author | Stephan Bergmann <sbergman@redhat.com> | 2016-11-16 13:49:18 +0100 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2016-11-16 13:57:29 +0100 |
commit | f7dea2d29541256fb68436c0a4c76302832630d8 (patch) | |
tree | 22e39250748537ac69583789312b5ed62474c618 /include/vcl/status.hxx | |
parent | 5c49c13b7b963b8e05d68f6a050c8f8184b825fd (diff) |
Avoid use after free from within StatusBar::dispose
Valgrind reveals that in Writer doing "Table - Insert Table... - Insert" (so the
table-related toolbar appears at the bottom of the document window), then "File
- Exit LibreOffice - Don't Save" causes
> Invalid read of size 8
> at 0xE87CA6C: std::__cxx1998::vector<ImplStatusItem*, std::allocator<ImplStatusItem*> >::size() const (/usr/lib/gcc/x86_64-redhat-linux/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:656)
> by 0xE87B09F: StatusBar::GetItemCount() const (/vcl/source/window/status.cxx:1019)
> by 0x75248D91: VCLXAccessibleStatusBar::VCLXAccessibleStatusBar(VCLXWindow*) (/accessibility/source/standard/vclxaccessiblestatusbar.cxx:43)
> by 0x75201C37: (anonymous namespace)::AccessibleFactory::createAccessibleContext(VCLXWindow*) (/accessibility/source/helper/acc_factory.cxx:312)
> by 0xD27B191: VCLXWindow::CreateAccessibleContext() (/toolkit/source/awt/vclxwindow.cxx:862)
> by 0xD2862AC: VCLXWindow::getAccessibleContext() (/toolkit/source/awt/vclxwindow.cxx:2375)
> by 0xD2864AF: non-virtual thunk to VCLXWindow::getAccessibleContext() (/toolkit/source/awt/vclxwindow.cxx:0)
> by 0x2A5CF0CD: AtkListener::handleChildRemoved(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&) (/vcl/unx/gtk3/a11y/../../gtk/a11y/atklistener.cxx:200)
> by 0x2A5CF646: AtkListener::notifyEvent(com::sun::star::accessibility::AccessibleEventObject const&) (/vcl/unx/gtk3/a11y/../../gtk/a11y/atklistener.cxx:301)
> by 0x77D6DB7: comphelper::AccessibleEventNotifier::addEvent(unsigned int, com::sun::star::accessibility::AccessibleEventObject const&) (/comphelper/source/misc/accessibleeventnotifier.cxx:277)
> by 0x77D4219: comphelper::OAccessibleContextHelper::NotifyAccessibleEvent(short, com::sun::star::uno::Any const&, com::sun::star::uno::Any const&) (/comphelper/source/misc/accessiblecontexthelper.cxx:186)
> by 0xD1FB887: VCLXAccessibleComponent::ProcessWindowEvent(VclWindowEvent const&) (/toolkit/source/awt/vclxaccessiblecomponent.cxx:210)
> by 0xD1FAEC0: VCLXAccessibleComponent::WindowEventListener(VclWindowEvent&) (/toolkit/source/awt/vclxaccessiblecomponent.cxx:125)
> by 0xD1F9C87: VCLXAccessibleComponent::LinkStubWindowEventListener(void*, VclWindowEvent&) (/toolkit/source/awt/vclxaccessiblecomponent.cxx:114)
> by 0xE797CD7: Link<VclWindowEvent&, void>::Call(VclWindowEvent&) const (/include/tools/link.hxx:84)
> by 0xE794189: vcl::Window::CallEventListeners(unsigned long, void*) (/vcl/source/window/event.cxx:240)
> by 0xE8EDC9F: vcl::Window::dispose() (/vcl/source/window/window.cxx:172)
> by 0xE875B9B: StatusBar::dispose() (/vcl/source/window/status.cxx:170)
> by 0xEAD71EE: VclReferenceBase::disposeOnce() (/vcl/source/outdev/vclreferencebase.cxx:42)
> by 0x3AA25A76: VclPtr<StatusBar>::disposeAndClear() (/include/vcl/vclptr.hxx:231)
> by 0x3AC1CF0D: framework::StatusBarManager::dispose() (/framework/source/uielement/statusbarmanager.cxx:202)
> by 0x3AC2936D: framework::StatusBarWrapper::dispose() (/framework/source/uielement/statusbarwrapper.cxx:75)
> by 0x3AA4F246: framework::LayoutManager::implts_destroyStatusBar() (/framework/source/layoutmanager/layoutmanager.cxx:840)
> by 0x3AA4EF68: framework::LayoutManager::implts_destroyElements() (/framework/source/layoutmanager/layoutmanager.cxx:443)
> by 0x3AA4ED7E: framework::LayoutManager::implts_reset(bool) (/framework/source/layoutmanager/layoutmanager.cxx:412)
> by 0x3AA5E683: framework::LayoutManager::frameAction(com::sun::star::frame::FrameActionEvent const&) (/framework/source/layoutmanager/layoutmanager.cxx:2814)
> by 0x3AB0A30C: (anonymous namespace)::Frame::implts_sendFrameActionEvent(com::sun::star::frame::FrameAction const&) (/framework/source/services/frame.cxx:3110)
> by 0x3AB0299D: (anonymous namespace)::Frame::setComponent(com::sun::star::uno::Reference<com::sun::star::awt::XWindow> const&, com::sun::star::uno::Reference<com::sun::star::frame::XController> const&) (/framework/source/services/frame.cxx:1557)
> by 0x3AB055AB: (anonymous namespace)::Frame::close(unsigned char) (/framework/source/services/frame.cxx:1801)
> by 0x3AAF1DC4: framework::Desktop::impl_closeFrames(bool) (/framework/source/services/desktop.cxx:1698)
> by 0x3AAF132A: framework::Desktop::terminate() (/framework/source/services/desktop.cxx:230)
> by 0x3A9D71CA: framework::CloseDispatcher::implts_terminateApplication() (/framework/source/dispatch/closedispatcher.cxx:562)
> by 0x3A9D632C: framework::CloseDispatcher::impl_asyncCallback(LinkParamNone*) (/framework/source/dispatch/closedispatcher.cxx:410)
> by 0x3A9D49D7: framework::CloseDispatcher::LinkStubimpl_asyncCallback(void*, LinkParamNone*) (/framework/source/dispatch/closedispatcher.cxx:254)
> by 0xE9B4BE7: Link<LinkParamNone*, void>::Call(LinkParamNone*) const (/include/tools/link.hxx:84)
> by 0xEE027A7: vcl::EventPoster::DoEvent_Impl(void*) (/vcl/source/helper/evntpost.cxx:52)
> by 0xEE02767: vcl::EventPoster::LinkStubDoEvent_Impl(void*, void*) (/vcl/source/helper/evntpost.cxx:48)
> by 0xE91FC17: Link<void*, void>::Call(void*) const (/include/tools/link.hxx:84)
> by 0xE91CE8B: ImplHandleUserEvent(ImplSVEvent*) (/vcl/source/window/winproc.cxx:1957)
> by 0xE91A33F: ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (/vcl/source/window/winproc.cxx:2507)
> by 0xEFEA88D: SalFrame::CallCallback(SalEvent, void const*) const (/vcl/inc/salframe.hxx:276)
> by 0xEFFF457: SalGenericDisplay::DispatchInternalEvent() (/vcl/unx/generic/app/gendisp.cxx:86)
> Address 0x6ccc64b0 is 32 bytes inside a block of size 56 free'd
> at 0x4C2D22A: operator delete(void*) (/builddir/build/BUILD/valgrind-3.11.0/coregrind/m_replacemalloc/vg_replace_malloc.c:576)
> by 0xE875B47: StatusBar::dispose() (/vcl/source/window/status.cxx:165)
It looks rather pointless that StatusBar::dispose causes instantiation of a
VCLXAccessibleStatusBar, but not sure what would be the right level to fix this.
So work around it by making the pointlessly pointer mpItemList non-pointer, and
clearing it in StatusBar::dispose, so that a later call to
StatusBar::GetItemCount returns 0 (which appears to be OK for the needs of that
zombie VCLXAccessibleStatusBar).
Change-Id: I1e982a335cb78e87a6c16633174bca76b59c6049
Diffstat (limited to 'include/vcl/status.hxx')
-rw-r--r-- | include/vcl/status.hxx | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/include/vcl/status.hxx b/include/vcl/status.hxx index a270663ed362..518ba6ab4a62 100644 --- a/include/vcl/status.hxx +++ b/include/vcl/status.hxx @@ -27,8 +27,6 @@ #include <vector> struct ImplStatusItem; -typedef ::std::vector< ImplStatusItem* > ImplStatusItemList; - void VCL_DLLPUBLIC DrawProgress(vcl::Window* pWindow, vcl::RenderContext& rRenderContext, const Point& rPos, long nOffset, long nPrgsWidth, long nPrgsHeight, @@ -61,7 +59,7 @@ class VCL_DLLPUBLIC StatusBar : public vcl::Window { class ImplData; private: - ImplStatusItemList* mpItemList; + std::vector<ImplStatusItem *> mpItemList; ImplData* mpImplData; OUString maPrgsTxt; Point maPrgsTxtPos; |
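Review bot: The first hunk removes the `ImplStatusItemList` typedef from a header under include/vcl, and the diffstat shown here is limited to this one file, so the remaining users of that name cannot be checked from this view. Please confirm that every use of `ImplStatusItemList` outside this header is converted in the same commit. The `#include <vector>` kept above the removed line is still needed by the new member declaration, so it should stay.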
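Review bot: In the second hunk the member keeps the name `mpItemList` although it is now a `std::vector<ImplStatusItem *>` held by value; sitting next to `mpImplData`, the `mp` prefix still reads as a pointer, so consider renaming it in this change or a follow-up. The vector's elements are still raw `ImplStatusItem *`, so the clearing in StatusBar::dispose that the commit message describes must delete each element before emptying the vector; that code is not in this header and should be checked alongside it. A short comment on the member saying it is deliberately left as a valid empty vector after dispose, because listeners can still call GetItemCount during teardown, would keep a later cleanup from reintroducing the problem. Replacing a pointer member with a by-value vector also changes the object layout of a `VCL_DLLPUBLIC` class, so everything that includes this header needs rebuilding.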