diff options
| author | Stephan Bergmann <sbergman@redhat.com> | 2018-03-21 18:01:50 +0100 |
|---|---|---|
| committer | Stephan Bergmann <sbergman@redhat.com> | 2018-03-21 18:01:50 +0100 |
| commit | c75705b2306d3fd41e71eb4613773b62bdaa9ca5 (patch) | |
| tree | d90a8ca20d34477bc368acc78d6a60498dab7e74 | |
| parent | fb29b8262488d045a926504725669a362bacb5bb (diff) | |
Fix lifetime of referenced-by-reference EnhancedCustomShape2d
...that is created as argument to
EnhancedCustomShape::FunctionParser::parseFunction (and referenced from data
reachable from aExpressNode), but still referenced during following
aExpressNode->fillNode call. Reintroduce the aCustoShape2d variable that had
been removed with 86c4672f4600daf19238ef25377406f445d9453a "OperationSmiley:
Secured quite some places using CustomShape", causing the regression that in
UBSan builds e.g. CppunitTest_sc_subsequent_export_test would fail with
> /svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx:261:57: runtime error: member call on address 0x2b1295491180 which does not point to an object of type 'EnhancedCustomShape2d'
> 0x2b1295491180: note: object is of type 'SfxItemSet'
> 1a 04 00 01 10 99 42 cb 12 2b 00 00 10 2d 8f 00 40 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ^~~~~~~~~~~~~~~~~~~~~~~
> vptr for 'SfxItemSet'
> #0 0x2b131efeb12d in (anonymous namespace)::EnumValueExpression::fillNode(std::__debug::vector<EnhancedCustomShapeEquation, std::allocator<EnhancedCustomShapeEquation> >&, EnhancedCustomShape::ExpressionNode*, unsigned int) /svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx:261:57
> #1 0x2b131f01f061 in (anonymous namespace)::BinaryFunctionExpression::fillNode(std::__debug::vector<EnhancedCustomShapeEquation, std::allocator<EnhancedCustomShapeEquation> >&, EnhancedCustomShape::ExpressionNode*, unsigned int) /svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx:632:40
> #2 0x2b12e0915a5c in ConvertEnhancedCustomShapeEquation(SdrObjCustomShape const&, std::__debug::vector<EnhancedCustomShapeEquation, std::allocator<EnhancedCustomShapeEquation> >&, std::__debug::vector<int, std::allocator<int> >&) /filter/source/msfilter/escherex.cxx:2426:62
[...]
when accessing the already-dead EnhancedCustomShape2d object.
Change-Id: I8f3e598f81e8e01e2505483437025ddd4cee2ec9
| -rw-r--r-- | filter/source/msfilter/escherex.cxx | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/filter/source/msfilter/escherex.cxx b/filter/source/msfilter/escherex.cxx index 57b18c443f15..0eb9efe66e86 100644 --- a/filter/source/msfilter/escherex.cxx +++ b/filter/source/msfilter/escherex.cxx @@ -2416,12 +2416,13 @@ void ConvertEnhancedCustomShapeEquation( sal_Int32 i; for ( i = 0; i < nEquationSourceCount; i++ ) { + EnhancedCustomShape2d aCustoShape2d( + const_cast< SdrObjCustomShape& >(rSdrObjCustomShape)); try { std::shared_ptr< EnhancedCustomShape::ExpressionNode > aExpressNode( EnhancedCustomShape::FunctionParser::parseFunction( - sEquationSource[ i ], - const_cast< SdrObjCustomShape& >(rSdrObjCustomShape))); + sEquationSource[ i ], aCustoShape2d)); drawing::EnhancedCustomShapeParameter aPara( aExpressNode->fillNode( rEquations, nullptr, 0 ) ); if ( aPara.Type != drawing::EnhancedCustomShapeParameterType::EQUATION ) { |