author | Michael Stahl <mstahl@redhat.com> | 2017-09-13 10:48:38 +0200 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2017-09-18 17:50:29 +0200 |
commit | e56850ce7c66aed7e3b6b4b5b140e70e7becbb1c (patch) | |
tree | 114e03f834a36bef544bceafe821523f97c8d993 /oox | |
parent | d40fbcce428534f7777a57c05478f27cebab0c3f (diff) |
tdf#112311 oox: fix UAF of std::shared_ptr
OOXMLFastContextHandlerShape::sendShape() deletes the parent context's
ShapeTypeContext::mrTypeModel.
It looks like the sendShape() can't be delayed because writerfilter
wants to import the v:textbox content into a text frame.
Keep the shape alive until the end of the containing context.
Not sure if it's going to process the v:fill element properly,
but at least valgrind is happy.
(probably regression from CWS writerfilter32bugfixes01)
Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0
(cherry picked from commit 88c84e71e2559ec6d0b4f8c5101a149daa4a2b2b)
Reviewed-on: https://gerrit.libreoffice.org/42245
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 7c7c19d80e6a6327be563a18febc3854d9a38daf)
Diffstat (limited to 'oox')
-rw-r--r-- | oox/source/vml/vmlshapecontainer.cxx | 4 | ||||
-rw-r--r-- | oox/source/vml/vmlshapecontext.cxx | 30 |
2 files changed, 20 insertions, 14 deletions
diff --git a/oox/source/vml/vmlshapecontainer.cxx b/oox/source/vml/vmlshapecontainer.cxx
index 055365202d5d..31359f862fba 100644
--- a/oox/source/vml/vmlshapecontainer.cxx
+++ b/oox/source/vml/vmlshapecontainer.cxx
@@ -59,11 +59,11 @@ ShapeContainer::~ShapeContainer()
 {
 }
-ShapeType& ShapeContainer::createShapeType()
+std::shared_ptr<ShapeType> ShapeContainer::createShapeType()
 {
 std::shared_ptr< ShapeType > xShape( new ShapeType( mrDrawing ) );
 maTypes.push_back( xShape );
- return *xShape;
+ return xShape;
 }
 void ShapeContainer::finalizeFragmentImport()
diff --git a/oox/source/vml/vmlshapecontext.cxx b/oox/source/vml/vmlshapecontext.cxx
index 800ec9ad0582..8f4170b40f49 100644
--- a/oox/source/vml/vmlshapecontext.cxx
+++ b/oox/source/vml/vmlshapecontext.cxx
@@ -269,9 +269,12 @@ ContextHandlerRef ShapeContextBase::createShapeContext( ContextHandler2Helper& r
 return nullptr;
 }
-ShapeTypeContext::ShapeTypeContext( ContextHandler2Helper& rParent, ShapeType& rShapeType, const AttributeList& rAttribs ) :
- ShapeContextBase( rParent ),
- mrTypeModel( rShapeType.getTypeModel() )
+ShapeTypeContext::ShapeTypeContext(ContextHandler2Helper& rParent,
+ std::shared_ptr<ShapeType> const& pShapeType,
+ const AttributeList& rAttribs)
+ : ShapeContextBase(rParent)
+ , m_pShapeType(pShapeType) // tdf#112311 keep it alive
+ , mrTypeModel( pShapeType->getTypeModel() )
 {
 // shape identifier and shape name
 bool bHasOspid = rAttribs.hasAttribute( O_TOKEN( spid ) );
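Review bot: In the `ShapeTypeContext` constructor, the new initializer `mrTypeModel( pShapeType->getTypeModel() )` dereferences `pShapeType` without anything ruling out an empty pointer, whereas the old `ShapeType&` parameter could not be null. `createShapeType()` in vmlshapecontainer.cxx always returns a non-null pointer, but the other callers are outside this diff, so I would state the precondition where it is relied on: a comment such as `// pShapeType must be non-null; this context co-owns it`, plus `assert(pShapeType);` as the first statement of the body for debug builds. The same unchecked dereference appears in the later hunks, as `*pShape` in the `ShapeContext` constructor and `pShape->getChildren()` in the `GroupShapeContext` constructor. The constructor body continues past the end of this hunk.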
@@ -442,10 +445,11 @@ void ShapeTypeContext::setStyle( const OUString& rStyle )
 }
 }
-ShapeContext::ShapeContext( ContextHandler2Helper& rParent, ShapeBase& rShape, const AttributeList& rAttribs ) :
- ShapeTypeContext( rParent, rShape, rAttribs ),
- mrShape( rShape ),
- mrShapeModel( rShape.getShapeModel() )
+ShapeContext::ShapeContext(ContextHandler2Helper& rParent,
+ std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs)
+ : ShapeTypeContext( rParent, pShape, rAttribs )
+ , mrShape( *pShape )
+ , mrShapeModel( pShape->getShapeModel() )
 {
 // collect shape specific attributes
 mrShapeModel.maType = rAttribs.getXString( XML_type, OUString() );
@@ -532,9 +536,10 @@ void ShapeContext::setVmlPath( const OUString& rPath )
 mrShapeModel.maVmlPath = rPath;
 }
-GroupShapeContext::GroupShapeContext( ContextHandler2Helper& rParent, GroupShape& rShape, const AttributeList& rAttribs ) :
- ShapeContext( rParent, rShape, rAttribs ),
- mrShapes( rShape.getChildren() )
+GroupShapeContext::GroupShapeContext(ContextHandler2Helper& rParent,
+ std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs)
+ : ShapeContext( rParent, pShape, rAttribs )
+ , mrShapes( pShape->getChildren() )
 {
 }
@@ -546,8 +551,9 @@ ContextHandlerRef GroupShapeContext::onCreateContext( sal_Int32 nElement, const
 return xContext.get() ? xContext : ShapeContext::onCreateContext( nElement, rAttribs );
 }
-RectangleShapeContext::RectangleShapeContext( ContextHandler2Helper& rParent, const AttributeList& rAttribs, RectangleShape& rShape ) :
- ShapeContext( rParent, rShape, rAttribs )
+RectangleShapeContext::RectangleShapeContext(ContextHandler2Helper& rParent,
+ const AttributeList& rAttribs, std::shared_ptr<RectangleShape> pShape)
+ : ShapeContext( rParent, pShape, rAttribs )
 {
 } |
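Review bot: In the `ShapeContext` constructor, `mrShape( *pShape )` and `mrShapeModel( pShape->getShapeModel() )` still store plain references, and the by-value `pShape` is gone once the constructor returns, so they stay valid only because the base class keeps the converted pointer in `m_pShapeType`. Nothing at these initializers says so; the `// tdf#112311 keep it alive` remark exists only in `ShapeTypeContext`. I would add a comment here such as `// references below are kept valid by ShapeTypeContext::m_pShapeType (tdf#112311)`, and the same at `mrShapes( pShape->getChildren() )` in the `GroupShapeContext` constructor, so a later refactor does not remove the owner and leave the references dangling again. The constructor body continues past the end of the hunk.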
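Review bot: The `GroupShapeContext` constructor, like the `ShapeContext` constructor before it and the `RectangleShapeContext` constructor after it, takes its `std::shared_ptr` by value, while `ShapeTypeContext` at the bottom of the chain takes `std::shared_ptr<ShapeType> const&`. Each level therefore makes its own temporary copy, with a reference-count increment and decrement, although the only copy these hunks show being stored is `m_pShapeType` in the base. Taking the parameter as `std::shared_ptr<GroupShape> const& pShape` (and likewise in the other two constructors) would match the base class and make it clearer that there is a single owner.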