diff options
author | Michael Stahl <mstahl@redhat.com> | 2016-11-24 14:18:05 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-28 11:22:21 +0000 |
commit | 09b714195bc61773c6021a78247478e86ee90d41 (patch) | |
tree | 43eccf304b9aab933885cad5224d3519ede06edd | |
parent | 32395df104106743e5599f14b19a9a887c1a78ec (diff) |
tdf#103788 sw: fix use-after-free in navigator dialog
The problem is that if SwContentTree::HasContentChanged() returns true,
it may have deleted the SwTypeNumber instances that are referenced in
SvTreeListEntry::pUserData, but it has not reset pUserData so those
pointers are now used to acceess deleted objects.
Also it looks like the HasContentChanged() detects additional conditions
that would not cause a modified event from the document but should still
cause a repaint, such as when the user moves the cursor between
headings.
Revert the optimization, it was a stupid idea.
(regression from 329742e6c9da7cd7848d92a6846e3d1249d8d9b4)
(cherry picked from commit cbdf4e007650cfda4f7808402e8e24ae66d45792)
Reviewed-on: https://gerrit.libreoffice.org/31194
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <mstahl@redhat.com>
(cherry picked from commit dbfa3841018672d8af8e9bf1bdb4caf6cdf0ce7d)
Change-Id: Idb5207e896b0638324fc41b7c214536be4ba864b
Reviewed-on: https://gerrit.libreoffice.org/31200
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
-rw-r--r-- | sw/source/uibase/inc/conttree.hxx | 1 | ||||
-rw-r--r-- | sw/source/uibase/utlui/content.cxx | 17 |
2 files changed, 2 insertions, 16 deletions
diff --git a/sw/source/uibase/inc/conttree.hxx b/sw/source/uibase/inc/conttree.hxx index e496137bf292..ddaf387e5d9c 100644 --- a/sw/source/uibase/inc/conttree.hxx +++ b/sw/source/uibase/inc/conttree.hxx @@ -95,7 +95,6 @@ class SwContentTree bool m_bIsOutlineMoveable :1; bool m_bViewHasChanged :1; bool m_bIsImageListInitialized : 1; - bool m_bActiveDocModified :1; static bool bIsInDrag; diff --git a/sw/source/uibase/utlui/content.cxx b/sw/source/uibase/utlui/content.cxx index 309304e2350b..84c6f1b7299d 100644 --- a/sw/source/uibase/utlui/content.cxx +++ b/sw/source/uibase/utlui/content.cxx @@ -803,7 +803,6 @@ SwContentTree::SwContentTree(vcl::Window* pParent, const ResId& rResId) , m_bIsOutlineMoveable(true) , m_bViewHasChanged(false) , m_bIsImageListInitialized(false) - , m_bActiveDocModified(false) , m_bIsKeySpace(false) { SetHelpId(HID_NAVIGATOR_TREELIST); @@ -1718,8 +1717,6 @@ void SwContentTree::Display( bool bActive ) sal_Int32 nDelta = pVScroll->GetThumbPos() - nOldScrollPos; ScrollOutputArea( (short)nDelta ); } - - m_bActiveDocModified = false; } void SwContentTree::Clear() @@ -2204,13 +2201,6 @@ void SwContentTree::SetConstantShell(SwWrtShell* pSh) void SwContentTree::Notify(SfxBroadcaster & rBC, SfxHint const& rHint) { - SfxSimpleHint const*const pHint(dynamic_cast<SfxSimpleHint const*>(&rHint)); - if (pHint && SFX_HINT_DOCCHANGED == pHint->GetId()) - { - m_bActiveDocModified = true; - return; - } - SfxViewEventHint const*const pVEHint( dynamic_cast<SfxViewEventHint const*>(&rHint)); SwXTextView* pDyingShell = nullptr; @@ -2423,11 +2413,8 @@ IMPL_LINK_NOARG_TYPED(SwContentTree, TimerUpdate, Timer *, void) else if( (m_bIsActive || (m_bIsConstant && pActShell == GetWrtShell())) && HasContentChanged()) { - if (!m_bIsActive || m_bActiveDocModified) - { // don't burn cpu and redraw and flicker if not modified - FindActiveTypeAndRemoveUserData(); - Display(true); - } + FindActiveTypeAndRemoveUserData(); + Display(true); } } else if(!pView && m_bIsActive && !m_bIsIdleClear) |