author | Michael Stahl <mstahl@redhat.com> | 2017-09-13 10:48:38 +0200 |
---|---|---|
committer | Michael Stahl <mstahl@redhat.com> | 2017-09-13 11:09:38 +0200 |
commit | 88c84e71e2559ec6d0b4f8c5101a149daa4a2b2b (patch) | |
tree | 93df490d18b94c66f0aaddc12ed769dc2ce82289 /include/oox/vml | |
parent | b5368c913d8fe574ddaf2d5424ab48ffd0fefd56 (diff) |
tdf#112311 oox: fix UAF of std::shared_ptr
OOXMLFastContextHandlerShape::sendShape() deletes the parent context's
ShapeTypeContext::mrTypeModel.
It looks like the sendShape() can't be delayed because writerfilter
wants to import the v:textbox content into a text frame.
Keep the shape alive until the end of the containing context.
Not sure if it's going to process the v:fill element properly,
but at least valgrind is happy.
(probably regression from CWS writerfilter32bugfixes01)
Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0
Diffstat (limited to 'include/oox/vml')
-rw-r--r-- | include/oox/vml/vmlshapecontainer.hxx | 8 | ||||
-rw-r--r-- | include/oox/vml/vmlshapecontext.hxx | 9 |
2 files changed, 9 insertions, 8 deletions
diff --git a/include/oox/vml/vmlshapecontainer.hxx b/include/oox/vml/vmlshapecontainer.hxx
index 10c8e74094e0..ff39d5f7212c 100644
--- a/include/oox/vml/vmlshapecontainer.hxx
+++ b/include/oox/vml/vmlshapecontainer.hxx
@@ -61,10 +61,10 @@ public:
 Drawing& getDrawing() { return mrDrawing; }
 /** Creates and returns a new shape template object. */
- ShapeType& createShapeType();
+ std::shared_ptr<ShapeType> createShapeType();
 /** Creates and returns a new shape object of the specified type. */
 template< typename ShapeT >
- ShapeT& createShape();
+ std::shared_ptr<ShapeT> createShape();
 /** Final processing after import of the drawing fragment. */
 void finalizeFragmentImport();
@@ -123,11 +123,11 @@ private:
 template< typename ShapeT >
-ShapeT& ShapeContainer::createShape()
+std::shared_ptr<ShapeT> ShapeContainer::createShape()
 {
 std::shared_ptr< ShapeT > xShape( new ShapeT( mrDrawing ) );
 maShapes.push_back( xShape );
- return *xShape;
+ return xShape;
 }
 template< typename Functor >
diff --git a/include/oox/vml/vmlshapecontext.hxx b/include/oox/vml/vmlshapecontext.hxx
index f73055b3355f..7243684f6350 100644
--- a/include/oox/vml/vmlshapecontext.hxx
+++ b/include/oox/vml/vmlshapecontext.hxx
@@ -99,7 +99,7 @@ class ShapeTypeContext : public ShapeContextBase
 public:
 explicit ShapeTypeContext(
 ::oox::core::ContextHandler2Helper const & rParent,
- ShapeType& rShapeType,
+ std::shared_ptr<ShapeType> const& pShapeType,
 const AttributeList& rAttribs );
 virtual ::oox::core::ContextHandlerRef
@@ -113,6 +113,7 @@ private:
 OptValue< OUString > decodeFragmentPath( const AttributeList& rAttribs, sal_Int32 nToken ) const;
 private:
+ std::shared_ptr<ShapeType> m_pShapeType;
 ShapeTypeModel& mrTypeModel;
 };
@@ -122,7 +123,7 @@ class ShapeContext : public ShapeTypeContext
 public:
 explicit ShapeContext(
 ::oox::core::ContextHandler2Helper const & rParent,
- ShapeBase& rShape,
+ std::shared_ptr<ShapeBase> pShape,
 const AttributeList& rAttribs );
 virtual ::oox::core::ContextHandlerRef
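Review bot: The doc comments on `createShapeType()` and `createShape()` in the first vmlshapecontainer.hxx hunk still read "Creates and returns a new shape ... object", although the return type now hands out shared ownership. The definition in the second hunk shows the container also stores the pointer in `maShapes`, so the container and the caller both keep the object alive. That is worth stating, for example `/** Creates a new shape of the specified type; the container keeps one reference and the caller receives another (never null). */`. Spelling this out tells later callers that holding the returned pointer extends the shape's lifetime, which is the property this UAF fix relies on.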
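Review bot: Replacing `ShapeType& rShapeType` with `std::shared_ptr<ShapeType> const& pShapeType` in the ShapeTypeContext constructor makes a null argument expressible where the reference type ruled it out. The constructor definition is outside this diff, but it presumably still binds `mrTypeModel` from the pointee, so a null would become an invalid reference. I would document the parameter as non-null at this declaration and add `assert(pShapeType);` in the definition. The same applies to the `pShape` parameters of ShapeContext, GroupShapeContext and RectangleShapeContext in the later hunks.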
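Review bot: `m_pShapeType` is added to ShapeTypeContext without a comment, yet going by the commit message it exists only to keep alive the object that `mrTypeModel` refers into, and that coupling is easy to break in a later cleanup. Members are initialised in declaration order and destroyed in reverse, so the owner has to stay declared before the reference. A comment such as `// owns the ShapeType that mrTypeModel refers into; keep declared before mrTypeModel` would pin that down. The class definition starts outside this hunk, so whether derived contexts hold further references into the same shape cannot be checked from here.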
@@ -155,7 +156,7 @@ class GroupShapeContext : public ShapeContext
 public:
 explicit GroupShapeContext(
 ::oox::core::ContextHandler2Helper const & rParent,
- GroupShape& rShape,
+ std::shared_ptr<GroupShape> pShape,
 const AttributeList& rAttribs );
 virtual ::oox::core::ContextHandlerRef
@@ -172,7 +173,7 @@ public:
 explicit RectangleShapeContext(
 ::oox::core::ContextHandler2Helper const & rParent,
 const AttributeList& rAttribs,
- RectangleShape& rShape );
+ std::shared_ptr<RectangleShape> pShape);
 virtual ::oox::core::ContextHandlerRef
 onCreateContext( sal_Int32 nElement, const AttributeList& rAttribs ) override; |