diff options
| author | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-01-15 22:29:31 +0100 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-01-16 13:36:02 +0100 |
| commit | ecd855794b22c0f7e6fb2f362b566c4d9c5f624a (patch) | |
| tree | 5f83a902cb9efefc5288aed727beee6538e0d1a7 /sw/qa/extras | |
| parent | 624f84c07ee798f6bbf4381c26262d5d2774a1ed (diff) | |
tdf#114536 sw: fix use-after-free in SwTextFormatter::MergeCharacterBorder()
SwTextFormatter::Underflow() truncated a line portion, which deletes the
rest of the line portions, but left m_pFirstOfBorderMerge unchanged,
leading to a crash when SwTextFormatter::MergeCharacterBorder() tried to
access it.
Fix the problem by updating the non-owning m_pFirstOfBorderMerge
accordingly when truncating the line portion.
Change-Id: I5e445bbe2424d70d60c363fa4e3a00636e282325
Reviewed-on: https://gerrit.libreoffice.org/47923
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Diffstat (limited to 'sw/qa/extras')
| -rw-r--r-- | sw/qa/extras/uiwriter/data/tdf114536.odt | bin | 0 -> 13623 bytes | |||
| -rw-r--r-- | sw/qa/extras/uiwriter/uiwriter.cxx | 9 |
2 files changed, 9 insertions, 0 deletions
diff --git a/sw/qa/extras/uiwriter/data/tdf114536.odt b/sw/qa/extras/uiwriter/data/tdf114536.odt Binary files differnew file mode 100644 index 000000000000..4ad9c7f1f494 --- /dev/null +++ b/sw/qa/extras/uiwriter/data/tdf114536.odt diff --git a/sw/qa/extras/uiwriter/uiwriter.cxx b/sw/qa/extras/uiwriter/uiwriter.cxx index 9f4597486f3e..1e8d7431bc52 100644 --- a/sw/qa/extras/uiwriter/uiwriter.cxx +++ b/sw/qa/extras/uiwriter/uiwriter.cxx @@ -296,6 +296,7 @@ public: void testTdf114306(); void testTdf113481(); void testTdf115013(); + void testTdf114536(); CPPUNIT_TEST_SUITE(SwUiWriterTest); CPPUNIT_TEST(testReplaceForward); @@ -471,6 +472,7 @@ public: CPPUNIT_TEST(testTdf114306); CPPUNIT_TEST(testTdf113481); CPPUNIT_TEST(testTdf115013); + CPPUNIT_TEST(testTdf114536); CPPUNIT_TEST_SUITE_END(); private: @@ -5546,6 +5548,13 @@ void SwUiWriterTest::testSectionInTableInTable() createDoc("tdf112109.fodt"); } +void SwUiWriterTest::testTdf114536() +{ + // This crashed in SwTextFormatter::MergeCharacterBorder() due to a + // use after free. + createDoc("tdf114536.odt"); +} + void SwUiWriterTest::testSectionInTableInTable2() { createDoc("split-section-in-nested-table.fodt"); |