lo/core - LibreOffice 核心代码仓库

diff options

author	Tomaž Vajngerl <tomaz.vajngerl@collabora.co.uk>	2021-06-09 14:58:28 +0900
committer	Tomaž Vajngerl <quikee@gmail.com>	2021-06-10 02:36:22 +0200
commit	36db408b9027da01464927e5853950435596ae05 (patch)
tree	420133c8cef92ea4eb81b78bcceb10566630e3c0 /sot
parent	aa9cb8e14749e7fb7a83b55a2bb095501f731a18 (diff)

sd: ubsan - fix heap-use-after-free in SdOutliner

OutlinerView can change (old one deleted and new one create) so we can't store it in a local vairable and need to always fetch it. UBSAN Error log: ==21484==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000af7d28 at pc 0x2ab7c5979405 bp 0x7ffcd1a3d1a0 sp 0x7ffcd1a3d198 READ of size 8 at 0x606000af7d28 thread T0 -0 0x2ab7c5979404 in std::__uniq_ptr_impl<EditView, std::default_delete<EditView> >::_M_ptr() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:147:42 -1 0x2ab7c59792ea in std::unique_ptr<EditView, std::default_delete<EditView> >::get() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:337:21 -2 0x2ab7c59791d9 in std::unique_ptr<EditView, std::default_delete<EditView> >::operator*() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:322:2 -3 0x2ab7c59725da in OutlinerView::GetEditView() const /include/editeng/outliner.hxx:209:46 -4 0x2ab7c70e36bb in SdOutliner::SearchAndReplaceOnce(std::__debug::vector<sd::SearchSelection, std::allocator<sd::SearchSelection> >*) /sd/source/ui/view/Outliner.cxx:903:21 -5 0x2ab7c70dcb32 in SdOutliner::SearchAndReplaceAll() /sd/source/ui/view/Outliner.cxx:622:29 -6 0x2ab7c70da81b in SdOutliner::StartSearchAndReplace(SvxSearchItem const*) /sd/source/ui/view/Outliner.cxx:478:28 -7 0x2ab7c61e4fc5 in sd::FuSearch::SearchAndReplace(SvxSearchItem const*) /sd/source/ui/func/fusearch.cxx:128:44 -8 0x2ab7c5c61fc5 in sd::DrawDocShell::Execute(SfxRequest&) /sd/source/ui/docshell/docshel3.cxx:228:36 -9 0x2ab7c5cac074 in SfxStubDrawDocShellExecute(SfxShell*, SfxRequest&) /workdir/SdiTarget/sd/sdi/sdslots.hxx:18384:1 -10 0x2ab7cd885d8f in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:9 -11 0x2ab7cd89bd8f in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9 -12 0x2ab7cd89ccd6 in SfxDispatcher::Execute(unsigned short, SfxCallMode, SfxItemSet const*, SfxItemSet const*, unsigned short) /sfx2/source/control/dispatch.cxx:811:9 -13 0x2ab7cdd11d76 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /sfx2/source/control/unoctitm.cxx:738:46 -14 0x2ab7cdd15135 in SfxOfficeDispatch::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /sfx2/source/control/unoctitm.cxx:243:16 -15 0x2ab7f54b25d7 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatch> const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /framework/source/services/dispatchhelper.cxx:159:30 -16 0x2ab7f54b1531 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatchProvider> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /framework/source/services/dispatchhelper.cxx:117:16 -17 0x2ab7f54b2d17 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatchProvider> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /framework/source/services/dispatchhelper.cxx -18 0x2ab7e63c546f in unotest::MacrosTest::dispatchCommand(com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /unotest/source/cpp/macros_test.cxx:85:22 -19 0x2ab7b1a9ac2d in testSearchAllInDocumentAndNotes::TestBody() /sd/qa/unit/uiimpress.cxx:715:5 -20 0x2ab7b1b43f84 in void std::__invoke_impl<void, void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&>(std::__invoke_memfun_deref, void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:73:14 -21 0x2ab7b1b43b5e in std::__invoke_result<void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&>::type std::__invoke<void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&>(void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:95:14 -22 0x2ab7b1b439b2 in void std::_Bind<void (testSearchAllInDocumentAndNotes::* (testSearchAllInDocumentAndNotes*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:467:11 -23 0x2ab7b1b43612 in void std::_Bind<void (testSearchAllInDocumentAndNotes::* (testSearchAllInDocumentAndNotes*))()>::operator()<void>() /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:549:17 -24 0x2ab7b1b426a1 in std::_Function_handler<void (), std::_Bind<void (testSearchAllInDocumentAndNotes::* (testSearchAllInDocumentAndNotes*))()> >::_M_invoke(std::_Any_data const&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:316:2 -25 0x2ab7b1aec1f1 in std::function<void ()>::operator()() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:706:14 -26 0x2ab7b1b41984 in CppUnit::TestCaller<testSearchAllInDocumentAndNotes>::runTest() /workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7 -27 0x2ab765f655ba in CppUnit::TestCaseMethodFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5 -28 0x2ab780dd0937 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /test/source/vclbootstrapprotector.cxx:46:14 -29 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 -30 0x2ab775453fd7 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:78:12 -31 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 -32 0x2ab771f47962 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:62:16 -33 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 -34 0x2ab765ecdf84 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12 -35 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 -36 0x2ab765f30697 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18 -37 0x2ab765fcfa79 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28 -38 0x2ab765f63c21 in CppUnit::TestCase::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:91:13 -39 0x2ab765f67a52 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 -40 0x2ab765f66c4a in CppUnit::TestComposite::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 -41 0x2ab765f67a52 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 -42 0x2ab765f66c4a in CppUnit::TestComposite::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 -43 0x2ab765ffd60e in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27 -44 0x2ab765fce4de in CppUnit::TestResult::runTest(CppUnit::Test*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9 -45 0x2ab765ffe56b in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14 -46 0x4ff42e in (anonymous namespace)::ProtectedFixtureFunctor::run() const /sal/cppunittester/cppunittester.cxx:324:20 -47 0x4fb90c in sal_main() /sal/cppunittester/cppunittester.cxx:474:20 -48 0x4fa40e in main /sal/cppunittester/cppunittester.cxx:381:1 -49 0x2ab767c44554 in __libc_start_main (/lib64/libc.so.6+0x22554) -50 0x425e04 in _start (/workdir/LinkTarget/Executable/cppunittester+0x425e04) 0x606000af7d28 is located 8 bytes inside of 56-byte region [0x606000af7d20,0x606000af7d58) freed by thread T0 here: -0 0x4f75f0 in operator delete(void*) /home/tdf/lode/packages/llvm-llvmorg-9.0.1.src/compiler-rt/lib/asan/asan_new_delete.cc:160 -1 0x2ab7c70c42b1 in SdOutliner::Implementation::ProvideOutlinerView(Outliner&, std::shared_ptr<sd::ViewShell> const&, vcl::Window*) /sd/source/ui/view/Outliner.cxx:1988:17 -2 0x2ab7c70c1302 in SdOutliner::SetViewShell(std::shared_ptr<sd::ViewShell> const&) /sd/source/ui/view/Outliner.cxx:1743:17 -3 0x2ab7c70ed9f4 in SdOutliner::SetViewMode(PageKind) /sd/source/ui/view/Outliner.cxx:1571:5 -4 0x2ab7c70f309e in SdOutliner::SetObject(sd::outliner::IteratorPosition const&) /sd/source/ui/view/Outliner.cxx:1720:5 -5 0x2ab7c70f3db6 in SdOutliner::PrepareSearchAndReplace() /sd/source/ui/view/Outliner.cxx:1507:13 -6 0x2ab7c70d4b3f in SdOutliner::ProvideNextTextObject() /sd/source/ui/view/Outliner.cxx:1302:33 -7 0x2ab7c70e30f0 in SdOutliner::SearchAndReplaceOnce(std::__debug::vector<sd::SearchSelection, std::allocator<sd::SearchSelection> >*) /sd/source/ui/view/Outliner.cxx:892:17 -8 0x2ab7c70dcb32 in SdOutliner::SearchAndReplaceAll() /sd/source/ui/view/Outliner.cxx:622:29 -9 0x2ab7c70da81b in SdOutliner::StartSearchAndReplace(SvxSearchItem const*) /sd/source/ui/view/Outliner.cxx:478:28 -10 0x2ab7c61e4fc5 in sd::FuSearch::SearchAndReplace(SvxSearchItem const*) /sd/source/ui/func/fusearch.cxx:128:44 -11 0x2ab7c5c61fc5 in sd::DrawDocShell::Execute(SfxRequest&) /sd/source/ui/docshell/docshel3.cxx:228:36 -12 0x2ab7c5cac074 in SfxStubDrawDocShellExecute(SfxShell*, SfxRequest&) /workdir/SdiTarget/sd/sdi/sdslots.hxx:18384:1 -13 0x2ab7cd885d8f in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:9 -14 0x2ab7cd89bd8f in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9 -15 0x2ab7cd89ccd6 in SfxDispatcher::Execute(unsigned short, SfxCallMode, SfxItemSet const*, SfxItemSet const*, unsigned short) /sfx2/source/control/dispatch.cxx:811:9 -16 0x2ab7cdd11d76 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /sfx2/source/control/unoctitm.cxx:738:46 -17 0x2ab7cdd15135 in SfxOfficeDispatch::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) /sfx2/source/control/unoctitm.cxx:243:16 -18 0x2ab7f54b25d7 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatch> const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /framework/source/services/dispatchhelper.cxx:159:30 -19 0x2ab7f54b1531 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatchProvider> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /framework/source/services/dispatchhelper.cxx:117:16 -20 0x2ab7f54b2d17 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatchProvider> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /framework/source/services/dispatchhelper.cxx -21 0x2ab7e63c546f in unotest::MacrosTest::dispatchCommand(com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) /unotest/source/cpp/macros_test.cxx:85:22 -22 0x2ab7b1a9ac2d in testSearchAllInDocumentAndNotes::TestBody() /sd/qa/unit/uiimpress.cxx:715:5 -23 0x2ab7b1b43f84 in void std::__invoke_impl<void, void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&>(std::__invoke_memfun_deref, void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:73:14 -24 0x2ab7b1b43b5e in std::__invoke_result<void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&>::type std::__invoke<void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&>(void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:95:14 -25 0x2ab7b1b439b2 in void std::_Bind<void (testSearchAllInDocumentAndNotes::* (testSearchAllInDocumentAndNotes*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:467:11 -26 0x2ab7b1b43612 in void std::_Bind<void (testSearchAllInDocumentAndNotes::* (testSearchAllInDocumentAndNotes*))()>::operator()<void>() /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:549:17 -27 0x2ab7b1b426a1 in std::_Function_handler<void (), std::_Bind<void (testSearchAllInDocumentAndNotes::* (testSearchAllInDocumentAndNotes*))()> >::_M_invoke(std::_Any_data const&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:316:2 -28 0x2ab7b1aec1f1 in std::function<void ()>::operator()() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:706:14 -29 0x2ab7b1b41984 in CppUnit::TestCaller<testSearchAllInDocumentAndNotes>::runTest() /workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7 Change-Id: I0b4616cd3813565bc58b7a84320cbf52dd654a3a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/116879 Tested-by: Jenkins Reviewed-by: Tomaž Vajngerl <quikee@gmail.com>

Diffstat (limited to 'sot')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: