svx: fix double-free if SvxShape of SwDrawVirtObj is disposed

First SvxShape::dispose() deletes it, then ~SwDrawFrameFormat() via
~SwDrawContact() calls SwDrawContact::RemoveAllVirtObjs() and deletes it
again.

Back in 2009, CWS dba32 (60698c8a619f219129dbeac7da1f962f3fa63f6a)
added this OSL_ENSURE, let's actually try to fix this now.

Change-Id: I5c391aa425aa75fb87cecccbf9e41c9f90196f9f

1 files changed, 4 insertions, 5 deletions

diff --git a/svx/source/unodraw/unoshape.cxx b/svx/source/unodraw/unoshape.cxx
index 3f07f5ab9a82..20b308e697e7 100644
--- a/svx/source/unodraw/unoshape.cxx
+++ b/svx/source/unodraw/unoshape.cxx
@@ -1316,10 +1316,6 @@ void SAL_CALL SvxShape::dispose()
 
         if ( pObject->IsInserted() && pObject->getSdrPageFromSdrObject() )
         {
-            OSL_ENSURE( HasSdrObjectOwnership(), "SvxShape::dispose: is the below code correct?" );
-                // normally, we are allowed to free the SdrObject only if we have its ownership.
-                // Why isn't this checked here?
-
             SdrPage* pPage = pObject->getSdrPageFromSdrObject();
             // delete the SdrObject from the page
             const size_t nCount = pPage->GetObjCount();
@@ -1328,7 +1324,10 @@ void SAL_CALL SvxShape::dispose()
                 if ( pPage->GetObj( nNum ) == pObject )
                 {
                     OSL_VERIFY( pPage->RemoveObject( nNum ) == pObject );
-                    bFreeSdrObject = true;
+                    if (HasSdrObjectOwnership())
+                    {
+                        bFreeSdrObject = true;
+                    }
                     break;
                 }
             }