diff options
| author | Justin Luth <justin_luth@sil.org> | 2022-02-02 11:00:07 +0200 |
|---|---|---|
| committer | Xisco Fauli <xiscofauli@libreoffice.org> | 2022-02-08 09:32:43 +0100 |
| commit | dc3f27c910f455fce7a3afe3115ba51effd5e63f (patch) | |
| tree | afcadc2f2a8dbf2db637e53d8ac09e006ebdb673 /sd | |
| parent | 522160397ad5b4cb802fcef0b10294e84a612723 (diff) | |
related tdf#145868 sd: Clone SvxSearchItem to avoid use after free
I tested "if (mpSearchItem)" which passed, but then it
crashed when trying to access (*mpSearchItem) == (*pSearchItem)
because the mpSearchItem's DTOR had already been called
prior to the if(mpSearchItem).
Since mpSearchItem is never compared to another
memory pointer, it is safe to assign it to a Clone.
Steps to reproduce:
1.) open Impress and search for something
2.) change the search string to something else
3.) search again.
Note that there isn't currently any code that hits this.
I discovered it trying to craft a fix for bug 145868.
Change-Id: Idc5f5a3e812ed3e49631347c35c3f4b2d8bb4127
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129347
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Justin Luth <jluth@mail.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129629
Diffstat (limited to 'sd')
| -rw-r--r-- | sd/inc/Outliner.hxx | 2 | ||||
| -rw-r--r-- | sd/source/ui/view/Outliner.cxx | 3 |
2 files changed, 2 insertions, 3 deletions
diff --git a/sd/inc/Outliner.hxx b/sd/inc/Outliner.hxx index 772040f7a610..4a7100db3bb1 100644 --- a/sd/inc/Outliner.hxx +++ b/sd/inc/Outliner.hxx @@ -316,7 +316,7 @@ private: search. It is set every time the <member>SearchAndReplaceAll</member> method is called. */ - const SvxSearchItem* mpSearchItem; + std::unique_ptr<const SvxSearchItem> mpSearchItem; /// The actual object iterator. ::sd::outliner::Iterator maObjectIterator; diff --git a/sd/source/ui/view/Outliner.cxx b/sd/source/ui/view/Outliner.cxx index 0f77f2070219..23353ba87c82 100644 --- a/sd/source/ui/view/Outliner.cxx +++ b/sd/source/ui/view/Outliner.cxx @@ -154,7 +154,6 @@ SdOutliner::SdOutliner( SdDrawDocument* pDoc, OutlinerMode nMode ) meStartEditMode(EditMode::Page), mnStartPageIndex(sal_uInt16(-1)), mpStartEditedObject(nullptr), - mpSearchItem(nullptr), mbPrepareSpellingPending(true) { SetStyleSheetPool(static_cast<SfxStyleSheetPool*>( mpDrawDocument->GetStyleSheetPool() )); @@ -464,7 +463,7 @@ bool SdOutliner::StartSearchAndReplace (const SvxSearchItem* pSearchItem) if ( ! bAbort) { meMode = SEARCH; - mpSearchItem = pSearchItem; + mpSearchItem = std::unique_ptr<SvxSearchItem>(pSearchItem->Clone()); mbFoundObject = false; |