author | Miklos Vajna <vmiklos@collabora.com> | 2020-03-31 15:10:52 +0200 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.com> | 2020-03-31 16:46:10 +0200 |
commit | 10036bd52e094b5c9b02ff5142829f0825a20571 (patch) | |
tree | 48fe0e3c0014a21b2ed89b051f59fb1a691a0d84 | |
parent | 0dd48d1a9a716456ff1ebe67e19881ad2f56939b (diff) |
sw: fix use-after-free when moving multiple tables to a previous page
Regression from commit e4da634b983052f300cd0e9b2bbaa60eb02c1b28 (sw: fix
moving more than 20 table frames to a previous page, 2020-03-30), asan
found a heap-use-after-free during CppunitTest_sw_ooxmlexport5
CPPUNIT_TEST_NAME=testOldComplexMergeTableInTable, the follow frame is
deleted like this:
#1 in SwTabFrame::~SwTabFrame() at sw/source/core/layout/tabfrm.cxx:145:1 (instdir/program/libswlo.so +0xec98ba5)
#2 in SwFrame::DestroyFrame(SwFrame*) at sw/source/core/layout/ssfrm.cxx:389:9 (instdir/program/libswlo.so +0xec8495f)
#3 in SwTabFrame::Join() at sw/source/core/layout/tabfrm.cxx:1390:9 (instdir/program/libswlo.so +0xecb6088)
#4 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:1865:9 (instdir/program/libswlo.so +0xecbc1f6)
#5 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:370:5 (instdir/program/libswlo.so +0xe519919)
#6 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1789:37 (instdir/program/libswlo.so +0xed8424e)
#7 in SwLayAction::FormatLayoutTab(SwTabFrame*, bool) at sw/source/core/layout/layact.cxx:1485:15 (instdir/program/libswlo.so +0xe897ea9)
Fix the problem by not moving multiple tables to a previous page in one
iteration when the table is a follow one.
Change-Id: I443240b6153b74d6def97140c516d7cf7a2d35e4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91425
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins
-rw-r--r-- | sw/source/core/layout/layact.cxx | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx index c4c5dc92c225..bf73d951705a 100644 --- a/sw/source/core/layout/layact.cxx +++ b/sw/source/core/layout/layact.cxx @@ -1370,6 +1370,17 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa // page, in which case it looses its next. pNext = pLow->GetNext(); + if (pNext && pNext->IsTabFrame()) + { + auto pTab = static_cast<SwTabFrame*>(pNext); + if (pTab->IsFollow()) + { + // The next frame is a follow of the previous frame, SwTabFrame::Join() will + // delete this one as part of formatting, so forget about it. + pNext = nullptr; + } + } + bTabChanged |= FormatLayoutTab( static_cast<SwTabFrame*>(pLow), bAddRect ); --m_nTabLevel; } |
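Review bot: the added check in SwLayAction::FormatLayout() tests only pTab->IsFollow(), i.e. that the next frame is a follow of some table, while the comment above it says it is a follow of the previous frame (pLow). Either verify that relation explicitly before clearing pNext, or reword the comment so it matches what the code tests. It would also help to state in the comment that setting pNext = nullptr deliberately gives up on moving further tables in this iteration when a follow is next, as the commit message explains, since a later reader could mistake it for an accidental early stop. The change touches only layact.cxx and adds no test; the commit message names testOldComplexMergeTableInTable under asan as the reproducer, so the comment or commit message should say that this existing test is the intended regression coverage.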