sw: layout: remove superfluous pages again in InternalAction()

The bugdoc has a very large header containing hidden text changes height
when toggling Formatting Marks.  When toggling on, it crashes, because
UnHide() iterates the text frames in all headers, but after the first
one empty pages at the end of the document are removed, so UAF.

Remove the pages without content earlier; SwLayAction::InternalAction()
already does it after the "normal" page loop, but the 2nd page loop
following that may also move content off pages, so do it again.

Change-Id: Iaae6a16842b3494f25cba8fc036d15049b71961f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165801
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 759d822dac5edc6104ce61b70c578425d9f2470d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165727
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx
index 06c3027bebc5..1a0a1260a135 100644
--- a/sw/source/core/layout/layact.cxx
+++ b/sw/source/core/layout/layact.cxx
@@ -809,6 +809,12 @@ void SwLayAction::InternalAction(OutputDevice* pRenderContext)
             unlockPositionOfObjects( pPg );
             pPg = static_cast<SwPageFrame*>(pPg->GetNext());
         }
+        if (m_pRoot->IsSuperfluous()) // could be newly set now!
+        {
+            bool bOld = IsAgain();
+            m_pRoot->RemoveSuperfluous();
+            SetAgain(bOld);
+        }
         // reset flag for special interrupt content formatting.
         mbFormatContentOnInterrupt = false;
     }