tdf#134626 sw: fix UBSan warning about deleted SwTextFormatColl

sw/source/core/txtnode/ndtxt.cxx:5254:17: runtime error: downcast of address 0x612000a321c0 which does not point to an object of type 'const SwTextFormatColl'
0x612000a321c0: note: object is of type 'SwFormat'
00 00 00 00  50 4c 3c fa bb 7f 00 00  80 b8 ba 05 50 61 00 00  c0 81 5f 02 20 61 00 00  c0 b6 b0 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'SwFormat'
0 in SwTextNode::TriggerNodeUpdate(sw::LegacyModifyHint const&) at sw/source/core/txtnode/ndtxt.cxx:5254:17
1 in SwTextNode::SwClientNotify(SwModify const&, SfxHint const&) at sw/source/core/txtnode/ndtxt.cxx:5306:9
2 in SwClient::SwClientNotifyCall(SwModify const&, SfxHint const&) at sw/inc/calbck.hxx:161:80
3 in SwFormat::~SwFormat() at sw/source/core/attr/format.cxx:240:22
4 in SwFormatColl::~SwFormatColl() at sw/inc/fmtcol.hxx:35:26
5 in SwTextFormatColl::~SwTextFormatColl() at sw/inc/fmtcol.hxx:56:20
6 in SwTextFormatColl::~SwTextFormatColl() at sw/inc/fmtcol.hxx:56:20
7 in SwDoc::DelTextFormatColl(unsigned long, bool) at sw/source/core/doc/docfmt.cxx:983:5
8 in SwDoc::DelTextFormatColl(SwTextFormatColl const*, bool) at sw/source/core/doc/docfmt.cxx:991:5
9 in SwUndoTextFormatCollCreate::Delete() at sw/source/core/undo/SwUndoFmt.cxx:203:12
10 in SwUndoFormatCreate::UndoImpl(sw::UndoRedoContext&) at sw/source/core/undo/SwUndoFmt.cxx:61:9
11 in SwUndo::UndoWithContext(SfxUndoContext&) at sw/source/core/undo/undobj.cxx:235:5

Any SwUndoFormatCreate that is added during CopyImplImpl() must go before
SwUndoCopyDoc on the undo stack.

SwNodes::CopyNodes() is pretty much the only thing of substance there
that runs with Undo enabled; CopyBookmarks() and lcl_DeleteRedlines()
and CopyFlyInFlyImpl() have it disabled.

Let's see if the fix is really this simple...

Change-Id: I4d586923f91a02861e9a4bd40d22701ceb0a0499
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107522
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@cib.de>

2 files changed, 4 insertions, 1 deletions

diff --git a/sw/source/core/doc/DocumentContentOperationsManager.cxx b/sw/source/core/doc/DocumentContentOperationsManager.cxx
index 4d140fcd5b00..ea18f8717509 100644
--- a/sw/source/core/doc/DocumentContentOperationsManager.cxx
+++ b/sw/source/core/doc/DocumentContentOperationsManager.cxx
@@ -4725,7 +4725,6 @@ bool DocumentContentOperationsManager::CopyImplImpl(SwPaM& rPam, SwPosition& rPo
     if (rDoc.GetIDocumentUndoRedo().DoesUndo())
     {
         pUndo = new SwUndoCpyDoc(*pCopyPam);
-        rDoc.GetIDocumentUndoRedo().AppendUndo( std::unique_ptr<SwUndo>(pUndo) );
         pFlysAtInsPos = pUndo->GetFlysAnchoredAt();
     }
     else
@@ -5152,6 +5151,8 @@ bool DocumentContentOperationsManager::CopyImplImpl(SwPaM& rPam, SwPosition& rPo
     // If Undo is enabled, store the inserted area
     if (rDoc.GetIDocumentUndoRedo().DoesUndo())
     {
+        // append it after styles have been copied when copying nodes
+        rDoc.GetIDocumentUndoRedo().AppendUndo( std::unique_ptr<SwUndo>(pUndo) );
         pUndo->SetInsertRange(*pCopyPam, true, nDeleteTextNodes);
     }
 
diff --git a/sw/source/core/txtnode/ndtxt.cxx b/sw/source/core/txtnode/ndtxt.cxx
index 4172d573e39d..a41c9bc19b7e 100644
--- a/sw/source/core/txtnode/ndtxt.cxx
+++ b/sw/source/core/txtnode/ndtxt.cxx
@@ -5248,6 +5248,8 @@ void SwTextNode::TriggerNodeUpdate(const sw::LegacyModifyHint& rHint)
             && GetRegisteredIn() == static_cast<const SwFormatChg*>(pNewValue)->pChangedFormat
             && GetNodes().IsDocNodes() )
     {
+        assert(dynamic_cast<SwTextFormatColl const*>(static_cast<const SwFormatChg*>(pOldValue)->pChangedFormat));
+        assert(dynamic_cast<SwTextFormatColl const*>(static_cast<const SwFormatChg*>(pNewValue)->pChangedFormat));
         ChgTextCollUpdateNum(
                 static_cast<const SwTextFormatColl*>(static_cast<const SwFormatChg*>(pOldValue)->pChangedFormat),
                 static_cast<const SwTextFormatColl*>(static_cast<const SwFormatChg*>(pNewValue)->pChangedFormat) );