From ee8c90c469c2caeca24a9621847ec796d011f3bf Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Wed, 24 Apr 2019 20:36:50 +0100
Subject: ubsan: use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: I1a3396d434f6cc5bb615bcb2fe06a819bc11c013
Reviewed-on: https://gerrit.libreoffice.org/71256
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
Tested-by: Caolán McNamara
---
 sw/source/core/inc/frame.hxx | 15 ++-------------
 sw/source/core/layout/ssfrm.cxx | 30 +++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 14 deletions(-)
(limited to 'sw/source')
diff --git a/sw/source/core/inc/frame.hxx b/sw/source/core/inc/frame.hxx
index 6e0d653690c4..ab1047d0348f 100644
--- a/sw/source/core/inc/frame.hxx
+++ b/sw/source/core/inc/frame.hxx
@@ -1237,19 +1237,8 @@ public:
 //Flag pFrame for SwFrameDeleteGuard lifetime that we shouldn't delete
 //it in e.g. SwSectionFrame::MergeNext etc because we will need it
 //again after the SwFrameDeleteGuard dtor
- explicit SwFrameDeleteGuard(SwFrame* pFrame)
- : m_pForbidFrame((pFrame && !pFrame->IsDeleteForbidden()) ?
- pFrame : nullptr)
- {
- if (m_pForbidFrame)
- m_pForbidFrame->ForbidDelete();
- }
-
- ~SwFrameDeleteGuard()
- {
- if (m_pForbidFrame)
- m_pForbidFrame->AllowDelete();
- }
+ explicit SwFrameDeleteGuard(SwFrame* pFrame);
+ ~SwFrameDeleteGuard();
 };
 typedef long (SwFrame:: *SwFrameGet)() const;
diff --git a/sw/source/core/layout/ssfrm.cxx b/sw/source/core/layout/ssfrm.cxx
index 741b942c6850..9e496a1bd2ec 100644
--- a/sw/source/core/layout/ssfrm.cxx
+++ b/sw/source/core/layout/ssfrm.cxx
@@ -468,6 +468,33 @@ void SwTextFrame::RegisterToNode(SwTextNode & rNode, bool const isForceNodeAsFir
 }
 }
+//Flag pFrame for SwFrameDeleteGuard lifetime that we shouldn't delete
+//it in e.g. SwSectionFrame::MergeNext etc because we will need it
+//again after the SwFrameDeleteGuard dtor
+SwFrameDeleteGuard::SwFrameDeleteGuard(SwFrame* pFrame)
+ : m_pForbidFrame((pFrame && !pFrame->IsDeleteForbidden()) ? pFrame : nullptr)
+{
+ if (m_pForbidFrame)
+ {
+ m_pForbidFrame->ForbidDelete();
+ }
+}
+
+SwFrameDeleteGuard::~SwFrameDeleteGuard()
+{
+ if (m_pForbidFrame)
+ {
+ const bool bLogicErrorThrown = !m_pForbidFrame->IsDeleteForbidden();
+ if (bLogicErrorThrown)
+ {
+ // see testForcepoint80
+ SwFrame::DestroyFrame(m_pForbidFrame);
+ return;
+ }
+ m_pForbidFrame->AllowDelete();
+ }
+}
+
 void SwLayoutFrame::DestroyImpl()
 {
 while (!m_VertPosOrientFramesFor.empty())
@@ -527,7 +554,8 @@ void SwLayoutFrame::DestroyImpl()
 pFrame->AllowDelete();
 bFatalError = true;
 }
- SwFrame::DestroyFrame(pFrame);
+ else
+ SwFrame::DestroyFrame(pFrame);
 pFrame = m_pLower;
 }
-- cgit v1.2.3
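Review bot: In `SwFrameDeleteGuard::~SwFrameDeleteGuard()` the guard frees the frame solely because the forbid flag it set has been cleared, and `bLogicErrorThrown` names a cause the destructor cannot observe. Any other caller that invokes `AllowDelete()` on the guarded frame while the guard is alive would make the guard destroy it too, which risks a double free if that caller also destroys the frame. The hand-off deserves a comment such as `// DestroyImpl cleared our flag and skipped DestroyFrame: the guard now owns the frame and must free it`, and a neutral name like `bOwnershipPassed`. The destructor still dereferences `m_pForbidFrame`, so it is only safe while every deletion path honours `IsDeleteForbidden()`; that invariant belongs in the comment block above the constructor. If `SwFrame::DestroyFrame` can throw, calling it from a destructor that presumably runs during unwinding would terminate the process; that is not visible in this hunk and should be confirmed.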
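Review bot: With the new `else`, a delete-forbidden `pFrame` is no longer destroyed in this loop, so its lifetime now depends on a live `SwFrameDeleteGuard` whose destructor frees it; if the flag was set by a direct `ForbidDelete()` call with no guard, the frame would presumably leak. A comment on the forbidden branch would make the hand-off explicit, e.g. `// not destroyed here: the SwFrameDeleteGuard dtor frees it once it sees the flag cleared`. The unbraced `else` beside a braced `if` is easy to break in a later edit; `else { SwFrame::DestroyFrame(pFrame); }` would match the bracing used in the new guard code. The loop and the rest of `SwLayoutFrame::DestroyImpl` lie outside the hunk, so whether `pFrame = m_pLower` still advances past the surviving frame cannot be checked from here.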