diff options
| author | Michael Stahl <mstahl@redhat.com> | 2016-06-17 21:58:09 +0200 |
|---|---|---|
| committer | Michael Stahl <mstahl@redhat.com> | 2016-06-17 22:13:24 +0200 |
| commit | 131e604073f89e6c1dd54be88b94b7befd881f2e (patch) | |
| tree | d382dd311ba08be6bfe8e9cd49cb0614d9ac9d7a /cppuhelper | |
| parent | bb1e59d596ffa29d40b4538e18a08e5e91d469a9 (diff) | |
cppuhelper: fix use-after-free race in OWeakConnectionPoint
OWeakObject::m_pWeakConnectionPoint is returned from
OWeakObject::queryAdapter(), and stored in
OWeakRefListener::m_xWeakConnectionPoint.
This is cleared in OWeakRefListener::dispose(), called from
OWeakConnectionPoint::dispose(), called from
OWeakObject::disposeWeakConnectionPoint(), but it can happen that
another thread is in WeakReferenceHelper::get() and has copied
m_xWeakConnectionPoint onto the stack before the OWeakObject is
released and deleted, then calls OWeakConnectionPoint::queryAdapted()
after it is released, accessing the dead m_pObject.
Change-Id: I7782e6fb7e07f5a48cf7064115217376714ba8e8
Diffstat (limited to 'cppuhelper')
| -rw-r--r-- | cppuhelper/source/weak.cxx | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/cppuhelper/source/weak.cxx b/cppuhelper/source/weak.cxx index ed1f77208249..85cf3f626482 100644 --- a/cppuhelper/source/weak.cxx +++ b/cppuhelper/source/weak.cxx @@ -111,6 +111,9 @@ void SAL_CALL OWeakConnectionPoint::dispose() throw(css::uno::RuntimeException) std::vector<Reference<XReference>> aCopy; { // only hold the mutex while we access the field MutexGuard aGuard(getWeakMutex()); + // OWeakObject is not the only owner of this, so clear m_pObject + // so that queryAdapted() won't use it now that it's dead + m_pObject = nullptr; // other code is going to call removeReference while we are doing this, so we need a // copy, but since we are disposing and going away, we can just take the original data aCopy.swap(m_aReferences); |