diff options
| author | Michael Stahl <mstahl@redhat.com> | 2017-09-13 10:48:38 +0200 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-09-13 17:58:55 +0200 |
| commit | 561cf96d8e91adf141d165b818bb2be6e3e97f90 (patch) | |
| tree | 232463067535b3420b02098aab4c3fad5af7dba5 /include | |
| parent | 3181238d88c01245d9fd1aba5cca388174113c83 (diff) | |
tdf#112311 oox: fix UAF of std::shared_ptr
OOXMLFastContextHandlerShape::sendShape() deletes the parent context's
ShapeTypeContext::mrTypeModel.
It looks like the sendShape() can't be delayed because writerfilter
wants to import the v:textbox content into a text frame.
Keep the shape alive until the end of the containing context.
Not sure if it's going to process the v:fill element properly,
but at lest valgrind is happy.
(probably regression from CWS writerfilter32bugfixes01)
Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0
(cherry picked from commit 88c84e71e2559ec6d0b4f8c5101a149daa4a2b2b)
Reviewed-on: https://gerrit.libreoffice.org/42249
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/oox/vml/vmlshapecontainer.hxx | 8 | ||||
| -rw-r--r-- | include/oox/vml/vmlshapecontext.hxx | 9 |
2 files changed, 9 insertions, 8 deletions
diff --git a/include/oox/vml/vmlshapecontainer.hxx b/include/oox/vml/vmlshapecontainer.hxx index 76e294fc279d..692beafad555 100644 --- a/include/oox/vml/vmlshapecontainer.hxx +++ b/include/oox/vml/vmlshapecontainer.hxx @@ -61,10 +61,10 @@ public: Drawing& getDrawing() { return mrDrawing; } /** Creates and returns a new shape template object. */ - ShapeType& createShapeType(); + std::shared_ptr<ShapeType> createShapeType(); /** Creates and returns a new shape object of the specified type. */ template< typename ShapeT > - ShapeT& createShape(); + std::shared_ptr<ShapeT> createShape(); /** Final processing after import of the drawing fragment. */ void finalizeFragmentImport(); @@ -123,11 +123,11 @@ private: template< typename ShapeT > -ShapeT& ShapeContainer::createShape() +std::shared_ptr<ShapeT> ShapeContainer::createShape() { std::shared_ptr< ShapeT > xShape( new ShapeT( mrDrawing ) ); maShapes.push_back( xShape ); - return *xShape; + return xShape; } template< typename Functor > diff --git a/include/oox/vml/vmlshapecontext.hxx b/include/oox/vml/vmlshapecontext.hxx index 1c1565b62397..14533b8b35ab 100644 --- a/include/oox/vml/vmlshapecontext.hxx +++ b/include/oox/vml/vmlshapecontext.hxx @@ -99,7 +99,7 @@ class ShapeTypeContext : public ShapeContextBase public: explicit ShapeTypeContext( ::oox::core::ContextHandler2Helper& rParent, - ShapeType& rShapeType, + std::shared_ptr<ShapeType> const& pShapeType, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -113,6 +113,7 @@ private: OptValue< OUString > decodeFragmentPath( const AttributeList& rAttribs, sal_Int32 nToken ) const; private: + std::shared_ptr<ShapeType> m_pShapeType; ShapeTypeModel& mrTypeModel; }; @@ -122,7 +123,7 @@ class ShapeContext : public ShapeTypeContext public: explicit ShapeContext( ::oox::core::ContextHandler2Helper& rParent, - ShapeBase& rShape, + std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -155,7 +156,7 @@ class GroupShapeContext : public ShapeContext public: explicit GroupShapeContext( ::oox::core::ContextHandler2Helper& rParent, - GroupShape& rShape, + std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -172,7 +173,7 @@ public: explicit RectangleShapeContext( ::oox::core::ContextHandler2Helper& rParent, const AttributeList& rAttribs, - RectangleShape& rShape ); + std::shared_ptr<RectangleShape> pShape); virtual ::oox::core::ContextHandlerRef onCreateContext( sal_Int32 nElement, const AttributeList& rAttribs ) override; |