diff options
| author | Stephan Bergmann <sbergman@redhat.com> | 2021-01-15 13:46:12 +0100 |
|---|---|---|
| committer | Stephan Bergmann <sbergman@redhat.com> | 2021-01-15 18:54:23 +0100 |
| commit | 2e29dc20b96f2d96f5b64e9ed5efb79e342b3f54 (patch) | |
| tree | 5f65f614bf346503c307cbafa6589a35d9abb723 /sw/inc/calbck.hxx | |
| parent | 0e3e4b89d752221f795f793d0baf5610c31c6cd3 (diff) | |
Revert "Move SwFntCache link from SwModify down to SwFormat"
This reverts commit 8dd78873a9de028c0d9f1f1aee537e85f74d2300, as it caused
heap-use-after-free during CppunitTest_sw_uiwriter:
> ==864890==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000e6a89c at pc 0x7f92775c8dd9 bp 0x7ffeb01b18d0 sp 0x7ffeb01b18c8
> READ of size 2 at 0x604000e6a89c thread T0
> #0 in SfxPoolItem::Which() const at include/svl/poolitem.hxx:151:53
> #1 in SwAttrHandler::FontChg(SfxPoolItem const&, SwFont&, bool) at sw/source/core/text/atrstck.cxx:571:20
> #2 in SwAttrHandler::ActivateTop(SwFont&, unsigned short) at sw/source/core/text/atrstck.cxx:515:9
> #3 in SwAttrHandler::PopAndChg(SwTextAttr const&, SwFont&) at sw/source/core/text/atrstck.cxx:450:17
> #4 in SwAttrIter::Rst(SwTextAttr const*) at sw/source/core/text/itratr.cxx:113:24
> #5 in SwAttrIter::SeekFwd(int, int) at sw/source/core/text/itratr.cxx:275:52
> #6 in SwAttrIter::Seek(o3tl::strong_int<int, Tag_TextFrameIndex>) at sw/source/core/text/itratr.cxx:418:13
> #7 in SwAttrIter::SeekAndChgAttrIter(o3tl::strong_int<int, Tag_TextFrameIndex>, OutputDevice*) at sw/source/core/text/itratr.cxx:158:11
> #8 in SwTextIter::SeekAndChg(SwTextSizeInfo&) at sw/source/core/text/itrtxt.hxx:312:12
> #9 in SwTextFormatter::CalcAscent(SwTextFormatInfo&, SwLinePortion*) at sw/source/core/text/itrform2.cxx:815:24
> #10 in SwTextFormatter::NewPortion(SwTextFormatInfo&) at sw/source/core/text/itrform2.cxx:1537:9
> #11 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) at sw/source/core/text/itrform2.cxx:707:16
[...]
> 0x604000e6a89c is located 12 bytes inside of 48-byte region [0x604000e6a890,0x604000e6a8c0)
> freed by thread T0 here:
> #0 in operator delete(void*, unsigned long) at ~/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3
> #1 in SvxFontItem::~SvxFontItem() at include/editeng/fontitem.hxx:29:25
> #2 in SfxItemPool::SetPoolDefaultItem(SfxPoolItem const&) at svl/source/items/itempool.cxx:543:13
> #3 in SwDoc::SetDefault(SfxItemSet const&) at sw/source/core/doc/docfmt.cxx:550:23
> #4 in SwDoc::SetDefault(SfxPoolItem const&) at sw/source/core/doc/docfmt.cxx:531:5
> #5 in SwXTextDefaults::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) at sw/source/core/unocore/SwXTextDefaults.cxx:118:17
> #6 in writerfilter::dmapper::DomainMapper::DomainMapper(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, com::sun::star::uno::Reference<com::sun::star::io::XInputStream> const&, com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, bool, writerfilter::dmapper::SourceDocumentType, utl::MediaDescriptor const&) at writerfilter/source/dmapper/DomainMapper.cxx:161:24
> #7 in writerfilter::dmapper::DomainMapperFactory::createMapper(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, com::sun::star::uno::Reference<com::sun::star::io::XInputStream> const&, com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, bool, writerfilter::dmapper::SourceDocumentType, utl::MediaDescriptor const&) at writerfilter/source/dmapper/domainmapperfactory.cxx:33:34
> #8 in (anonymous namespace)::WriterFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at writerfilter/source/filter/WriterFilter.cxx:185:13
> #9 in SwDOCXReader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) at sw/source/filter/docx/swdocxreader.cxx:86:18
> #10 in SwReader::Read(Reader const&) at sw/source/filter/basflt/shellio.cxx:191:22
> #11 in SwView::InsertMedium(unsigned short, std::unique_ptr<SfxMedium, std::default_delete<SfxMedium> >, short) at sw/source/uibase/uiview/view2.cxx:2309:40
[...]
> previously allocated by thread T0 here:
> #0 in operator new(unsigned long) at ~/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
> #1 in SvxFontItem::Clone(SfxItemPool*) const at editeng/source/items/textitem.cxx:297:12
> #2 in SfxItemPool::SetPoolDefaultItem(SfxPoolItem const&) at svl/source/items/itempool.cxx:538:42
> #3 in SwDoc::SetDefault(SfxItemSet const&) at sw/source/core/doc/docfmt.cxx:550:23
> #4 in SwDoc::SetDefault(SfxPoolItem const&) at sw/source/core/doc/docfmt.cxx:531:5
> #5 in SwXTextDefaults::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) at sw/source/core/unocore/SwXTextDefaults.cxx:118:17
> #6 in SvXMLImportPropertyMapper::FillPropertySet_(std::__debug::vector<XMLPropertyState, std::allocator<XMLPropertyState> > const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySetInfo> const&, rtl::Reference<XMLPropertySetMapper> const&, SvXMLImport&, ContextID_Index_Pair*) at xmloff/source/style/xmlimppr.cxx:509:27
> #7 in SvXMLImportPropertyMapper::FillPropertySet(std::__debug::vector<XMLPropertyState, std::allocator<XMLPropertyState> > const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&, ContextID_Index_Pair*) const at xmloff/source/style/xmlimppr.cxx:466:20
> #8 in XMLTextStyleContext::FillPropertySet(com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> const&) at xmloff/source/text/txtstyli.cxx:456:20
> #9 in XMLTextStyleContext::SetDefaults() at xmloff/source/text/txtstyli.cxx:234:17
> #10 in SvXMLStylesContext::CopyStylesToDoc(bool, bool) at xmloff/source/style/xmlstyle.cxx:752:37
> #11 in SwXMLImport::InsertStyles(bool) at sw/source/filter/xml/xmlfmt.cxx:999:22
[...]
Change-Id: I4df8db29054da3eb543e5524fec6cb79e8568b66
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109363
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Diffstat (limited to 'sw/inc/calbck.hxx')
| -rw-r--r-- | sw/inc/calbck.hxx | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sw/inc/calbck.hxx b/sw/inc/calbck.hxx index b5b6ff9a3e30..31df9791291b 100644 --- a/sw/inc/calbck.hxx +++ b/sw/inc/calbck.hxx @@ -178,6 +178,7 @@ class SW_DLLPUBLIC SwModify: public SwClient sw::WriterListener* m_pWriterListeners; // the start of the linked list of clients bool m_bModifyLocked : 1; // don't broadcast changes now bool m_bInCache : 1; + bool m_bInSwFntCache : 1; SwModify(SwModify const &) = delete; SwModify &operator =(const SwModify&) = delete; @@ -185,7 +186,7 @@ protected: virtual void SwClientNotify(const SwModify&, const SfxHint& rHint) override; public: SwModify() - : SwClient(), m_pWriterListeners(nullptr), m_bModifyLocked(false), m_bInCache(false) + : SwClient(), m_pWriterListeners(nullptr), m_bModifyLocked(false), m_bInCache(false), m_bInSwFntCache(false) {} // broadcasting mechanism @@ -203,9 +204,11 @@ public: void LockModify() { m_bModifyLocked = true; } void UnlockModify() { m_bModifyLocked = false; } void SetInCache( bool bNew ) { m_bInCache = bNew; } + void SetInSwFntCache( bool bNew ) { m_bInSwFntCache = bNew; } void SetInDocDTOR(); bool IsModifyLocked() const { return m_bModifyLocked; } bool IsInCache() const { return m_bInCache; } + bool IsInSwFntCache() const { return m_bInSwFntCache; } void CheckCaching( const sal_uInt16 nWhich ); bool HasOnlyOneListener() const { return m_pWriterListeners && m_pWriterListeners->IsLast(); } |