lo/core - LibreOffice 核心代码仓库

diff options

author	Stephan Bergmann <sbergman@redhat.com>	2020-01-07 18:06:09 +0100
committer	Stephan Bergmann <sbergman@redhat.com>	2020-01-07 20:28:35 +0100
commit	4d59436258702251a881a007ccc52ffd5a3eeb38 (patch)
tree	985e99a9b6288f19451a2a4e0a98fb15345a31ad /unoidl
parent	386248c9c2de669c211ba5a06afc8466f14c542b (diff)

Fix SfxPoolItem use-after-free

...as observed with -fsanitize=address in Draw, after drawing some rectangle (so that there is at least one marked object) doing "Format - Area... - Area - Bitmap": > ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004aca50 at pc 0x7f14d0ef5fe1 bp 0x7ffd966c6cb0 sp 0x7ffd966c6ca8 > READ of size 4 at 0x6030004aca50 thread T0 > #0 in CntUInt32Item::GetValue() const at include/svl/cintitem.hxx:163:42 > #1 in SvxBitmapTabPage::Reset(SfxItemSet const*) at cui/source/tabpages/tpbitmap.cxx:278:124 > #2 in SvxAreaTabPage::CreatePage(int, SfxTabPage*) at cui/source/tabpages/tparea.cxx:448:21 > #3 in SvxAreaTabPage::SelectFillType(weld::ToggleButton&, SfxItemSet const*) at cui/source/tabpages/tparea.cxx:381:9 > #4 in SvxAreaTabPage::SelectFillTypeHdl_Impl(weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:364:5 > #5 in SvxAreaTabPage::LinkStubSelectFillTypeHdl_Impl(void*, weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:358:1 > #6 in Link<weld::ToggleButton&, void>::Call(weld::ToggleButton&) const at include/tools/link.hxx:111:45 > #7 in weld::ToggleButton::signal_toggled() at include/vcl/weld.hxx:1130:42 [...] > 0x6030004aca50 is located 16 bytes inside of 24-byte region [0x6030004aca40,0x6030004aca58) > freed by thread T0 here: > #0 in operator delete(void*, unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3 > #1 in SfxUInt32Item::~SfxUInt32Item() at include/svl/intitem.hxx:113:21 > #2 in SfxItemPool::Remove(SfxPoolItem const&) at svl/source/items/itempool.cxx:710:13 > #3 in SfxItemSet::~SfxItemSet() at svl/source/items/itemset.cxx:252:42 > #4 in SvxBitmapTabPage::Reset(SfxItemSet const*) at cui/source/tabpages/tpbitmap.cxx:276:9 > #5 in SvxAreaTabPage::CreatePage(int, SfxTabPage*) at cui/source/tabpages/tparea.cxx:448:21 > #6 in SvxAreaTabPage::SelectFillType(weld::ToggleButton&, SfxItemSet const*) at cui/source/tabpages/tparea.cxx:381:9 > #7 in SvxAreaTabPage::SelectFillTypeHdl_Impl(weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:364:5 > #8 in SvxAreaTabPage::LinkStubSelectFillTypeHdl_Impl(void*, weld::ToggleButton&) at cui/source/tabpages/tparea.cxx:358:1 > #9 in Link<weld::ToggleButton&, void>::Call(weld::ToggleButton&) const at include/tools/link.hxx:111:45 This appears to be broken ever since d543d66a4ee34d3b0088f45951b56c150f7206ec "tdf#104615: there's no mpView when opening odc directly". Change-Id: Id0b3991f3e953ca5b10f466daab890383b0428ca Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86368 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>

Diffstat (limited to 'unoidl')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: