sw: fix use after free on tdf117215-1.odt

Move the fix from 6d0ea082889c89eb8b408779f2de08da7441ff54 to
SwFlyFrame::DestroyImpl() so we unregister every SwFlyFrame.

==1550==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000383f56 at pc 0x7efcd70d5ab9 bp 0x7ffeb7ac7c40 sp 0x7ffeb7ac7c38
WRITE of size 1 at 0x615000383f56 thread T0
    0 SwAnchoredObject::SetTmpConsiderWrapInfluence(bool) sw/source/core/layout/anchoredobject.cxx:743:32
    1 SwObjsMarkedAsTmpConsiderWrapInfluence::Clear() sw/source/core/layout/objstmpconsiderwrapinfl.cxx:53:23
    2 SwLayouter::ClearObjsTmpConsiderWrapInfluence(SwDoc const&) sw/source/core/layout/layouter.cxx:387:84
    3 sw::DocumentLayoutManager::ClearSwLayouterEntries() sw/source/core/doc/DocumentLayoutManager.cxx:497:5
    4 sw::DocumentStateManager::SetModified() sw/source/core/doc/DocumentStateManager.cxx:45:39
    5 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3942:36

0x615000383f56 is located 342 bytes inside of 504-byte region [0x615000383e00,0x615000383ff8)
freed by thread T0 here:
    1 SwFlyAtContentFrame::~SwFlyAtContentFrame() sw/source/core/inc/flyfrms.hxx:159:7
    2 SwFrame::DestroyFrame(SwFrame*) sw/source/core/layout/ssfrm.cxx:389:9
    3 SwFrameFormat::DelFrames() sw/source/core/layout/atrfrm.cxx:2624:17
    4 SwUndoFlyBase::DelFly(SwDoc*) sw/source/core/undo/undobj1.cxx:161:19
    5 SwUndoDelLayFormat::SwUndoDelLayFormat(SwFrameFormat*) sw/source/core/undo/undobj1.cxx:403:5
    6 SwHistoryTextFlyCnt::SwHistoryTextFlyCnt(SwFrameFormat*) sw/source/core/undo/rolbck.cxx:538:20
    7 SwHistory::Add(SwFlyFrameFormat&, unsigned short&) sw/source/core/undo/rolbck.cxx:1083:50
    8 SwUndoSaveContent::DelContentIndex(SwPosition const&, SwPosition const&, DelContentType) sw/source/core/undo/undobj.cxx:1020:39
    9 SwUndoDelete::SwUndoDelete(SwPaM&, bool, bool) sw/source/core/undo/undel.cxx:229:9
    11 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3939:55

Change-Id: Ia0c28c9d5792615cbb566e502374efd0f4056daf
Reviewed-on: https://gerrit.libreoffice.org/75857
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
(cherry picked from commit dea72ef111ee8a0b1b178f8cd48757514d5ca831)
Reviewed-on: https://gerrit.libreoffice.org/75941
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 4b9324b93dcbd72c8c8949309d45790dd8f7d5fd)
Reviewed-on: https://gerrit.libreoffice.org/76306
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>

2 files changed, 3 insertions, 1 deletions

diff --git a/sw/source/core/layout/fly.cxx b/sw/source/core/layout/fly.cxx
index 74a2f6201e4b..f23e95acdcde 100644
--- a/sw/source/core/layout/fly.cxx
+++ b/sw/source/core/layout/fly.cxx
@@ -265,6 +265,8 @@ void SwFlyFrame::DestroyImpl()
 
     if( GetFormat() && !GetFormat()->GetDoc()->IsInDtor() )
     {
+        ClearTmpConsiderWrapInfluence(); // remove this from SwLayouter
+
         // OD 2004-01-19 #110582#
         Unchain();
 
diff --git a/sw/source/core/layout/ssfrm.cxx b/sw/source/core/layout/ssfrm.cxx
index 9506b8dd13b4..68a8a422cbc7 100644
--- a/sw/source/core/layout/ssfrm.cxx
+++ b/sw/source/core/layout/ssfrm.cxx
@@ -493,7 +493,6 @@ void SwLayoutFrame::DestroyImpl()
                 const size_t nCnt = pFrame->GetDrawObjs()->size();
                 // #i28701#
                 SwAnchoredObject* pAnchoredObj = (*pFrame->GetDrawObjs())[0];
-                pAnchoredObj->ClearTmpConsiderWrapInfluence();
                 if (SwFlyFrame* pFlyFrame = dynamic_cast<SwFlyFrame*>(pAnchoredObj))
                 {
                     SwFrame::DestroyFrame(pFlyFrame);
@@ -501,6 +500,7 @@ void SwLayoutFrame::DestroyImpl()
                 }
                 else
                 {
+                    pAnchoredObj->ClearTmpConsiderWrapInfluence();
                     SdrObject* pSdrObj = pAnchoredObj->DrawObj();
                     SwDrawContact* pContact =
                             static_cast<SwDrawContact*>(pSdrObj->GetUserCall());