author | Michael Stahl <Michael.Stahl@cib.de> | 2018-07-31 15:20:00 +0200 |
committer | Michael Stahl <Michael.Stahl@cib.de> | 2018-09-19 10:18:22 +0200 |
commit | c0f51bdf3896473962702c01968a133c927aed4a (patch) | |
tree | 0937e401cc867fbeeabe32a6b39236d74efb7162 | |
parent | dc4edcc62e3aa55a28cd8230742fb8ab1da593ad (diff) |
sw_redlinehide_2: fix use-after-free of SwFont
SwTextSizeInfo::m_pFnt may be an alias of either SwAttrIter or
SwAttrHandler's SwFont members; keep these alive if they exist when
re-initialising from SwAttrIter::Seek().
Change-Id: I8fcbcf3aa339dfc6fa33b5439facadc6034c8cf5
-rw-r--r-- | sw/source/core/text/atrstck.cxx | 13 | ||||
-rw-r--r-- | sw/source/core/text/redlnitr.cxx | 14 |
2 files changed, 23 insertions, 4 deletions
diff --git a/sw/source/core/text/atrstck.cxx b/sw/source/core/text/atrstck.cxx
index 345400cede4f..ecae4e4a8385 100644
--- a/sw/source/core/text/atrstck.cxx
+++ b/sw/source/core/text/atrstck.cxx
@@ -401,8 +401,17 @@ void SwAttrHandler::Init( const SfxPoolItem** pPoolItem, const SwAttrSet* pAS,
 }
 // It is possible, that Init is called more than once, e.g., in a
- // SwTextFrame::FormatOnceMore situation.
- m_pFnt.reset( new SwFont(rFnt) );
+ // SwTextFrame::FormatOnceMore situation or (since sw_redlinehide)
+ // from SwAttrIter::Seek(); in the latter case SwTextSizeInfo::m_pFnt
+ // is an alias of m_pFnt so it must not be deleted!
+ if (m_pFnt)
+ {
+ *m_pFnt = rFnt;
+ }
+ else
+ {
+ m_pFnt.reset(new SwFont(rFnt));
+ }
 }
 void SwAttrHandler::Reset( )
diff --git a/sw/source/core/text/redlnitr.cxx b/sw/source/core/text/redlnitr.cxx
index 7c51eed6aaa6..3e58f85ddf77 100644
--- a/sw/source/core/text/redlnitr.cxx
+++ b/sw/source/core/text/redlnitr.cxx
@@ -135,8 +135,18 @@ void SwAttrIter::InitFontAndAttrHandler(SwTextNode const& rTextNode,
 {
 // Build a font matching the default paragraph style:
 SwFontAccess aFontAccess( &rTextNode.GetAnyFormatColl(), m_pViewShell );
- delete m_pFont;
- m_pFont = new SwFont( aFontAccess.Get()->GetFont() );
+ // It is possible that Init is called more than once, e.g., in a
+ // SwTextFrame::FormatOnceMore situation or (since sw_redlinehide)
+ // from SwAttrIter::Seek(); in the latter case SwTextSizeInfo::m_pFnt
+ // is an alias of m_pFont so it must not be deleted!
+ if (m_pFont)
+ {
+ *m_pFont = aFontAccess.Get()->GetFont();
+ }
+ else
+ {
+ m_pFont = new SwFont( aFontAccess.Get()->GetFont() );
+ }
 // set font to vertical if frame layout is vertical
 // if it's a re-init, the vert flag never changes |
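Review bot: The new invariant — `m_pFnt` must never be reseated once set, because `SwTextSizeInfo::m_pFnt` may hold a raw alias of it — is recorded only in a comment inside the body of `SwAttrHandler::Init`, so a future `reset()` on any other path would reintroduce the use-after-free without a compiler or runtime complaint. The member declaration lives in a header outside this hunk; it should carry the same contract, e.g. `// Never reseated once set: SwTextSizeInfo::m_pFnt may be a raw alias of this object.`, so the rule is visible where the pointer is declared rather than only at one of its writers. The `*m_pFnt = rFnt;` branch also relies on `SwFont::operator=` reproducing everything that the discarded fresh construction would have set; SwFont is not visible here, so it is worth confirming no state cached in the old object survives the assignment. The same two points apply to the redlnitr.cxx hunk. `SwAttrHandler::Init` begins before this hunk.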
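Review bot: The comment copied into `SwAttrIter::InitFontAndAttrHandler` still says "Init is called more than once", which names a different function than the one it sits in; the first line should read `// It is possible that InitFontAndAttrHandler is called more than once, e.g., in a`. The `else` branch keeps a raw owning `new SwFont(...)` stored in `m_pFont`, while the sibling fix in atrstck.cxx manages its font through a `unique_ptr` (`m_pFnt.reset(...)`); changing `m_pFont` to `std::unique_ptr<SwFont>` would make ownership explicit and let the no-reseat rule be expressed on the member, though that declaration is in a header outside this hunk. The enclosing function begins before the hunk and continues after it.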