObject::SetTmpConsiderWrapInfluence(bool) sw/source/core/layout/anchoredobject.cxx:743:32 1 SwObjsMarkedAsTmpConsiderWrapInfluence::Clear() sw/source/core/layout/objstmpconsiderwrapinfl.cxx:53:23 2 SwLayouter::ClearObjsTmpConsiderWrapInfluence(SwDoc const&) sw/source/core/layout/layouter.cxx:387:84 3 sw::DocumentLayoutManager::ClearSwLayouterEntries() sw/source/core/doc/DocumentLayoutManager.cxx:497:5 4 sw::DocumentStateManager::SetModified() sw/source/core/doc/DocumentStateManager.cxx:45:39 5 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3942:36 0x615000383f56 is located 342 bytes inside of 504-byte region [0x615000383e00,0x615000383ff8) freed by thread T0 here: 1 SwFlyAtContentFrame::~SwFlyAtContentFrame() sw/source/core/inc/flyfrms.hxx:159:7 2 SwFrame::DestroyFrame(SwFrame*) sw/source/core/layout/ssfrm.cxx:389:9 3 SwFrameFormat::DelFrames() sw/source/core/layout/atrfrm.cxx:2624:17 4 SwUndoFlyBase::DelFly(SwDoc*) sw/source/core/undo/undobj1.cxx:161:19 5 SwUndoDelLayFormat::SwUndoDelLayFormat(SwFrameFormat*) sw/source/core/undo/undobj1.cxx:403:5 6 SwHistoryTextFlyCnt::SwHistoryTextFlyCnt(SwFrameFormat*) sw/source/core/undo/rolbck.cxx:538:20 7 SwHistory::Add(SwFlyFrameFormat&, unsigned short&) sw/source/core/undo/rolbck.cxx:1083:50 8 SwUndoSaveContent::DelContentIndex(SwPosition const&, SwPosition const&, DelContentType) sw/source/core/undo/undobj.cxx:1020:39 9 SwUndoDelete::SwUndoDelete(SwPaM&, bool, bool) sw/source/core/undo/undel.cxx:229:9 11 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3939:55 
Change-Id: Ia0c28c9d5792615cbb566e502374efd0f4056daf Reviewed-on: https://gerrit.libreoffice.org/75857 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> (cherry picked from commit dea72ef111ee8a0b1b178f8cd48757514d5ca831) Reviewed-on: https://gerrit.libreoffice.org/75941 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit 4b9324b93dcbd72c8c8949309d45790dd8f7d5fd)
-rw-r--r--sw/source/core/layout/fly.cxx2
-rw-r--r--sw/source/core/layout/ssfrm.cxx2
2 files changed, 3 insertions, 1 deletions
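--- a/sw/source/core/layout/fly.cxx
+++ b/sw/source/core/layout/fly.cxx
@@ -254,6 +254,8 @@ void SwFlyFrame::DestroyImpl()
 if( GetFormat() && !GetFormat()->GetDoc()->IsInDtor() )
 {
+ ClearTmpConsiderWrapInfluence(); // remove this from SwLayouter
+
 // OD 2004-01-19 #110582#
 Unchain();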
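Review bot: The new ClearTmpConsiderWrapInfluence() call sits inside the `GetFormat() && !GetFormat()->GetDoc()->IsInDtor()` guard, so a fly frame whose format is gone or whose document is already in its destructor is no longer unregistered from the SwLayouter, whereas the call this commit removes from SwLayoutFrame::DestroyImpl() in ssfrm.cxx ran unconditionally before the dynamic_cast. That is presumably safe because the layouter entries go away with the document before another SetModified() can reach them, but nothing in the hunk records that reasoning. A comment that names both the hazard from the commit message and the open assumption would help the next reader, e.g. `// unregister from SwLayouter before this frame is freed, otherwise ClearObjsTmpConsiderWrapInfluence() dereferences it on the next SetModified(); a frame destroyed while the doc is in dtor stays registered — TODO(review): confirm the layouter is torn down first`. SwFlyFrame::DestroyImpl() starts before the hunk and continues past it.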
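--- a/sw/source/core/layout/ssfrm.cxx
+++ b/sw/source/core/layout/ssfrm.cxx
@@ -472,7 +472,6 @@ void SwLayoutFrame::DestroyImpl()
 const size_t nCnt = pFrame->GetDrawObjs()->size();
 // #i28701#
 SwAnchoredObject* pAnchoredObj = (*pFrame->GetDrawObjs())[0];
- pAnchoredObj->ClearTmpConsiderWrapInfluence();
 if (SwFlyFrame* pFlyFrame = dynamic_cast<SwFlyFrame*>(pAnchoredObj))
 {
 SwFrame::DestroyFrame(pFlyFrame);
@@ -480,6 +479,7 @@ void SwLayoutFrame::DestroyImpl()
 }
 else
 {
+ pAnchoredObj->ClearTmpConsiderWrapInfluence();
 SdrObject* pSdrObj = pAnchoredObj->DrawObj();
 SwDrawContact* pContact =
 static_cast<SwDrawContact*>(pSdrObj->GetUserCall());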
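Review bot: The else branch now carries the only explicit ClearTmpConsiderWrapInfluence() call in this loop, and nothing at that line explains why the fly-frame branch above no longer needs one, so the two branches read as inconsistent rather than deliberately split. A one-line comment at the added line would make the division self-explanatory: `// SwFlyFrame unregisters itself in SwFlyFrame::DestroyImpl(); only drawing objects need the explicit call here`. The same asymmetry shows in the first hunk of this file, where the unconditional call ahead of the dynamic_cast was dropped without a note. SwLayoutFrame::DestroyImpl() begins before the first hunk and continues past the last one.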