diff options
| author | Michael Stahl <michael.stahl@allotropia.de> | 2022-05-22 14:50:55 +0200 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2022-05-24 09:57:54 +0200 |
| commit | 4dcc03681395a894adb0179045fc4be2339a1f10 (patch) | |
| tree | 61d20a3a9f9dbc7a4ec651586a7b06c2a59d1c94 | |
| parent | 27ff58ddd6e48d9247f8befb16d1ca8ddddcb750 (diff) | |
starmath: fix real use-after-free detected by GCC 12
In file included from starmath/inc/mathml/iterator.hxx:12,
from starmath/source/mathml/iterator.cxx:10:
In member function ‘SmMlElement* SmMlElement::getParentElement()’,
inlined from ‘void mathml::SmMlIteratorBottomToTop(SmMlElement*, runType, void*) [with runType = void (*)(SmMlElement*, void*)]’ at starmath/inc/mathml/iterator.hxx:43:39,
inlined from ‘void mathml::SmMlIteratorFree(SmMlElement*)’ at starmath/source/mathml/iterator.cxx:57:28:
starmath/inc/mathml/element.hxx:263:46: error: pointer ‘pCurrent’ used after ‘void operator delete(void*, std::size_t)’ [-Werror=use-after-free]
263 | SmMlElement* getParentElement() { return m_aParentElement; };
| ^~~~~~~~~~~~~~~~
In function ‘void mathml::deleteElement(SmMlElement*, void*)’,
inlined from ‘void mathml::deleteElement(SmMlElement*, void*)’ at starmath/source/mathml/iterator.cxx:19:20,
inlined from ‘void mathml::SmMlIteratorBottomToTop(SmMlElement*, runType, void*) [with runType = void (*)(SmMlElement*, void*)]’ at starmath/inc/mathml/iterator.hxx:65:21,
inlined from ‘void mathml::SmMlIteratorFree(SmMlElement*)’ at starmath/source/mathml/iterator.cxx:57:28:
starmath/source/mathml/iterator.cxx:19:77: note: call to ‘void operator delete(void*, std::size_t)’ here
19 | static inline void deleteElement(SmMlElement* aSmMlElement, void*) { delete aSmMlElement; }
| ^~~~~~~~~~~~
Change-Id: I09acfe3f7e90bd7f919cfba161f72bdd7a8da70a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134742
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 32c43ee75c094ffe3c34f7a713aa252479515ad0)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134775
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | starmath/source/mathml/iterator.cxx | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/starmath/source/mathml/iterator.cxx b/starmath/source/mathml/iterator.cxx index 481ff799689c..489cbe8ebc05 100644 --- a/starmath/source/mathml/iterator.cxx +++ b/starmath/source/mathml/iterator.cxx @@ -56,7 +56,11 @@ void SmMlIteratorFree(SmMlElement* pMlElementTree) { if (pMlElementTree == nullptr) return; - SmMlIteratorBottomToTop(pMlElementTree, deleteElement, nullptr); + for (size_t i = 0; i < pMlElementTree->getSubElementsCount(); ++i) + { + SmMlIteratorFree(pMlElementTree->getSubElement(i)); + } + deleteElement(pMlElementTree, nullptr); } SmMlElement* SmMlIteratorCopy(SmMlElement* pMlElementTree) |