summaryrefslogtreecommitdiff
path: root/svl
diff options
context:
space:
mode:
authorPatrick Luby <guibmacdev@gmail.com>2024-07-18 21:38:01 -0400
committerPatrick Luby <guibomacdev@gmail.com>2024-07-20 13:01:36 +0200
commit926ed71244c20d5a96d0f20b7c4edfb9e645a667 (patch)
treeb4154bd68fdf3890ed04f48a905c918da8479dec /svl
parent6c0db491f000c55e6bf6061d33ba2312b0ec303f (diff)
tdf#161729 clear style sheets in same order as they were added
std::vector::clear() appears to delete elements in the reverse order added. In the case of tdf#161729, a style sheet's SfxItemSet can have a parent SfxItemSet and that parent is the SfxItemSet for a style sheet added later. Deleting from the end of the vector deletes a style sheet and its SfxItemSet. If the now deleted SfxItemSet is a parent SfxItemSet of a style sheet that was added earlier, the style sheet added earlier will now have an SfxItemSet with its parent set to an already deleted pointer. And so a crash will occur when that earlier style sheet is deleted. rxStyleSheet.clear(); Change-Id: I8ce7023fce8b01432cb3c9288a8f83e7a2f0f2d8 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/170707 Tested-by: Jenkins Reviewed-by: Patrick Luby <guibomacdev@gmail.com> Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Diffstat (limited to 'svl')
-rw-r--r--svl/source/items/IndexedStyleSheets.cxx15
1 files changed, 14 insertions, 1 deletions
diff --git a/svl/source/items/IndexedStyleSheets.cxx b/svl/source/items/IndexedStyleSheets.cxx
index 0db2f201f35f..5d2ddf8299f9 100644
--- a/svl/source/items/IndexedStyleSheets.cxx
+++ b/svl/source/items/IndexedStyleSheets.cxx
@@ -183,8 +183,21 @@ sal_Int32 IndexedStyleSheets::FindStyleSheetPosition(const SfxStyleSheetBase& st
void
IndexedStyleSheets::Clear(StyleSheetDisposer& disposer)
{
- for (const auto& rxStyleSheet : mStyleSheets) {
+ for (auto& rxStyleSheet : mStyleSheets) {
disposer.Dispose(rxStyleSheet);
+
+ // tdf#161729 clear style sheets in same order as they were added
+ // std::vector::clear() appears to delete elements in the
+ // reverse order added. In the case of tdf#161729, a style
+ // sheet's SfxItemSet can have a parent SfxItemSet and that
+ // parent is the SfxItemSet for a style sheet added later.
+ // Deleting from the end of the vector deletes a style sheet
+ // and its SfxItemSet. If the now deleted SfxItemSet is a
+ // parent SfxItemSet of a style sheet that was added earlier,
+ // the style sheet added earlier will now have an SfxItemSet
+ // with its parent set to an already deleted pointer. And so
+ // a crash will occur when that earlier style sheet is deleted.
+ rxStyleSheet.clear();
}
mStyleSheets.clear();
mPositionsByName.clear();