author | Justin Luth <justin_luth@sil.org> | 2022-02-02 11:00:07 +0200 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2022-02-04 21:40:10 +0100 |
commit | 583185235389b55d6cfffac3067c0e1ccb2852b1 (patch) | |
tree | 73c57a801e1447467ea8090bdafc92a381ff4cfc /sd | |
parent | 5b0b004107f47ebfedd68d5916aa2176dad0d27b (diff) |
related tdf#145868 sd: Clone SvxSearchItem to avoid use after free

I tested "if (mpSearchItem)" which passed, but then it
crashed when trying to access (*mpSearchItem) == (*pSearchItem)
because the mpSearchItem's DTOR had already been called
prior to the if(mpSearchItem).

Since mpSearchItem is never compared to another
memory pointer, it is safe to assign it to a Clone.

Steps to reproduce:
1.) open Impress and search for something
2.) change the search string to something else
3.) search again.

Note that there isn't currently any code that hits this.
I discovered it trying to craft a fix for bug 145868.

Change-Id: Idc5f5a3e812ed3e49631347c35c3f4b2d8bb4127
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129347
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Justin Luth <jluth@mail.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>

Diffstat (limited to 'sd')
-rw-r--r-- | sd/inc/Outliner.hxx | 2 | ||||
-rw-r--r-- | sd/source/ui/view/Outliner.cxx | 3 |
2 files changed, 2 insertions, 3 deletions
diff --git a/sd/inc/Outliner.hxx b/sd/inc/Outliner.hxx index 772040f7a610..4a7100db3bb1 100644 --- a/sd/inc/Outliner.hxx +++ b/sd/inc/Outliner.hxx @@ -316,7 +316,7 @@ private: search. It is set every time the <member>SearchAndReplaceAll</member> method is called. */ - const SvxSearchItem* mpSearchItem; + std::unique_ptr<const SvxSearchItem> mpSearchItem; /// The actual object iterator. ::sd::outliner::Iterator maObjectIterator; diff --git a/sd/source/ui/view/Outliner.cxx b/sd/source/ui/view/Outliner.cxx index 0f77f2070219..23353ba87c82 100644 --- a/sd/source/ui/view/Outliner.cxx +++ b/sd/source/ui/view/Outliner.cxx @@ -154,7 +154,6 @@ SdOutliner::SdOutliner( SdDrawDocument* pDoc, OutlinerMode nMode ) meStartEditMode(EditMode::Page), mnStartPageIndex(sal_uInt16(-1)), mpStartEditedObject(nullptr), - mpSearchItem(nullptr), mbPrepareSpellingPending(true) { SetStyleSheetPool(static_cast<SfxStyleSheetPool*>( mpDrawDocument->GetStyleSheetPool() )); @@ -464,7 +463,7 @@ bool SdOutliner::StartSearchAndReplace (const SvxSearchItem* pSearchItem) if ( ! bAbort) { meMode = SEARCH; - mpSearchItem = pSearchItem; + mpSearchItem = std::unique_ptr<SvxSearchItem>(pSearchItem->Clone()); mbFoundObject = false; |
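
Review bot: In sd/inc/Outliner.hxx, the doc comment directly above mpSearchItem still only says when the member is set; now that the type is std::unique_ptr<const SvxSearchItem>, it should also state that SdOutliner holds its own copy of the search item and is responsible for destroying it, so a reader does not have to reason about the caller's object lifetime. The diffstat counts only the two replacement lines as insertions, so no #include <memory> was added with this change; it is worth confirming that the header already pulls in <memory> through one of its own includes rather than depending on include order in the translation units that use it.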
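
Review bot: In SdOutliner::StartSearchAndReplace (sd/source/ui/view/Outliner.cxx), pSearchItem->Clone() dereferences the parameter where the removed line only copied the pointer, and no null check on pSearchItem is visible in this hunk. If any caller can pass nullptr, a previously harmless assignment becomes a null dereference, so either assert on pSearchItem before the clone or guard it. As a style point, mpSearchItem.reset(pSearchItem->Clone()); expresses the same ownership transfer without constructing a temporary std::unique_ptr<SvxSearchItem> whose constness differs from the member's std::unique_ptr<const SvxSearchItem>.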