forcepoint#102 refetch pPara if it might have been destroyed

by SwTextFly::Relax READ of size 8 at 0x616006d9ab08 thread T0 #0 0x7f5c56a0fbe5 in Size::Height() const include/tools/gen.hxx:213:52 #1 0x7f5c56a0fb98 in Size::getHeight() const include/tools/gen.hxx:219:55 #2 0x7f5c56a040f0 in SwRect::IsEmpty() const sw/inc/swrect.hxx:306:21 #3 0x7f5c56dbb018 in SwRect::HasArea() const sw/inc/swrect.hxx:302:13 #4 0x7f5c58571d04 in SwTextFrame::Prepare(PrepareHint, void const*, bool) sw/source/core/text/txtfrm.cxx:2986:45 0x616006d9ab08 is located 136 bytes inside of 608-byte region [0x616006d9aa80,0x616006d9ace0) freed by thread T0 here: #0 0x4fe1f7 in operator delete(void*) (instdir/program/soffice.bin+0x4fe1f7) #1 0x7f5c584602c5 in SwParaPortion::~SwParaPortion() sw/source/core/text/porlay.cxx:2557:1 #2 0x7f5c5850b997 in std::default_delete<SwParaPortion>::operator()(SwParaPortion*) const /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../include/c++/11/bits/unique_ptr.h:85:2 #3 0x7f5c5850b826 in std::__uniq_ptr_impl<SwParaPortion, std::default_delete<SwParaPortion> >::reset(SwParaPortion*) /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../include/c++/11/bits/unique_ptr.h:182:4 #4 0x7f5c5850b630 in std::unique_ptr<SwParaPortion, std::default_delete<SwParaPortion> >::reset(SwParaPortion*) /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../include/c++/11/bits/unique_ptr.h:456:7 #5 0x7f5c5850960d in SwTextLine::SetPara(SwParaPortion*, bool) sw/source/core/text/txtcache.hxx:45:17 #6 0x7f5c58509e7d in SwTextFrame::ClearPara() sw/source/core/text/txtcache.cxx:113:24 #7 0x7f5c5855606e in SwTextFrame::Init() sw/source/core/text/txtfrm.cxx:758:9 #8 0x7f5c585735c4 in SwTextFrame::Prepare(PrepareHint, void const*, bool) sw/source/core/text/txtfrm.cxx:3090:17 #9 0x7f5c57ecafb4 in lcl_NotifyContent(SdrObject const*, SwContentFrame*, SwRect const&, PrepareHint) sw/source/core/layout/frmtool.cxx:3367:15 #10 0x7f5c57ec968b in Notify_Background(SdrObject const*, SwPageFrame*, SwRect const&, PrepareHint, bool) sw/source/core/layout/frmtool.cxx:3443:9 #11 0x7f5c57958669 in lcl_NotifyBackgroundOfObj(SwDrawContact const&, SdrObject const&, tools::Rectangle const*) sw/source/core/draw/dcontact.cxx:951:13 #12 0x7f5c579556bc in SwDrawContact::Changed_(SdrObject const&, SdrUserCallType, tools::Rectangle const*) sw/source/core/draw/dcontact.cxx:1233:21 #13 0x7f5c57953b8d in SwDrawContact::Changed(SdrObject const&, SdrUserCallType, tools::Rectangle const&) sw/source/core/draw/dcontact.cxx:1009:5 #14 0x7f5c96008baf in SdrObject::SendUserCall(SdrUserCallType, tools::Rectangle const&) const svx/source/svdraw/svdobj.cxx:2767:22 #15 0x7f5c9601befa in SdrObject::Resize(Point const&, Fraction const&, Fraction const&, bool) svx/source/svdraw/svdobj.cxx:1561:5 #16 0x7f5c57da650c in SwAnchoredDrawObject::GetObjBoundRect() const sw/source/core/layout/anchoreddrawobject.cxx:733:22 #17 0x7f5c57dae236 in SwAnchoredObject::GetObjRectWithSpaces() const sw/source/core/layout/anchoredobject.cxx:569:31 #18 0x7f5c5853c39e in SwTextFly::InitAnchoredObjList() sw/source/core/text/txtfly.cxx:900:48 #19 0x7f5c58537b0c in SwTextFly::GetAnchoredObjList() const sw/source/core/inc/txtfly.hxx:311:44 #20 0x7f5c58532a5d in SwTextFly::ForEach(SwRect const&, SwRect*, bool) const sw/source/core/text/txtfly.cxx:1067:56 #21 0x7f5c58533eec in SwTextFly::IsAnyFrame() const sw/source/core/text/txtfly.cxx:405:12 #22 0x7f5c5832ccbe in SwTextFly::Relax() sw/source/core/inc/txtfly.hxx:337:17 #23 0x7f5c58571af5 in SwTextFrame::Prepare(PrepareHint, void const*, bool) sw/source/core/text/txtfrm.cxx:2976:48 Change-Id: Ibd0d4af69d2a8d74ad538afba7da53c864fa27b6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132480 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2022-04-03 17:07:45 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2022-04-03 20:26:05 +0200
commit: f49d218a671df5f7a956ccb219dc46a5c8d0a53c (patch)
tree: 52b78f79c8f5064151d1e46755150ebe921a1020 /sw/source/core/text/txtfrm.cxx
parent: 24eb8731513e5a8b0b761cbd0dabd71ea7038c2d (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/sw/source/core/text/txtfrm.cxx b/sw/source/core/text/txtfrm.cxx
index fec5bf391d31..dafcd98a8561 100644
--- a/sw/source/core/text/txtfrm.cxx
+++ b/sw/source/core/text/txtfrm.cxx
@@ -2973,7 +2973,13 @@ bool SwTextFrame::Prepare( const PrepareHint ePrep, const void* pVoid,
                         if( aTextFly.IsOn() )
                         {
                             // Does any free-flying frame overlap?
-                            bFormat = aTextFly.Relax() || IsUndersized();
+                            const bool bRelaxed = aTextFly.Relax();
+                            bFormat = bRelaxed || IsUndersized();
+                            if (bRelaxed)
+                            {
+                                // It's possible that pPara was deleted above; retrieve it again
+                                pPara = aAccess.GetPara();
+                            }
                         }
                     }
                 }
author	Caolán McNamara <caolanm@redhat.com>	2022-04-03 17:07:45 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2022-04-03 20:26:05 +0200
commit	f49d218a671df5f7a956ccb219dc46a5c8d0a53c (patch)
tree	52b78f79c8f5064151d1e46755150ebe921a1020 /sw/source/core/text/txtfrm.cxx
parent	24eb8731513e5a8b0b761cbd0dabd71ea7038c2d (diff)