diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2022-05-18 18:25:07 +0200 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2022-05-19 12:10:03 +0200 |
commit | cd733032151e0e06a49680edc180e695f2ca21ee (patch) | |
tree | bdff29236c207e9145071936399ba07d5a052731 | |
parent | 0342c45e2d464b95a5e9ff5267b2a3442fe8f4f0 (diff) |
svx: fix double-free if SvxShape of SwDrawVirtObj is disposed
First SvxShape::dispose() deletes it, then ~SwDrawFrameFormat() via
~SwDrawContact() calls SwDrawContact::RemoveAllVirtObjs() and deletes it
again.
Back in 2009, CWS dba32 (60698c8a619f219129dbeac7da1f962f3fa63f6a)
added this OSL_ENSURE, let's actually try to fix this now.
Change-Id: I5c391aa425aa75fb87cecccbf9e41c9f90196f9f
-rw-r--r-- | svx/source/unodraw/unoshape.cxx | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/svx/source/unodraw/unoshape.cxx b/svx/source/unodraw/unoshape.cxx index 3f07f5ab9a82..20b308e697e7 100644 --- a/svx/source/unodraw/unoshape.cxx +++ b/svx/source/unodraw/unoshape.cxx @@ -1316,10 +1316,6 @@ void SAL_CALL SvxShape::dispose() if ( pObject->IsInserted() && pObject->getSdrPageFromSdrObject() ) { - OSL_ENSURE( HasSdrObjectOwnership(), "SvxShape::dispose: is the below code correct?" ); - // normally, we are allowed to free the SdrObject only if we have its ownership. - // Why isn't this checked here? - SdrPage* pPage = pObject->getSdrPageFromSdrObject(); // delete the SdrObject from the page const size_t nCount = pPage->GetObjCount(); @@ -1328,7 +1324,10 @@ void SAL_CALL SvxShape::dispose() if ( pPage->GetObj( nNum ) == pObject ) { OSL_VERIFY( pPage->RemoveObject( nNum ) == pObject ); - bFreeSdrObject = true; + if (HasSdrObjectOwnership()) + { + bFreeSdrObject = true; + } break; } } |