cppuhelper: fix use-after-free race in OWeakConnectionPoint

OWeakObject::m_pWeakConnectionPoint is returned from
OWeakObject::queryAdapter(), and stored in
OWeakRefListener::m_xWeakConnectionPoint.

This is cleared in OWeakRefListener::dispose(), called from
OWeakConnectionPoint::dispose(), called from
OWeakObject::disposeWeakConnectionPoint(), but it can happen that
another thread is in WeakReferenceHelper::get() and has copied
m_xWeakConnectionPoint onto the stack before the OWeakObject is
released and deleted, then calls OWeakConnectionPoint::queryAdapted()
after it is released, accessing the dead m_pObject.

(cherry picked from commit 131e604073f89e6c1dd54be88b94b7befd881f2e)

Change-Id: I7782e6fb7e07f5a48cf7064115217376714ba8e8
Reviewed-on: https://gerrit.libreoffice.org/26441
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 72cd79fa1ff3e385eec5a2aed380aa9a776d1a07)

1 files changed, 6 insertions, 0 deletions

diff --git a/cppuhelper/source/weak.cxx b/cppuhelper/source/weak.cxx
index 72b88969715d..82e279e82c2a 100644
--- a/cppuhelper/source/weak.cxx
+++ b/cppuhelper/source/weak.cxx
@@ -105,6 +105,12 @@ void SAL_CALL OWeakConnectionPoint::release() throw()
 
 void SAL_CALL OWeakConnectionPoint::dispose() throw(css::uno::RuntimeException)
 {
+    {
+        MutexGuard aGuard(getWeakMutex());
+        // OWeakObject is not the only owner of this, so clear m_pObject
+        // so that queryAdapted() won't use it now that it's dead
+        m_pObject = nullptr;
+    }
     Any ex;
     OInterfaceIteratorHelper aIt( m_aReferences );
     while( aIt.hasMoreElements() )