From dbfa3841018672d8af8e9bf1bdb4caf6cdf0ce7d Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Thu, 24 Nov 2016 14:18:05 +0100 Subject: tdf#103788 sw: fix use-after-free in navigator dialog The problem is that if SwContentTree::HasContentChanged() returns true, it may have deleted the SwTypeNumber instances that are referenced in SvTreeListEntry::pUserData, but it has not reset pUserData so those pointers are now used to acceess deleted objects. Also it looks like the HasContentChanged() detects additional conditions that would not cause a modified event from the document but should still cause a repaint, such as when the user moves the cursor between headings. Revert the optimization, it was a stupid idea. (regression from 329742e6c9da7cd7848d92a6846e3d1249d8d9b4) Change-Id: Idb5207e896b0638324fc41b7c214536be4ba864b (cherry picked from commit cbdf4e007650cfda4f7808402e8e24ae66d45792) Reviewed-on: https://gerrit.libreoffice.org/31194 Tested-by: Jenkins Reviewed-by: Michael Stahl
---
 sw/source/uibase/inc/conttree.hxx | 1 -
 sw/source/uibase/utlui/content.cxx | 16 ++--------------
 2 files changed, 2 insertions(+), 15 deletions(-)
(limited to 'sw')
diff --git a/sw/source/uibase/inc/conttree.hxx b/sw/source/uibase/inc/conttree.hxx
index 525d11fe4fd2..4dd2bf4db31a 100644
--- a/sw/source/uibase/inc/conttree.hxx
+++ b/sw/source/uibase/inc/conttree.hxx
@@ -96,7 +96,6 @@ class SwContentTree
     bool m_bIsOutlineMoveable :1;
     bool m_bViewHasChanged :1;
     bool m_bIsImageListInitialized : 1;
-    bool m_bActiveDocModified :1;
     static bool bIsInDrag;
diff --git a/sw/source/uibase/utlui/content.cxx b/sw/source/uibase/utlui/content.cxx
index 3ef1c67f0b6e..8493feca71c7 100644
--- a/sw/source/uibase/utlui/content.cxx
+++ b/sw/source/uibase/utlui/content.cxx
@@ -798,7 +798,6 @@ SwContentTree::SwContentTree(vcl::Window* pParent, SwNavigationPI* pDialog)
     , m_bIsOutlineMoveable(true)
     , m_bViewHasChanged(false)
     , m_bIsImageListInitialized(false)
-    , m_bActiveDocModified(false)
     , m_bIsKeySpace(false)
 {
     SetHelpId(HID_NAVIGATOR_TREELIST);
@@ -1709,8 +1708,6 @@ void SwContentTree::Display( bool bActive )
         sal_Int32 nDelta = pVScroll->GetThumbPos() - nOldScrollPos;
         ScrollOutputArea( (short)nDelta );
     }
-
-    m_bActiveDocModified = false;
 }
 void SwContentTree::Clear()
@@ -2196,12 +2193,6 @@ void SwContentTree::SetConstantShell(SwWrtShell* pSh)
 void SwContentTree::Notify(SfxBroadcaster & rBC, SfxHint const& rHint)
 {
-    if (SFX_HINT_DOCCHANGED == rHint.GetId())
-    {
-        m_bActiveDocModified = true;
-        return;
-    }
-
     SfxViewEventHint const*const pVEHint(dynamic_cast(&rHint));
     SwXTextView* pDyingShell = nullptr;
     if (m_pActiveShell && pVEHint && pVEHint->GetEventName() == "OnViewClosed")
@@ -2409,11 +2400,8 @@ IMPL_LINK_NOARG(SwContentTree, TimerUpdate, Timer *, void)
     else if( (m_bIsActive || (m_bIsConstant && pActShell == GetWrtShell())) && HasContentChanged())
     {
-        if (!m_bIsActive || m_bActiveDocModified)
-        { // don't burn cpu and redraw and flicker if not modified
-            FindActiveTypeAndRemoveUserData();
-            Display(true);
-        }
+        FindActiveTypeAndRemoveUserData();
+        Display(true);
     }
 }
 else if(!pView && m_bIsActive && !m_bIsIdleClear)
-- cgit
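Review bot: The unconditional `FindActiveTypeAndRemoveUserData(); Display(true);` now added in TimerUpdate closes the dangling-pUserData window only by call ordering: per the commit message HasContentChanged() may already have deleted the SwTypeNumber objects that SvTreeListEntry::pUserData points at, so any future caller that tests HasContentChanged() and then touches an entry before FindActiveTypeAndRemoveUserData() runs would reintroduce tdf#103788. I would at least pin that invariant above the call: `// HasContentChanged() may have freed the SwTypeNumber objects behind pUserData; they must be cleared before any entry is touched.` If HasContentChanged() really is where those objects are freed (not visible in this hunk), the more robust follow-up is to reset pUserData at the point of deletion so a stale pointer cannot survive the call at all. TimerUpdate starts before this hunk and continues after its last line.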