author: Miklos Vajna <vmiklos@collabora.com> 2022-06-08 11:51:21 +0200
committer: Miklos Vajna <vmiklos@collabora.com> 2022-06-10 09:56:11 +0200
commit: c3787043db572ff4b9933fad53dbcfec3428b75d
tree: a4c22418a9ca23512a5b58e02f8997bffedd9a1a /sfx2
parent: 12ffb0cb65352307485913065f4c3b5d8069ece7
sw: fix use-after-free in SwFrame::ImplFindPageFrame()
Header-footer controls have a non-owning pointer to their page frames in Writer views, so whenever a page frame gets deleted, we need to manually make sure that the header-footer control doesn't have a pointer to the deleted page frame.

This already works with a single view, but in case one view has a visible header-footer control and another view deletes the page frame that is known to the header-footer control, then we have a problem.

Fix the problematic outdated SwFrameMenuButtonBase::m_pFrame by extending SwPageFrame::DestroyImpl(), so it un-registers itself (before deletion) not only from the current view, but from all views.

Found by online.git's:

    tst=/tmp/testfoo.odt
    cp test/data/hello-world.odt $tst
    ./coolstress wss://localhost:9980 $tst test/traces/writer-hello-shape.txt $tst test/traces/writer-document-edit.txt $tst test/traces/writer-mash-text-table.txt $tst test/traces/writer-rambling-text-table.txt $tst test/traces/writer-add-bullet.txt

although also reproducible on the desktop, in case you have two views (windows), do ctrl-enter to have 2 pages, go to the 2nd page in both views, view 1 clicks on the 2nd page's header, view 2 deletes the page (backspace) and finally view 1 clicks in the body text of the current page.

Change-Id: I35e5d82256ab5db8e5f0ba198f5d2638cbff7d3c
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/135573
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins
Diffstat (limited to 'sfx2')
0 files changed, 0 insertions, 0 deletions
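
The ownership pattern the commit message describes, as an added example that is not LibreOffice code: a frame destructor that un-registers from only the current view leaves another view's non-owning pointer stale, while un-registering from all views does not. The names `View`, `Document`, `PageFrame`, `destroyPage` and `scenario` are hypothetical, simplified stand-ins.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical, simplified stand-ins; not LibreOffice's real classes.
struct PageFrame { int pageNumber; };

struct View {
    PageFrame* controlFrame = nullptr;  // non-owning, like the control's frame pointer
    void forget(const PageFrame* f) { if (controlFrame == f) controlFrame = nullptr; }
};

struct Document { std::vector<View*> views; };

enum class Unregister { CurrentViewOnly, AllViews };

// Destroys a page frame on behalf of `current` and returns how many views
// were left holding a pointer to it (each one would dangle after the delete).
int destroyPage(Document& doc, View& current, PageFrame* frame, Unregister mode) {
    if (mode == Unregister::AllViews) {
        for (View* v : doc.views) v->forget(frame);
    } else {
        current.forget(frame);
    }
    int stale = 0;  // counted before the delete, so nothing dangling is ever read
    for (View* v : doc.views)
        if (v->controlFrame == frame) ++stale;
    delete frame;
    return stale;
}

// Constructed scenario from the commit message: view 1 shows the header
// control of page 2, then view 2 deletes that page.
int scenario(Unregister mode) {
    View view1, view2;
    Document doc{{&view1, &view2}};
    PageFrame* page2 = new PageFrame{2};
    view1.controlFrame = page2;
    return destroyPage(doc, view2, page2, mode);
}

int main() {
    std::printf("current view only: %d stale pointer(s)\n", scenario(Unregister::CurrentViewOnly));
    std::printf("all views:         %d stale pointer(s)\n", scenario(Unregister::AllViews));
    return 0;
}
```

Building the real code with AddressSanitizer and replaying the two-view steps from the commit message is the way to confirm the same condition in the actual application.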