authorStephan Bergmann <sbergman@redhat.com>2020-01-07 18:06:09 +0100
committerStephan Bergmann <sbergman@redhat.com>2020-01-07 20:28:35 +0100
commit4d59436258702251a881a007ccc52ffd5a3eeb38 (patch)
tree985e99a9b6288f19451a2a4e0a98fb15345a31ad /cui/source/tabpages/tpbitmap.cxx
parent386248c9c2de669c211ba5a06afc8466f14c542b (diff)
Fix SfxPoolItem use-after-free
...as observed with -fsanitize=address in Draw, after drawing some rectangle (so that there is at least one marked object) doing "Format - Area... - Area - Bitmap": > ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004aca50 at pc 0x7f14d0ef5fe1 bp 0x7ffd966c6cb0 sp 0x7ffd966c6ca8 > READ of size 4 at 0x6030004aca50 thread T0 > #0 in CntUInt32Item::GetValue() const at include/svl/cintitem.hxx:163:42 > #1 in SvxBitmapTabPage::Reset(SfxItemSet const*) at cui/source/tabpages/tpbitmap.cxx:278:124 > #2 in SvxAreaTabPage::CreatePage(int, SfxTabPage*) at cui/source/tabpages/tparea.cxx:448:21 > #3 in SvxAreaTabPage::SelectFillType(weld::ToggleButton&, SfxItemSet const*) at cui/source/tabpages/tparea.cxx:381:9 > #4 in SvxAreaTabPage::SelectFillTypeHdl_Impl(weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:364:5 > #5 in SvxAreaTabPage::LinkStubSelectFillTypeHdl_Impl(void*, weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:358:1 > #6 in Link<weld::ToggleButton&, void>::Call(weld::ToggleButton&) const at include/tools/link.hxx:111:45 > #7 in weld::ToggleButton::signal_toggled() at include/vcl/weld.hxx:1130:42 [...] 
> 0x6030004aca50 is located 16 bytes inside of 24-byte region [0x6030004aca40,0x6030004aca58) > freed by thread T0 here: > #0 in operator delete(void*, unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3 > #1 in SfxUInt32Item::~SfxUInt32Item() at include/svl/intitem.hxx:113:21 > #2 in SfxItemPool::Remove(SfxPoolItem const&) at svl/source/items/itempool.cxx:710:13 > #3 in SfxItemSet::~SfxItemSet() at svl/source/items/itemset.cxx:252:42 > #4 in SvxBitmapTabPage::Reset(SfxItemSet const*) at cui/source/tabpages/tpbitmap.cxx:276:9 > #5 in SvxAreaTabPage::CreatePage(int, SfxTabPage*) at cui/source/tabpages/tparea.cxx:448:21 > #6 in SvxAreaTabPage::SelectFillType(weld::ToggleButton&, SfxItemSet const*) at cui/source/tabpages/tparea.cxx:381:9 > #7 in SvxAreaTabPage::SelectFillTypeHdl_Impl(weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:364:5 > #8 in SvxAreaTabPage::LinkStubSelectFillTypeHdl_Impl(void*, weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:358:1 > #9 in Link<weld::ToggleButton&, void>::Call(weld::ToggleButton&) const at include/tools/link.hxx:111:45 This appears to be broken ever since d543d66a4ee34d3b0088f45951b56c150f7206ec "tdf#104615: there's no mpView when opening odc directly". Change-Id: Id0b3991f3e953ca5b10f466daab890383b0428ca Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86368 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Diffstat (limited to 'cui/source/tabpages/tpbitmap.cxx')
-rw-r--r--cui/source/tabpages/tpbitmap.cxx12
1 files changed, 6 insertions, 6 deletions
diff --git a/cui/source/tabpages/tpbitmap.cxx b/cui/source/tabpages/tpbitmap.cxx
index 945d92315c94..b18cfffbe607 100644
--- a/cui/source/tabpages/tpbitmap.cxx
+++ b/cui/source/tabpages/tpbitmap.cxx
@@ -260,8 +260,8 @@ bool SvxBitmapTabPage::FillItemSet( SfxItemSet* rAttrs )
void SvxBitmapTabPage::Reset( const SfxItemSet* rAttrs )
{
- const SfxPoolItem* pItemTransfWidth = nullptr;
- const SfxPoolItem* pItemTransfHeight = nullptr;
+ double transfWidth = 0.0;
+ double transfHeight = 0.0;
double fUIScale = 1.0;
if (mpView)
{
@@ -271,12 +271,12 @@ void SvxBitmapTabPage::Reset( const SfxItemSet* rAttrs )
if (mpView->AreObjectsMarked())
{
SfxItemSet rGeoAttr(mpView->GetGeoAttrFromMarked());
- pItemTransfWidth = GetItem( rGeoAttr, SID_ATTR_TRANSFORM_WIDTH );
- pItemTransfHeight= GetItem( rGeoAttr, SID_ATTR_TRANSFORM_HEIGHT );
+ transfWidth = static_cast<double>(GetItem( rGeoAttr, SID_ATTR_TRANSFORM_WIDTH )->GetValue());
+ transfHeight= static_cast<double>(GetItem( rGeoAttr, SID_ATTR_TRANSFORM_HEIGHT )->GetValue());
}
}
- m_fObjectWidth = std::max( pItemTransfWidth ? static_cast<double>(static_cast<const SfxUInt32Item*>(pItemTransfWidth)->GetValue()) : 0.0, 1.0 );
- m_fObjectHeight = std::max( pItemTransfHeight ? static_cast<double>(static_cast<const SfxUInt32Item*>(pItemTransfHeight)->GetValue()) : 0.0, 1.0 );
+ m_fObjectWidth = std::max( transfWidth, 1.0 );
+ m_fObjectHeight = std::max( transfHeight, 1.0 );
double fTmpWidth((OutputDevice::LogicToLogic(static_cast<sal_Int32>(m_fObjectWidth), mePoolUnit, MapUnit::Map100thMM )) / fUIScale);
m_fObjectWidth = fTmpWidth;
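Review bot: The two added assignments call `GetItem( rGeoAttr, ... )->GetValue()` without testing the returned pointer, whereas the removed code checked `pItemTransfWidth`/`pItemTransfHeight` before use. If GetItem can return null when the item is missing from the set (not visible in this hunk, so please confirm), the use-after-free fix would introduce a null dereference on the same path. Reading the values while `rGeoAttr` is still in scope is the right lifetime fix; keeping the guard would look like `if (auto const p = GetItem( rGeoAttr, SID_ATTR_TRANSFORM_WIDTH )) transfWidth = static_cast<double>(p->GetValue());`, and the same for the height. A short comment such as `// copy the values now: the items die with rGeoAttr at the end of this block` would stop a later cleanup from hoisting the pointers out again. The body of Reset continues outside the hunk.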