Avoid using invalidated rRect

...as happens during `convert-to pdf doc/ooo107799-1.doc` (i.e., oracle apex.doc
attached at <https://bz.apache.org/ooo/show_bug.cgi?id=107799#c1>):

> ==29889==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200034f548 at pc 0x0000002ebcaa bp 0x7fff9666f320 sp 0x7fff9666ead0
> READ of size 16 at 0x61200034f548 thread T0
>  #0 in __asan_memcpy at /home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
>  #1 in SwRect::SwRect(SwRect const&) at sw/inc/swrect.hxx:313:5
>  #2 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:2971:12
>  #3 in SwViewShell::PrintOrPDFExport(OutputDevice*, SwPrintData const&, int, bool) at sw/source/core/view/vprint.cxx:542:30
>  #4 in SwXTextDocument::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sw/source/uibase/uno/unotxdoc.cxx:3026:32
>  #5 in PDFExport::ExportSelection(vcl::PDFWriter&, com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, com::sun::star::uno::Any const&, StringRangeEnumerator const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) at filter/source/pdf/pdfexport.cxx:227:34
>  #6 in PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdfexport.cxx:939:28
>
> 0x61200034f548 is located 8 bytes inside of 272-byte region [0x61200034f540,0x61200034f650)
> freed by thread T0 here:
>  #0 in operator delete(void*, unsigned long) at /home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cc:172:3
>  #1 in SwPageFrame::~SwPageFrame() at sw/source/core/layout/pagechg.cxx:301:1
>  #2 in SwFrame::DestroyFrame(SwFrame*) at sw/source/core/layout/ssfrm.cxx:389:9
>  #3 in SwRootFrame::RemovePage(SwPageFrame**, SwRemoveResult) at sw/source/core/layout/pagechg.cxx:1426:5
>  #4 in SwRootFrame::RemoveSuperfluous() at sw/source/core/layout/pagechg.cxx:1501:13
>  #5 in SwLayAction::InternalAction(OutputDevice*) at sw/source/core/layout/layact.cxx:494:30
>  #6 in SwLayAction::Action(OutputDevice*) at sw/source/core/layout/layact.cxx:349:5
>  #7 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:2965:17
>  #8 in SwViewShell::PrintOrPDFExport(OutputDevice*, SwPrintData const&, int, bool) at sw/source/core/view/vprint.cxx:542:30
>  #9 in SwXTextDocument::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sw/source/uibase/uno/unotxdoc.cxx:3026:32

Change-Id: I2931920d19d535f569c61fb9d7f1ce21bf7a0d88
Reviewed-on: https://gerrit.libreoffice.org/76270
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
Tested-by: Jenkins

1 files changed, 4 insertions, 1 deletions

diff --git a/sw/source/core/layout/paintfrm.cxx b/sw/source/core/layout/paintfrm.cxx
index 61898a818771..36f1cd69ff5d 100644
--- a/sw/source/core/layout/paintfrm.cxx
+++ b/sw/source/core/layout/paintfrm.cxx
@@ -2933,6 +2933,10 @@ void SwRootFrame::PaintSwFrame(vcl::RenderContext& rRenderContext, SwRect const&
     ::SwCalcPixStatics( pSh->GetOut() );
     aGlobalRetoucheColor = pSh->Imp()->GetRetoucheColor();
 
+    // Copy rRect; for one, rRect could become dangling during the below action, and for another it
+    // needs to be copied to aRect anyway as that is modified further down below:
+    SwRect aRect( rRect );
+
     //Trigger an action to clear things up if needed.
     //Using this trick we can ensure that all values are valid in all paints -
     //no problems, no special case(s).
@@ -2968,7 +2972,6 @@ void SwRootFrame::PaintSwFrame(vcl::RenderContext& rRenderContext, SwRect const&
             pSh->Imp()->DelRegion();
     }
 
-    SwRect aRect( rRect );
     aRect.Intersection( pSh->VisArea() );
 
     const bool bExtraData = ::IsExtraData( GetFormat()->GetDoc() );