authorMike Kaganski <mike.kaganski@collabora.com>2021-07-23 17:35:45 +0200
committerMike Kaganski <mike.kaganski@collabora.com>2021-07-23 20:06:49 +0200
commit6362c905cf19f2f6cb67bf634091b14c2a8e90ec (patch)
treec6866039e4e9e24cdcd2f4c19b899f3b7f752f97
parent51371d7e652366b3967d1b5ab6b6217d1ade78d2 (diff)
tdf#143514: Avoid double-free in dbgutil code
SdrObject::Free may start a chain of deletions, removing more than one object from maAllIncarnatedObjects. Trying to free them a second time after that would lead to a crash. Change-Id: I8648b05d167acecb2799ecf165c387721528a11a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119433 Tested-by: Mike Kaganski <mike.kaganski@collabora.com> Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
-rw-r--r--svx/source/svdraw/svdmodel.cxx10
1 files changed, 5 insertions, 5 deletions
diff --git a/svx/source/svdraw/svdmodel.cxx b/svx/source/svdraw/svdmodel.cxx
index f46a34eaf6ec..7dcc8110faa4 100644
--- a/svx/source/svdraw/svdmodel.cxx
+++ b/svx/source/svdraw/svdmodel.cxx
@@ -197,13 +197,13 @@ SdrModel::~SdrModel()
if(!maAllIncarnatedObjects.empty())
{
SAL_WARN("svx","SdrModel::~SdrModel: Not all incarnations of SdrObjects deleted, possible memory leak (!)");
- // copy to std::vector - calling SdrObject::Free will change maAllIncarnatedObjects
- const std::vector< const SdrObject* > maRemainingObjects(maAllIncarnatedObjects.begin(), maAllIncarnatedObjects.end());
- for(auto pSdrObject : maRemainingObjects)
+ // calling SdrObject::Free will change maAllIncarnatedObjects, and potentially remove more
+ // than one - do not copy to another container, to not try to free already removed object.
+ do
{
- SdrObject* pCandidate(const_cast<SdrObject*>(pSdrObject));
+ SdrObject* pCandidate(const_cast<SdrObject*>(*maAllIncarnatedObjects.begin()));
SdrObject::Free(pCandidate);
- }
+ } while (!maAllIncarnatedObjects.empty());
}
#endif
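Review bot: The new `do … while (!maAllIncarnatedObjects.empty())` loop terminates only if every `SdrObject::Free` call removes at least the front element from `maAllIncarnatedObjects`, whereas the old copy-and-iterate loop was bounded by the size of the copy. SdrObject::Free is not visible in this hunk, so if it can ever return without deleting the object (for example when ownership lies with something else), the destructor would spin forever in dbgutil builds instead of merely leaking. A progress check would bound it: take `const auto nBefore = maAllIncarnatedObjects.size();` before the call and add `if (maAllIncarnatedObjects.size() >= nBefore) break;` after it, ideally with a SAL_WARN naming the object that refused to go away. The body of SdrModel::~SdrModel starts above the hunk, so any earlier cleanup that affects this set is not shown here.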