From f7dea2d29541256fb68436c0a4c76302832630d8 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Wed, 16 Nov 2016 13:49:18 +0100
Subject: Avoid use after free from within StatusBar::dispose

Valgrind reveals that in Writer doing "Table - Insert Table... - Insert" (so the
table-related toolbar appears at the bottom of the document window), then "File
- Exit LibreOffice - Don't Save" causes

> Invalid read of size 8
>    at 0xE87CA6C: std::__cxx1998::vector<ImplStatusItem*, std::allocator<ImplStatusItem*> >::size() const (/usr/lib/gcc/x86_64-redhat-linux/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:656)
>    by 0xE87B09F: StatusBar::GetItemCount() const (/vcl/source/window/status.cxx:1019)
>    by 0x75248D91: VCLXAccessibleStatusBar::VCLXAccessibleStatusBar(VCLXWindow*) (/accessibility/source/standard/vclxaccessiblestatusbar.cxx:43)
>    by 0x75201C37: (anonymous namespace)::AccessibleFactory::createAccessibleContext(VCLXWindow*) (/accessibility/source/helper/acc_factory.cxx:312)
>    by 0xD27B191: VCLXWindow::CreateAccessibleContext() (/toolkit/source/awt/vclxwindow.cxx:862)
>    by 0xD2862AC: VCLXWindow::getAccessibleContext() (/toolkit/source/awt/vclxwindow.cxx:2375)
>    by 0xD2864AF: non-virtual thunk to VCLXWindow::getAccessibleContext() (/toolkit/source/awt/vclxwindow.cxx:0)
>    by 0x2A5CF0CD: AtkListener::handleChildRemoved(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&) (/vcl/unx/gtk3/a11y/../../gtk/a11y/atklistener.cxx:200)
>    by 0x2A5CF646: AtkListener::notifyEvent(com::sun::star::accessibility::AccessibleEventObject const&) (/vcl/unx/gtk3/a11y/../../gtk/a11y/atklistener.cxx:301)
>    by 0x77D6DB7: comphelper::AccessibleEventNotifier::addEvent(unsigned int, com::sun::star::accessibility::AccessibleEventObject const&) (/comphelper/source/misc/accessibleeventnotifier.cxx:277)
>    by 0x77D4219: comphelper::OAccessibleContextHelper::NotifyAccessibleEvent(short, com::sun::star::uno::Any const&, com::sun::star::uno::Any const&) (/comphelper/source/misc/accessiblecontexthelper.cxx:186)
>    by 0xD1FB887: VCLXAccessibleComponent::ProcessWindowEvent(VclWindowEvent const&) (/toolkit/source/awt/vclxaccessiblecomponent.cxx:210)
>    by 0xD1FAEC0: VCLXAccessibleComponent::WindowEventListener(VclWindowEvent&) (/toolkit/source/awt/vclxaccessiblecomponent.cxx:125)
>    by 0xD1F9C87: VCLXAccessibleComponent::LinkStubWindowEventListener(void*, VclWindowEvent&) (/toolkit/source/awt/vclxaccessiblecomponent.cxx:114)
>    by 0xE797CD7: Link<VclWindowEvent&, void>::Call(VclWindowEvent&) const (/include/tools/link.hxx:84)
>    by 0xE794189: vcl::Window::CallEventListeners(unsigned long, void*) (/vcl/source/window/event.cxx:240)
>    by 0xE8EDC9F: vcl::Window::dispose() (/vcl/source/window/window.cxx:172)
>    by 0xE875B9B: StatusBar::dispose() (/vcl/source/window/status.cxx:170)
>    by 0xEAD71EE: VclReferenceBase::disposeOnce() (/vcl/source/outdev/vclreferencebase.cxx:42)
>    by 0x3AA25A76: VclPtr<StatusBar>::disposeAndClear() (/include/vcl/vclptr.hxx:231)
>    by 0x3AC1CF0D: framework::StatusBarManager::dispose() (/framework/source/uielement/statusbarmanager.cxx:202)
>    by 0x3AC2936D: framework::StatusBarWrapper::dispose() (/framework/source/uielement/statusbarwrapper.cxx:75)
>    by 0x3AA4F246: framework::LayoutManager::implts_destroyStatusBar() (/framework/source/layoutmanager/layoutmanager.cxx:840)
>    by 0x3AA4EF68: framework::LayoutManager::implts_destroyElements() (/framework/source/layoutmanager/layoutmanager.cxx:443)
>    by 0x3AA4ED7E: framework::LayoutManager::implts_reset(bool) (/framework/source/layoutmanager/layoutmanager.cxx:412)
>    by 0x3AA5E683: framework::LayoutManager::frameAction(com::sun::star::frame::FrameActionEvent const&) (/framework/source/layoutmanager/layoutmanager.cxx:2814)
>    by 0x3AB0A30C: (anonymous namespace)::Frame::implts_sendFrameActionEvent(com::sun::star::frame::FrameAction const&) (/framework/source/services/frame.cxx:3110)
>    by 0x3AB0299D: (anonymous namespace)::Frame::setComponent(com::sun::star::uno::Reference<com::sun::star::awt::XWindow> const&, com::sun::star::uno::Reference<com::sun::star::frame::XController> const&) (/framework/source/services/frame.cxx:1557)
>    by 0x3AB055AB: (anonymous namespace)::Frame::close(unsigned char) (/framework/source/services/frame.cxx:1801)
>    by 0x3AAF1DC4: framework::Desktop::impl_closeFrames(bool) (/framework/source/services/desktop.cxx:1698)
>    by 0x3AAF132A: framework::Desktop::terminate() (/framework/source/services/desktop.cxx:230)
>    by 0x3A9D71CA: framework::CloseDispatcher::implts_terminateApplication() (/framework/source/dispatch/closedispatcher.cxx:562)
>    by 0x3A9D632C: framework::CloseDispatcher::impl_asyncCallback(LinkParamNone*) (/framework/source/dispatch/closedispatcher.cxx:410)
>    by 0x3A9D49D7: framework::CloseDispatcher::LinkStubimpl_asyncCallback(void*, LinkParamNone*) (/framework/source/dispatch/closedispatcher.cxx:254)
>    by 0xE9B4BE7: Link<LinkParamNone*, void>::Call(LinkParamNone*) const (/include/tools/link.hxx:84)
>    by 0xEE027A7: vcl::EventPoster::DoEvent_Impl(void*) (/vcl/source/helper/evntpost.cxx:52)
>    by 0xEE02767: vcl::EventPoster::LinkStubDoEvent_Impl(void*, void*) (/vcl/source/helper/evntpost.cxx:48)
>    by 0xE91FC17: Link<void*, void>::Call(void*) const (/include/tools/link.hxx:84)
>    by 0xE91CE8B: ImplHandleUserEvent(ImplSVEvent*) (/vcl/source/window/winproc.cxx:1957)
>    by 0xE91A33F: ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (/vcl/source/window/winproc.cxx:2507)
>    by 0xEFEA88D: SalFrame::CallCallback(SalEvent, void const*) const (/vcl/inc/salframe.hxx:276)
>    by 0xEFFF457: SalGenericDisplay::DispatchInternalEvent() (/vcl/unx/generic/app/gendisp.cxx:86)
>  Address 0x6ccc64b0 is 32 bytes inside a block of size 56 free'd
>    at 0x4C2D22A: operator delete(void*) (/builddir/build/BUILD/valgrind-3.11.0/coregrind/m_replacemalloc/vg_replace_malloc.c:576)
>    by 0xE875B47: StatusBar::dispose() (/vcl/source/window/status.cxx:165)

It looks rather pointless that StatusBar::dispose causes instantiation of a
VCLXAccessibleStatusBar, but not sure what would be the right level to fix this.
So work around it by making the pointlessly pointer mpItemList non-pointer, and
clearing it in StatusBar::dispose, so that a latter call to
StatusBar::GetItemCount returns 0 (which appears to be OK for the needs of that
zombie VCLXAccessibleStatusBar).

Change-Id: I1e982a335cb78e87a6c16633174bca76b59c6049
---
 include/vcl/status.hxx | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'include/vcl/status.hxx')

diff --git a/include/vcl/status.hxx b/include/vcl/status.hxx
index a270663ed362..518ba6ab4a62 100644
--- a/include/vcl/status.hxx
+++ b/include/vcl/status.hxx
@@ -27,8 +27,6 @@
 #include <vector>
 
 struct ImplStatusItem;
-typedef ::std::vector< ImplStatusItem* > ImplStatusItemList;
-
 
 void VCL_DLLPUBLIC DrawProgress(vcl::Window* pWindow, vcl::RenderContext& rRenderContext, const Point& rPos,
                                 long nOffset, long nPrgsWidth, long nPrgsHeight,
@@ -61,7 +59,7 @@ class VCL_DLLPUBLIC StatusBar : public vcl::Window
 {
     class   ImplData;
 private:
-    ImplStatusItemList* mpItemList;
+    std::vector<ImplStatusItem *> mpItemList;
     ImplData*           mpImplData;
     OUString            maPrgsTxt;
     Point               maPrgsTxtPos;
-- 
cgit