diff options
| author | Michael Stahl <mstahl@redhat.com> | 2016-11-24 14:18:05 +0100 |
|---|---|---|
| committer | Michael Stahl <mstahl@redhat.com> | 2016-11-25 13:00:49 +0000 |
| commit | dbfa3841018672d8af8e9bf1bdb4caf6cdf0ce7d (patch) | |
| tree | 32186821ec9fd42d17aa7c748b663ed38c545c7b | |
| parent | 4f8eff151e8ec71eb1a5b6757d9b17d3224d67ca (diff) | |
tdf#103788 sw: fix use-after-free in navigator dialog
The problem is that if SwContentTree::HasContentChanged() returns true,
it may have deleted the SwTypeNumber instances that are referenced in
SvTreeListEntry::pUserData, but it has not reset pUserData so those
pointers are now used to acceess deleted objects.
Also it looks like the HasContentChanged() detects additional conditions
that would not cause a modified event from the document but should still
cause a repaint, such as when the user moves the cursor between
headings.
Revert the optimization, it was a stupid idea.
(regression from 329742e6c9da7cd7848d92a6846e3d1249d8d9b4)
Change-Id: Idb5207e896b0638324fc41b7c214536be4ba864b
(cherry picked from commit cbdf4e007650cfda4f7808402e8e24ae66d45792)
Reviewed-on: https://gerrit.libreoffice.org/31194
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <mstahl@redhat.com>
| -rw-r--r-- | sw/source/uibase/inc/conttree.hxx | 1 | ||||
| -rw-r--r-- | sw/source/uibase/utlui/content.cxx | 16 |
2 files changed, 2 insertions, 15 deletions
diff --git a/sw/source/uibase/inc/conttree.hxx b/sw/source/uibase/inc/conttree.hxx index 525d11fe4fd2..4dd2bf4db31a 100644 --- a/sw/source/uibase/inc/conttree.hxx +++ b/sw/source/uibase/inc/conttree.hxx @@ -96,7 +96,6 @@ class SwContentTree bool m_bIsOutlineMoveable :1; bool m_bViewHasChanged :1; bool m_bIsImageListInitialized : 1; - bool m_bActiveDocModified :1; static bool bIsInDrag; diff --git a/sw/source/uibase/utlui/content.cxx b/sw/source/uibase/utlui/content.cxx index 3ef1c67f0b6e..8493feca71c7 100644 --- a/sw/source/uibase/utlui/content.cxx +++ b/sw/source/uibase/utlui/content.cxx @@ -798,7 +798,6 @@ SwContentTree::SwContentTree(vcl::Window* pParent, SwNavigationPI* pDialog) , m_bIsOutlineMoveable(true) , m_bViewHasChanged(false) , m_bIsImageListInitialized(false) - , m_bActiveDocModified(false) , m_bIsKeySpace(false) { SetHelpId(HID_NAVIGATOR_TREELIST); @@ -1709,8 +1708,6 @@ void SwContentTree::Display( bool bActive ) sal_Int32 nDelta = pVScroll->GetThumbPos() - nOldScrollPos; ScrollOutputArea( (short)nDelta ); } - - m_bActiveDocModified = false; } void SwContentTree::Clear() @@ -2196,12 +2193,6 @@ void SwContentTree::SetConstantShell(SwWrtShell* pSh) void SwContentTree::Notify(SfxBroadcaster & rBC, SfxHint const& rHint) { - if (SFX_HINT_DOCCHANGED == rHint.GetId()) - { - m_bActiveDocModified = true; - return; - } - SfxViewEventHint const*const pVEHint(dynamic_cast<SfxViewEventHint const*>(&rHint)); SwXTextView* pDyingShell = nullptr; if (m_pActiveShell && pVEHint && pVEHint->GetEventName() == "OnViewClosed") @@ -2409,11 +2400,8 @@ IMPL_LINK_NOARG(SwContentTree, TimerUpdate, Timer *, void) else if( (m_bIsActive || (m_bIsConstant && pActShell == GetWrtShell())) && HasContentChanged()) { - if (!m_bIsActive || m_bActiveDocModified) - { // don't burn cpu and redraw and flicker if not modified - FindActiveTypeAndRemoveUserData(); - Display(true); - } + FindActiveTypeAndRemoveUserData(); + Display(true); } } else if(!pView && m_bIsActive && !m_bIsIdleClear) |