diff options
author | Patrick Luby <guibmacdev@gmail.com> | 2024-07-18 21:38:01 -0400 |
---|---|---|
committer | Patrick Luby <guibomacdev@gmail.com> | 2024-07-20 13:01:36 +0200 |
commit | 926ed71244c20d5a96d0f20b7c4edfb9e645a667 (patch) | |
tree | b4154bd68fdf3890ed04f48a905c918da8479dec /svl | |
parent | 6c0db491f000c55e6bf6061d33ba2312b0ec303f (diff) |
tdf#161729 clear style sheets in same order as they were added
std::vector::clear() appears to delete elements in the
reverse order added. In the case of tdf#161729, a style
sheet's SfxItemSet can have a parent SfxItemSet and that
parent is the SfxItemSet for a style sheet added later.
Deleting from the end of the vector deletes a style sheet
and its SfxItemSet. If the now deleted SfxItemSet is a
parent SfxItemSet of a style sheet that was added earlier,
the style sheet added earlier will now have an SfxItemSet
with its parent set to an already deleted pointer. And so
a crash will occur when that earlier style sheet is deleted.
rxStyleSheet.clear();
Change-Id: I8ce7023fce8b01432cb3c9288a8f83e7a2f0f2d8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/170707
Tested-by: Jenkins
Reviewed-by: Patrick Luby <guibomacdev@gmail.com>
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Diffstat (limited to 'svl')
-rw-r--r-- | svl/source/items/IndexedStyleSheets.cxx | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/svl/source/items/IndexedStyleSheets.cxx b/svl/source/items/IndexedStyleSheets.cxx index 0db2f201f35f..5d2ddf8299f9 100644 --- a/svl/source/items/IndexedStyleSheets.cxx +++ b/svl/source/items/IndexedStyleSheets.cxx @@ -183,8 +183,21 @@ sal_Int32 IndexedStyleSheets::FindStyleSheetPosition(const SfxStyleSheetBase& st void IndexedStyleSheets::Clear(StyleSheetDisposer& disposer) { - for (const auto& rxStyleSheet : mStyleSheets) { + for (auto& rxStyleSheet : mStyleSheets) { disposer.Dispose(rxStyleSheet); + + // tdf#161729 clear style sheets in same order as they were added + // std::vector::clear() appears to delete elements in the + // reverse order added. In the case of tdf#161729, a style + // sheet's SfxItemSet can have a parent SfxItemSet and that + // parent is the SfxItemSet for a style sheet added later. + // Deleting from the end of the vector deletes a style sheet + // and its SfxItemSet. If the now deleted SfxItemSet is a + // parent SfxItemSet of a style sheet that was added earlier, + // the style sheet added earlier will now have an SfxItemSet + // with its parent set to an already deleted pointer. And so + // a crash will occur when that earlier style sheet is deleted. + rxStyleSheet.clear(); } mStyleSheets.clear(); mPositionsByName.clear(); |