| author | Michael Stahl <michael.stahl@allotropia.de> | 2021-05-21 12:20:28 +0200 |
|---|---|---|
| committer | Andras Timar <andras.timar@collabora.com> | 2021-05-26 11:49:48 +0200 |
| commit | de8cd48c3f6f18b21a374a1a6cc2325328d493db (patch) | |
| tree | ad51be48d05c735082ad77586d62e7b88b0ccdf1 /chart2 | |
| parent | 72211a4618bddc82c2adcb17b11db98039e8cf11 (diff) | |
sw: layout: fix footnote UAF on tdf132248-3.odt (also, tdf134127-1.odt)
Text frame 12 gets a follow 137 which gets a follow 138, and there's
a footnote at index 95.
When 138 is created, its mnOffset is 63 in SwTextFrame::SplitFrame()
so 138 gets its mbFootnote set and the footnote frame mpReference points
to 138 but then SwTextFrame::FormatAdjust() moves one line back and sets
the offset of 138 to 96.
Then SwTextFrame::CalcFollow() clears 138's mbFootnote due to lack of
footnotes starting from 96.
Later frame 138 is joined, but because its mbFootnote is false, the
footnote's mpReference continues to point to it, which leads to UAF in
SwFootnoteFrame::GetRef().
What's missing is that at the time when the offset of 138 is adjusted,
RemoveFootnote() must be called, as is already the case in another
branch of SwTextFrame::FormatAdjust(), since CVS initial import.
Not sure why this started to crash in crashtesting relatively recently.
Change-Id: Ic46019d34ff90d24d0f23effe8a6d54d6f197a71
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/115910
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 95a716f12a0dacdd5d80a6f3d98eadcc2f079fcf)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/115843
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'chart2')
0 files changed, 0 insertions, 0 deletions
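A simplified C model of the sequence the commit message describes, added here as an illustration and not LibreOffice code: every name below is a hypothetical stand-in for SwTextFrame, mbFootnote, mpReference, FormatAdjust(), CalcFollow() and RemoveFootnote(). The frame's start offset is moved past the footnote, the flag is recomputed from the new range, and the frame is joined; without the unregister step the footnote's back-reference still points at the freed frame, with it the reference is cleared first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of the frames in the commit message. */
typedef struct Frame Frame;
typedef struct { Frame *ref; } Footnote;          /* stands in for mpReference */
struct Frame { int offset; bool has_footnote; Footnote *fn; };

static const int FOOTNOTE_INDEX = 95;             /* the footnote at index 95 */

/* Register the footnote with the frame whose range covers it. */
static void attach_footnote(Frame *f, Footnote *fn) {
    f->has_footnote = true; f->fn = fn; fn->ref = f;
}
/* Unregister: clear the back-reference before the frame forgets the footnote. */
static void remove_footnote(Frame *f) {
    if (f->fn && f->fn->ref == f) f->fn->ref = NULL;
    f->has_footnote = false; f->fn = NULL;
}
/* FormatAdjust: move the start offset. The fixed variant unregisters the
 * footnote when the new range no longer contains it; the buggy one does not. */
static void adjust_offset(Frame *f, int new_offset, bool fixed) {
    if (fixed && f->offset <= FOOTNOTE_INDEX && new_offset > FOOTNOTE_INDEX)
        remove_footnote(f);
    f->offset = new_offset;
}
/* CalcFollow: recompute the flag from the range only, without unregistering. */
static void calc_follow(Frame *f) {
    f->has_footnote = (f->offset <= FOOTNOTE_INDEX);
}
/* Join: the frame goes away; only a frame that still believes it owns a
 * footnote unregisters. Returns true if the footnote still points at it. */
static bool join_frame(Frame *f, Footnote *fn) {
    if (f->has_footnote) remove_footnote(f);
    bool dangling = (fn->ref == f);               /* checked before free() */
    free(f);
    return dangling;
}
/* Replay the sequence for frame 138: offset 63 -> 96, then join. */
static bool reproduce(bool fixed) {
    Footnote fn = { NULL };
    Frame *f138 = calloc(1, sizeof *f138);
    f138->offset = 63;
    attach_footnote(f138, &fn);
    adjust_offset(f138, 96, fixed);
    calc_follow(f138);
    return join_frame(f138, &fn);   /* true => stale reference, the UAF precursor */
}
```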