diff options
| author | Michael Stahl <mstahl@redhat.com> | 2017-07-04 22:46:15 +0200 |
|---|---|---|
| committer | Eike Rathke <erack@redhat.com> | 2017-07-11 16:28:00 +0200 |
| commit | 665491f769c2012f83fdce032cf0265238740bad (patch) | |
| tree | 0212d1a1f36c67bc7b3e255c6f6a95654abd26ee | |
| parent | c9b3f21706e5cfc2f49c52a6d04d7b342ea543e0 (diff) | |
sw: fix use-after-free in SwAccessibleMap::FireEvents()
As seen when running JunitTest_sw_unoapi_3 against "make debugrun",
the damn thing can call itself recursively via an odd corner case in
GetContext():
0 in SwAccessibleEventList_Impl::~SwAccessibleEventList_Impl() (this=0x9a6a170, __in_chrg=<optimized out>) at sw/source/core/access/accmap.cxx:498
1 in SwAccessibleMap::FireEvents() (this=0x8198bb0) at sw/source/core/access/accmap.cxx:3023
2 in SwAccessibleMap::InvalidateCursorPosition(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&) (this=0x8198bb0, rAcc=uno::Reference to (SwAccessibleParagraph *) 0x9a439d8) at sw/source/core/access/accmap.cxx:1069
3 in SwAccessibleMap::GetContext(SwFrame const*, bool) (this=0x8198bb0, pFrame=0x825ca10, bCreate=true) at sw/source/core/access/accmap.cxx:1925
4 in SwAccessibleMap::GetContextImpl(SwFrame const*, bool) (this=0x8198bb0, pFrame=0x825ca10, bCreate=true) at sw/source/core/access/accmap.cxx:1936
5 in SwAccessibleContext::InvalidateChildPosOrSize(sw::access::SwAccessibleChild const&, SwRect const&) (this=0x405a350, rChildFrameOrObj=..., rOldFrame=SwRect = {...}) at sw/source/core/access/acccontext.cxx:1196
6 in SwAccessibleMap::FireEvent(SwAccessibleEvent_Impl const&) (this=0x8198bb0, rEvent=...) at sw/source/core/access/accmap.cxx:898
7 in SwAccessibleMap::FireEvents() (this=0x8198bb0) at sw/source/core/access/accmap.cxx:3018
8 in SwViewShellImp::FireAccessibleEvents() (this=0x7744dc0) at sw/source/core/view/viewimp.cxx:460
9 in SwLayIdle::SwLayIdle(SwRootFrame*, SwViewShellImp*) (this=0x7ffc63395e30, pRt=0x7745120, pI=0x7744dc0) at sw/source/core/layout/layact.cxx:2267
Presumably all of mpEvents, mpEventMap and mpShapes must live until
the outermost FireEvents() completes.
Change-Id: I4e5a053035bf7fc12d9407913437d721889950ae
(cherry picked from commit ddf8d9a150e3e1725de65577c48d47918b4b11a8)
Reviewed-on: https://gerrit.libreoffice.org/39567
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Reviewed-by: Eike Rathke <erack@redhat.com>
| -rw-r--r-- | sw/source/core/access/accmap.cxx | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sw/source/core/access/accmap.cxx b/sw/source/core/access/accmap.cxx index 0faee74144b7..84147a1826fd 100644 --- a/sw/source/core/access/accmap.cxx +++ b/sw/source/core/access/accmap.cxx @@ -3058,6 +3058,11 @@ void SwAccessibleMap::FireEvents() osl::MutexGuard aGuard( maEventMutex ); if( mpEvents ) { + if (mpEvents->IsFiring()) + { + return; // prevent recursive FireEvents() + } + mpEvents->SetFiring(); mpEvents->MoveMissingXAccToEnd(); for( auto const& aEvent : *mpEvents ) |