From 583185235389b55d6cfffac3067c0e1ccb2852b1 Mon Sep 17 00:00:00 2001
From: Justin Luth <justin_luth@sil.org>
Date: Wed, 2 Feb 2022 11:00:07 +0200
Subject: related tdf#145868 sd: Clone SvxSearchItem to avoid use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I tested "if (mpSearchItem)" which passed, but then it
crashed when trying to access (*mpSearchItem) == (*pSearchItem)
because the mpSearchItem's DTOR had already been called
prior to the if(mpSearchItem).

Since mpSearchItem is never compared to another
memory pointer, it is safe to assign it to a Clone.

Steps to reproduce:
1.) open Impress and search for something
2.) change the search string to something else
3.) search again.

Note that there isn't currently any code that hits this.
I discovered it trying to craft a fix for bug 145868.

Change-Id: Idc5f5a3e812ed3e49631347c35c3f4b2d8bb4127
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129347
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Justin Luth <jluth@mail.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
---
 sd/inc/Outliner.hxx            | 2 +-
 sd/source/ui/view/Outliner.cxx | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

(limited to 'sd')

diff --git a/sd/inc/Outliner.hxx b/sd/inc/Outliner.hxx
index 772040f7a610..4a7100db3bb1 100644
--- a/sd/inc/Outliner.hxx
+++ b/sd/inc/Outliner.hxx
@@ -316,7 +316,7 @@ private:
         search.  It is set every time the
         <member>SearchAndReplaceAll</member> method is called.
     */
-    const SvxSearchItem* mpSearchItem;
+    std::unique_ptr<const SvxSearchItem> mpSearchItem;
 
     /// The actual object iterator.
     ::sd::outliner::Iterator maObjectIterator;
diff --git a/sd/source/ui/view/Outliner.cxx b/sd/source/ui/view/Outliner.cxx
index 0f77f2070219..23353ba87c82 100644
--- a/sd/source/ui/view/Outliner.cxx
+++ b/sd/source/ui/view/Outliner.cxx
@@ -154,7 +154,6 @@ SdOutliner::SdOutliner( SdDrawDocument* pDoc, OutlinerMode nMode )
       meStartEditMode(EditMode::Page),
       mnStartPageIndex(sal_uInt16(-1)),
       mpStartEditedObject(nullptr),
-      mpSearchItem(nullptr),
       mbPrepareSpellingPending(true)
 {
     SetStyleSheetPool(static_cast<SfxStyleSheetPool*>( mpDrawDocument->GetStyleSheetPool() ));
@@ -464,7 +463,7 @@ bool SdOutliner::StartSearchAndReplace (const SvxSearchItem* pSearchItem)
     if ( ! bAbort)
     {
         meMode = SEARCH;
-        mpSearchItem = pSearchItem;
+        mpSearchItem = std::unique_ptr<SvxSearchItem>(pSearchItem->Clone());
 
         mbFoundObject = false;
 
-- 
cgit