svx: fix double-free if SvxShape of SwDrawVirtObj is disposed

First SvxShape::dispose() deletes it, then ~SwDrawFrameFormat() via
~SwDrawContact() calls SwDrawContact::RemoveAllVirtObjs() and deletes it
again.

Back in 2009, CWS dba32 (60698c8a619f219129dbeac7da1f962f3fa63f6a)
added this OSL_ENSURE, let's actually try to fix this now.

Change-Id: I5c391aa425aa75fb87cecccbf9e41c9f90196f9f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134609
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Tested-by: Jenkins
(cherry picked from commit 5eb25f6a7ecb215f7bc81116cd930c1dec645e8d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134621
Reviewed-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 4 insertions, 5 deletions

diff --git a/svx/source/unodraw/unoshape.cxx b/svx/source/unodraw/unoshape.cxx
index 98a104c49fc8..ee3e58dd0190 100644
--- a/svx/source/unodraw/unoshape.cxx
+++ b/svx/source/unodraw/unoshape.cxx
@@ -1286,10 +1286,6 @@ void SAL_CALL SvxShape::dispose()
 
     if ( pObject->IsInserted() && pObject->getSdrPageFromSdrObject() )
     {
-        OSL_ENSURE( HasSdrObjectOwnership(), "SvxShape::dispose: is the below code correct?" );
-            // normally, we are allowed to free the SdrObject only if we have its ownership.
-            // Why isn't this checked here?
-
         SdrPage* pPage = pObject->getSdrPageFromSdrObject();
         // delete the SdrObject from the page
         const size_t nCount = pPage->GetObjCount();
@@ -1298,7 +1294,10 @@ void SAL_CALL SvxShape::dispose()
             if ( pPage->GetObj( nNum ) == pObject )
             {
                 OSL_VERIFY( pPage->RemoveObject( nNum ) == pObject );
-                bFreeSdrObject = true;
+                if (HasSdrObjectOwnership())
+                {
+                    bFreeSdrObject = true;
+                }
                 break;
             }
         }