authorMichael Stahl <mstahl@redhat.com>2015-01-09 22:48:06 +0100
committerCaolán McNamara <caolanm@redhat.com>2015-01-14 10:12:27 +0000
commitbc00a5e9b2bba09fd3c7659be4de707b01a56a74 (patch)
tree5250bc2aafb5d574ca0fa31c39dd7411d9db448f /sc/source
parentbfc20246a88b19461d4bc95df47095186200ca77 (diff)
sc: fix use-after-free race in ScCellRangesBase
Probably 03cca068ed901d1862c440a6f414d17609785974 was not sufficient, because the ~ScCellRangesBase may access a deleted ScDocument after the early return. READ of size 8 at 0x61b000191cb0 thread T7 (cppu_threadpool) #0 0x2b3c8fd7c8b3 in ScDocument::RemoveUnoObject(SfxListener&) sc/source/core/data/documen3.cxx:863:9 #1 0x2b3c94517824 in ScCellRangesBase::~ScCellRangesBase() sc/source/ui/unoobj/cellsuno.cxx:1467:9 #2 0x2b3c9459cf98 in ScCellRangeObj::~ScCellRangeObj() sc/source/ui/unoobj/cellsuno.cxx:4786:1 #3 0x2b3c945eca28 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1 #4 0x2b3c945ecef1 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6087:1 #5 0x2b3c945ed093 in non-virtual thunk to ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1 #6 0x2b3c56cb35ec in cppu::OWeakObject::release() cppuhelper/source/weak.cxx:205:9 #7 0x2b3c94523d63 in ScCellRangesBase::release() sc/source/ui/unoobj/cellsuno.cxx:1772:5 #8 0x2b3c945a77ec in ScCellRangeObj::release() sc/source/ui/unoobj/cellsuno.cxx:4835:5 #9 0x2b3c945f842c in ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6128:5 #10 0x2b3c945fb953 in non-virtual thunk to ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6129:1 #11 0x2b3c7f305faa in bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*) bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:42:5 freed by thread T14 (cppu_threadpool) here: #0 0x43436b in operator delete(void*) (/data/lo/build_clang/instdir/program/soffice.bin+0x43436b) #1 0x2b3c9382462e in ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2722:1 #2 0x2b3c93824d46 in virtual thunk to ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2755:1 #3 0x2b3c58e2058a in SvRefBase::ReleaseRef() include/tools/ref.hxx:194:29 #4 0x2b3c58e12726 in tools::SvRef<SfxObjectShell>::~SvRef() include/tools/ref.hxx:52:24 #5 0x2b3c5a8a8f99 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() 
sfx2/source/doc/sfxbasemodel.cxx:247:5 #6 0x2b3c5a8a9141 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:246:5 #7 0x2b3c5a7b1905 in SfxBaseModel::dispose() sfx2/source/doc/sfxbasemodel.cxx:795:5 #8 0x2b3c5a7c8146 in SfxBaseModel::close(unsigned char) sfx2/source/doc/sfxbasemodel.cxx:1418:5 Change-Id: Ia041dc6596d1b0b6b979a20fa93e1490c657e15b (cherry picked from commit c6dc3b9f9adb292ae42ba246082bc9dcb1445c6c) Reviewed-on: https://gerrit.libreoffice.org/13871 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sc/source')
-rw-r--r--sc/source/ui/unoobj/cellsuno.cxx6
1 files changed, 6 insertions, 0 deletions
diff --git a/sc/source/ui/unoobj/cellsuno.cxx b/sc/source/ui/unoobj/cellsuno.cxx
index a2b58a87904a..39b264ff7413 100644
--- a/sc/source/ui/unoobj/cellsuno.cxx
+++ b/sc/source/ui/unoobj/cellsuno.cxx
@@ -1550,6 +1550,12 @@ void ScCellRangesBase::Notify( SfxBroadcaster&, const SfxHint& rHint )
uno::Reference<uno::XInterface> const xThis(m_wThis);
if (!xThis.is())
{ // fdo#72695: if UNO object is already dead, don't revive it with event
+ if (dynamic_cast<const SfxSimpleHint*>(&rHint) &&
+ SFX_HINT_DYING == static_cast<const SfxSimpleHint&>(rHint).GetId())
+ { // if the document dies, must reset to avoid crash in dtor!
+ ForgetCurrentAttrs();
+ pDocShell = nullptr;
+ }
return;
}
if ( dynamic_cast<const ScUpdateRefHint*>(&rHint) )
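Review bot: Clearing `pDocShell` and calling `ForgetCurrentAttrs()` in the new `SFX_HINT_DYING` branch only protects the destructor if Notify and `~ScCellRangesBase` are serialised by a common lock, and nothing in this hunk shows one. The trace in the commit message has the destructor and the document teardown on different threads (T7 and T14), so if the destructor has already tested `pDocShell` when this branch runs, it can presumably still reach the freed ScDocument, and the two paths may touch the cached attributes concurrently. Please state the locking assumption at the branch, e.g. `// dtor and Notify must hold the same mutex here; otherwise the dtor may already have read pDocShell`, and confirm that the destructor takes that lock before it reads the member. Notify's body starts and continues outside the hunk, so any guard taken earlier in the function is not visible here.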