summaryrefslogtreecommitdiff
path: root/sw/source/core
diff options
context:
space:
mode:
authorMiklos Vajna <vmiklos@collabora.com>2020-03-31 15:10:52 +0200
committerMichael Stahl <Michael.Stahl@cib.de>2020-07-29 11:12:25 +0200
commitc73065af2701e6c5bda8e5afc7f40fb5ea760935 (patch)
tree2d243689e2191ae62643d82af8db5daaa0e0313a /sw/source/core
parent01b28395fa06173a7d27221bc9ee469c15f3d675 (diff)
sw: fix use-after-free when moving multiple tables to a previous pagefeature/cib_contract4236b
Regression from commit e4da634b983052f300cd0e9b2bbaa60eb02c1b28 (sw: fix moving more than 20 table frames to a previous page, 2020-03-30), asan found a heap-use-after-free during CppunitTest_sw_ooxmlexport5 CPPUNIT_TEST_NAME=testOldComplexMergeTableInTable, the follow frame is deleted like this: #1 in SwTabFrame::~SwTabFrame() at sw/source/core/layout/tabfrm.cxx:145:1 (instdir/program/libswlo.so +0xec98ba5) #2 in SwFrame::DestroyFrame(SwFrame*) at sw/source/core/layout/ssfrm.cxx:389:9 (instdir/program/libswlo.so +0xec8495f) #3 in SwTabFrame::Join() at sw/source/core/layout/tabfrm.cxx:1390:9 (instdir/program/libswlo.so +0xecb6088) #4 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:1865:9 (instdir/program/libswlo.so +0xecbc1f6) #5 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:370:5 (instdir/program/libswlo.so +0xe519919) #6 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1789:37 (instdir/program/libswlo.so +0xed8424e) #7 in SwLayAction::FormatLayoutTab(SwTabFrame*, bool) at sw/source/core/layout/layact.cxx:1485:15 (instdir/program/libswlo.so +0xe897ea9) Fix the problem by not moving multiple tables to a previous page in one iteration when the table is a follow one. Change-Id: I443240b6153b74d6def97140c516d7cf7a2d35e4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91425 Reviewed-by: Miklos Vajna <vmiklos@collabora.com> Tested-by: Jenkins (cherry picked from commit 10036bd52e094b5c9b02ff5142829f0825a20571) (cherry picked from commit 1aeee2f1dc009f5b2731cc505d323ef9279d416c)
Diffstat (limited to 'sw/source/core')
-rw-r--r--sw/source/core/layout/layact.cxx11
1 files changed, 11 insertions, 0 deletions
diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx
index 27820ca028eb..5c938317c4da 100644
--- a/sw/source/core/layout/layact.cxx
+++ b/sw/source/core/layout/layact.cxx
@@ -1370,6 +1370,17 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa
// page, in which case it looses its next.
pNext = pLow->GetNext();
+ if (pNext && pNext->IsTabFrame())
+ {
+ auto pTab = static_cast<SwTabFrame*>(pNext);
+ if (pTab->IsFollow())
+ {
+ // The next frame is a follow of the previous frame, SwTabFrame::Join() will
+ // delete this one as part of formatting, so forget about it.
+ pNext = nullptr;
+ }
+ }
+
bTabChanged |= FormatLayoutTab( static_cast<SwTabFrame*>(pLow), bAddRect );
--m_nTabLevel;
}