authorMiklos Vajna <vmiklos@collabora.com>2020-09-30 16:48:27 +0200
committerMiklos Vajna <vmiklos@collabora.com>2021-03-31 08:35:48 +0200
commitb7812468120c8618c62ef8cfbf061528f55e4da3 (patch)
tree1f2603ad109cacdd96644ca8feaa0b2f8183a1c0 /sw
parent833de9c3dbf52adaa2e62d0e5f624dce9ec0113d (diff)
sw: fix heap-use-after-free in the UnoActionContext dtor
When lockControllers() is followed by close() + dispose(), but with no matching unlock first: ==8514==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190002d1b58 at pc 0x7f48b13f5b85 bp 0x7fff557d98c0 sp 0x7fff557d98b8 ... #3 0x7f48b138beca in SwDoc::getIDocumentLayoutAccess() /sw/source/core/doc/doc.cxx:412:12 #4 0x7f48b58db224 in UnoActionContext::~UnoActionContext() /sw/source/core/unocore/unoobj2.cxx:200:49 ... #15 0x7f48b841c484 in SwXTextDocument::~SwXTextDocument() /sw/source/uibase/uno/unotxdoc.cxx:439:1 freed by thread T0 here: #1 0x7f48b1388a26 in SwDoc::release() /sw/source/core/doc/doc.cxx:118:9 ... #17 0x7f48d15a40e5 in SfxBaseModel::dispose() /sfx2/source/doc/sfxbasemodel.cxx:755:13 #18 0x7f48b8429a48 in SwXTextDocument::dispose() /sw/source/uibase/uno/unotxdoc.cxx:586:19 (cherry picked from commit e08afec61aef62dd4f949ca7e1ffcc70d437e525) Change-Id: I39bf65e43c12ce5ee49bdedeb1673b934ca21106
Diffstat (limited to 'sw')
-rw-r--r--sw/CppunitTest_sw_uibase_uno.mk74
-rw-r--r--sw/Module_sw.mk1
-rw-r--r--sw/qa/uibase/uno/uno.cxx36
-rw-r--r--sw/source/uibase/uno/unotxdoc.cxx4
4 files changed, 115 insertions, 0 deletions
diff --git a/sw/CppunitTest_sw_uibase_uno.mk b/sw/CppunitTest_sw_uibase_uno.mk
new file mode 100644
index 000000000000..36c54d04db33
--- /dev/null
+++ b/sw/CppunitTest_sw_uibase_uno.mk
@@ -0,0 +1,74 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#*************************************************************************
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+#*************************************************************************
+
+$(eval $(call gb_CppunitTest_CppunitTest,sw_uibase_uno))
+
+$(eval $(call gb_CppunitTest_use_common_precompiled_header,sw_uibase_uno))
+
+$(eval $(call gb_CppunitTest_add_exception_objects,sw_uibase_uno, \
+ sw/qa/uibase/uno/uno \
+))
+
+$(eval $(call gb_CppunitTest_use_libraries,sw_uibase_uno, \
+ comphelper \
+ cppu \
+ cppuhelper \
+ editeng \
+ sal \
+ sfx \
+ svl \
+ svx \
+ svxcore \
+ sw \
+ swqahelper \
+ test \
+ unotest \
+ utl \
+ vcl \
+))
+
+$(eval $(call gb_CppunitTest_use_externals,sw_uibase_uno,\
+ boost_headers \
+ libxml2 \
+))
+
+$(eval $(call gb_CppunitTest_set_include,sw_uibase_uno,\
+ -I$(SRCDIR)/sw/inc \
+ -I$(SRCDIR)/sw/source/core/inc \
+ -I$(SRCDIR)/sw/source/uibase/inc \
+ -I$(SRCDIR)/sw/qa/inc \
+ $$(INCLUDE) \
+))
+
+$(eval $(call gb_CppunitTest_use_api,sw_uibase_uno,\
+ udkapi \
+ offapi \
+ oovbaapi \
+))
+
+$(eval $(call gb_CppunitTest_use_ure,sw_uibase_uno))
+$(eval $(call gb_CppunitTest_use_vcl,sw_uibase_uno))
+
+$(eval $(call gb_CppunitTest_use_rdb,sw_uibase_uno,services))
+
+$(eval $(call gb_CppunitTest_use_custom_headers,sw_uibase_uno,\
+ officecfg/registry \
+))
+
+$(eval $(call gb_CppunitTest_use_configuration,sw_uibase_uno))
+
+$(eval $(call gb_CppunitTest_use_uiconfigs,sw_uibase_uno, \
+ modules/swriter \
+))
+
+$(eval $(call gb_CppunitTest_use_more_fonts,sw_uibase_uno))
+
+# vim: set noet sw=4 ts=4:
diff --git a/sw/Module_sw.mk b/sw/Module_sw.mk
index 653f97335f92..723c26f53e40 100644
--- a/sw/Module_sw.mk
+++ b/sw/Module_sw.mk
@@ -111,6 +111,7 @@ $(eval $(call gb_Module_add_slowcheck_targets,sw,\
CppunitTest_sw_uibase_shells \
CppunitTest_sw_uibase_dochdl \
CppunitTest_sw_uibase_frmdlg \
+ CppunitTest_sw_uibase_uno \
CppunitTest_sw_core_accessibilitycheck \
CppunitTest_sw_core_layout \
CppunitTest_sw_core_frmedt \
diff --git a/sw/qa/uibase/uno/uno.cxx b/sw/qa/uibase/uno/uno.cxx
new file mode 100644
index 000000000000..23c1829ab7de
--- /dev/null
+++ b/sw/qa/uibase/uno/uno.cxx
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include <swmodeltestbase.hxx>
+
+#include <com/sun/star/util/XCloseable.hpp>
+
+/// Covers sw/source/uibase/uno/ fixes.
+class SwUibaseUnoTest : public SwModelTestBase
+{
+};
+
+CPPUNIT_TEST_FIXTURE(SwUibaseUnoTest, testLockControllers)
+{
+ mxComponent = loadFromDesktop("private:factory/swriter", "com.sun.star.text.TextDocument");
+ {
+ uno::Reference<frame::XModel> xModel(mxComponent, uno::UNO_QUERY_THROW);
+ xModel->lockControllers();
+ }
+ {
+ uno::Reference<util::XCloseable> xCloseable(mxComponent, uno::UNO_QUERY_THROW);
+ xCloseable->close(false);
+ }
+ // Without the accompanying fix in place, this test would have crashed.
+ mxComponent.clear();
+}
+
+CPPUNIT_PLUGIN_IMPLEMENT();
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
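Review bot: testLockControllers contains no assertion, so it only fails when the stale access in the UnoActionContext destructor actually brings the process down at `mxComponent.clear();`. In a build without AddressSanitizer a read of freed heap memory often does not fault, so the test could pass against unfixed code. The comment should say what kind of failure is expected and that the missing unlock is intentional, for example `// Without the accompanying fix in place, this would be a heap-use-after-free in ~UnoActionContext (reliably caught only in ASan builds); lockControllers() is deliberately left without a matching unlockControllers().`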
diff --git a/sw/source/uibase/uno/unotxdoc.cxx b/sw/source/uibase/uno/unotxdoc.cxx
index b65386a7c392..63a5a86941e7 100644
--- a/sw/source/uibase/uno/unotxdoc.cxx
+++ b/sw/source/uibase/uno/unotxdoc.cxx
@@ -583,6 +583,10 @@ void SwXTextDocument::disconnectController(const Reference< frame::XController >
void SwXTextDocument::dispose()
{
+ // Delete UnoActionContexts before deleting the SwDoc, as the first has unowned pointers to the
+ // second.
+ maActionArr.clear();
+
SfxBaseModel::dispose();
}
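Review bot: No lock is taken in the visible body of dispose() before `maActionArr.clear();`, although that call runs every ~UnoActionContext, which per the trace in the commit message reaches SwDoc::getIDocumentLayoutAccess(). If dispose() can be entered without the solar mutex held (this hunk does not show it), the clear can run concurrently with whatever fills or drains the same array, presumably lockControllers()/unlockControllers(), and the destructors would touch the layout unguarded. Consider placing `SolarMutexGuard aGuard;` ahead of the clear, or extend the new comment to state that callers already hold the mutex.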