diff options
| author | Michael Stahl <mstahl@redhat.com> | 2016-11-24 14:18:05 +0100 |
|---|---|---|
| committer | Andras Timar <andras.timar@collabora.com> | 2017-02-08 11:56:05 +0100 |
| commit | 60fe056719afb0861c19df2db0aec262d57bedc0 (patch) | |
| tree | 2c269c5209ba6a029a4b6dd60e393ac77e5f535c /sw/source | |
| parent | 21666964420465551b8db827bebca3c1322c89bf (diff) | |
tdf#103788 sw: fix use-after-free in navigator dialog
The problem is that if SwContentTree::HasContentChanged() returns true,
it may have deleted the SwTypeNumber instances that are referenced in
SvTreeListEntry::pUserData, but it has not reset pUserData so those
pointers are now used to acceess deleted objects.
Also it looks like the HasContentChanged() detects additional conditions
that would not cause a modified event from the document but should still
cause a repaint, such as when the user moves the cursor between
headings.
Revert the optimization, it was a stupid idea.
(regression from 329742e6c9da7cd7848d92a6846e3d1249d8d9b4)
(cherry picked from commit cbdf4e007650cfda4f7808402e8e24ae66d45792)
Reviewed-on: https://gerrit.libreoffice.org/31194
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <mstahl@redhat.com>
(cherry picked from commit dbfa3841018672d8af8e9bf1bdb4caf6cdf0ce7d)
Change-Id: Idb5207e896b0638324fc41b7c214536be4ba864b
Reviewed-on: https://gerrit.libreoffice.org/31200
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
(cherry picked from commit 09b714195bc61773c6021a78247478e86ee90d41)
Diffstat (limited to 'sw/source')
| -rw-r--r-- | sw/source/uibase/inc/conttree.hxx | 1 | ||||
| -rw-r--r-- | sw/source/uibase/utlui/content.cxx | 17 |
2 files changed, 2 insertions, 16 deletions
diff --git a/sw/source/uibase/inc/conttree.hxx b/sw/source/uibase/inc/conttree.hxx index ca22dc77a4e4..468a9a254b05 100644 --- a/sw/source/uibase/inc/conttree.hxx +++ b/sw/source/uibase/inc/conttree.hxx @@ -94,7 +94,6 @@ class SwContentTree bool m_bIsOutlineMoveable :1; bool m_bViewHasChanged :1; bool m_bIsImageListInitialized : 1; - bool m_bActiveDocModified :1; static bool bIsInDrag; diff --git a/sw/source/uibase/utlui/content.cxx b/sw/source/uibase/utlui/content.cxx index 7397e097015a..17f2a19c8997 100644 --- a/sw/source/uibase/utlui/content.cxx +++ b/sw/source/uibase/utlui/content.cxx @@ -803,7 +803,6 @@ SwContentTree::SwContentTree(vcl::Window* pParent, const ResId& rResId) , m_bIsOutlineMoveable(true) , m_bViewHasChanged(false) , m_bIsImageListInitialized(false) - , m_bActiveDocModified(false) , m_bIsKeySpace(false) { SetHelpId(HID_NAVIGATOR_TREELIST); @@ -1718,8 +1717,6 @@ void SwContentTree::Display( bool bActive ) sal_Int32 nDelta = pVScroll->GetThumbPos() - nOldScrollPos; ScrollOutputArea( (short)nDelta ); } - - m_bActiveDocModified = false; } void SwContentTree::Clear() @@ -2206,13 +2203,6 @@ void SwContentTree::SetConstantShell(SwWrtShell* pSh) void SwContentTree::Notify(SfxBroadcaster & rBC, SfxHint const& rHint) { - SfxSimpleHint const*const pHint(dynamic_cast<SfxSimpleHint const*>(&rHint)); - if (pHint && SFX_HINT_DOCCHANGED == pHint->GetId()) - { - m_bActiveDocModified = true; - return; - } - SfxViewEventHint const*const pVEHint( dynamic_cast<SfxViewEventHint const*>(&rHint)); SwXTextView* pDyingShell = nullptr; @@ -2425,11 +2415,8 @@ IMPL_LINK_NOARG_TYPED(SwContentTree, TimerUpdate, Timer *, void) else if( (m_bIsActive || (m_bIsConstant && pActShell == GetWrtShell())) && HasContentChanged()) { - if (!m_bIsActive || m_bActiveDocModified) - { // don't burn cpu and redraw and flicker if not modified - FindActiveTypeAndRemoveUserData(); - Display(true); - } + FindActiveTypeAndRemoveUserData(); + Display(true); } } else if(!pView && m_bIsActive && !m_bIsIdleClear) |