sw/inc/fchrfmt.hxx | 6 +++++- sw/source/core/doc/docnew.cxx | 12 ------------ sw/source/core/para/paratr.cxx | 1 + sw/source/core/unocore/SwXTextDefaults.cxx | 3 +++ sw/source/core/unocore/unoobj.cxx | 4 +--- sw/source/core/unocore/unostyle.cxx | 5 ++++- 6 files changed, 14 insertions(+), 17 deletions(-)
New commits: commit 6d51bb3d54ac52e4870bd00a21fce3a3b1c5010b Author: Jochen Nitschke <j.nitschke+loger...@ok.de> Date: Wed May 10 22:56:35 2017 +0200 tdf#106424 fix crash in SfxItemPool::Put This fix reverts commit 304d3856c138fb54ff536f41be3eff26ab4d6315 Date: Wed Oct 16 07:55:09 2002 +0000 #103124# possible unremoved SwFmt object fixed and commit fab98924e01f211c1d1fc5823c0867019b590c60 Date: Wed Oct 16 10:18:26 2002 +0000 #103152# possible unremoved SwFmt object fixed as they are causing crashes: http://crashreport.libreoffice.org/stats/signature /SfxItemPool::Put(SfxPoolItem%20const%20&,unsigned%20short) The comments suggest there was/is a use-after-free when SwFormatCharFormat is changed with API. This happens in unoobj.cxx and unostyle.cxx by SwFormatDrop::SetCharFormat(). With following changes: commit bf2ae97a223df987d6b9bc649afe311b5421f61e INTEGRATION: CWS os7 (1.64.4.3.34); FILE MERGED 2003/03/25 14:23:43 os 1.64.4.3.34.1: #104245# table mode added to the SwXTextCursor::SetPropertyValue attribute list; 'Standard' character format not allowed as drop cap char style and commit 9625366d0b2fd36a57c6283a4a80c47b80d57707 INTEGRATION: CWS os8 (1.64.4.3.48); FILE MERGED 2003/04/09 09:11:53 os 1.64.4.3.48.3: #104245# Default not allowed as DropCapCharStyleName, too in unoobj.cxx, setting the documents' default SwFormatCharFormat is rejected by throwing an exception. Likely to fix the same issue as the first 2 commits. So we do the same in unostyle.cxx now too. Add an assert in SwFormatCharFormat::SetCharFormat and SwFormatDrop::SetCharFormat, to uncover other changes to the default SwFormatCharFormat or SwFormatDrop. Such an case could happen in SwXTextDefaults::setPropertyValue where we bail out now. Change-Id: Iac59dffbd6285dd28d1000a8eacda8ffd3bdc962 Reviewed-on: https://gerrit.libreoffice.org/37499 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Michael Stahl <mst...@redhat.com> 
diff --git a/sw/inc/fchrfmt.hxx b/sw/inc/fchrfmt.hxx index 2d6c77f20d7d..90314b18d437 100644 --- a/sw/inc/fchrfmt.hxx +++ b/sw/inc/fchrfmt.hxx @@ -62,7 +62,11 @@ public: virtual bool GetInfo( SfxPoolItem& rInfo ) const override; - void SetCharFormat( SwFormat* pFormat ) { pFormat->Add(this); } + void SetCharFormat( SwFormat* pFormat ) + { + assert(!pFormat->IsDefault()); // expose cases that lead to use-after-free + pFormat->Add(this); + } SwCharFormat* GetCharFormat() const { return const_cast<SwCharFormat*>(static_cast<const SwCharFormat*>(GetRegisteredIn())); } }; #endif diff --git a/sw/source/core/doc/docnew.cxx b/sw/source/core/doc/docnew.cxx index cb2a35160691..3d7b813fe964 100644 --- a/sw/source/core/doc/docnew.cxx +++ b/sw/source/core/doc/docnew.cxx @@ -41,8 +41,6 @@ #include <svl/zforlist.hxx> #include <unotools/lingucfg.hxx> #include <svx/svdpage.hxx> -#include <paratr.hxx> -#include <fchrfmt.hxx> #include <fmtcntnt.hxx> #include <fmtanchr.hxx> #include <fmtfsize.hxx> @@ -384,16 +382,6 @@ SwDoc::~SwDoc() delete mpGrammarContact; mpGrammarContact = nullptr; - //!! needs to be done to destroy a possible SwFormatDrop format that may - //!! be connected to a char format which may not otherwise be removed - //!! and thus would leave a unremoved SwFormat object. (TL) - //!! (this is case is not possible via UI but via API...) - SwFormatDrop aDrop; - SetDefault(aDrop); - //!! same for SwFormatCharFormat - SwFormatCharFormat aCharFormat(nullptr); - SetDefault(aCharFormat); - getIDocumentTimerAccess().StopIdling(); // stop idle timer delete mpURLStateChgd; diff --git a/sw/source/core/para/paratr.cxx b/sw/source/core/para/paratr.cxx index a47786c373a2..aa76115b6528 100644 --- a/sw/source/core/para/paratr.cxx +++ b/sw/source/core/para/paratr.cxx 
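Review bot: The new `assert(!pFormat->IsDefault())` in `SwFormatCharFormat::SetCharFormat` is a debug-only check, so when assertions are compiled out nothing in this function stops a default format from being registered. The use-after-free named in the comment is then prevented only by the caller-side checks this commit relies on in SwXTextDefaults.cxx, unoobj.cxx and unostyle.cxx. Because the same commit drops the reset in `SwDoc::~SwDoc()`, a caller not covered by those checks would reach the original condition in a release build. I would document the contract on the function, e.g. `// precondition: pFormat->IsDefault() is false; callers must reject default formats, the assert only checks this in debug builds`. If other callers of `SetCharFormat` exist (not visible in this diff), they should be audited or given a runtime guard.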
@@ -64,6 +64,7 @@ SwFormatDrop::~SwFormatDrop() void SwFormatDrop::SetCharFormat( SwCharFormat *pNew ) { + assert(!pNew->IsDefault()); // expose cases that lead to use-after-free // Rewire if ( GetRegisteredIn() ) GetRegisteredInNonConst()->Remove( this ); diff --git a/sw/source/core/unocore/SwXTextDefaults.cxx b/sw/source/core/unocore/SwXTextDefaults.cxx index fd3c90d5d1d6..17b62c0afd98 100644 --- a/sw/source/core/unocore/SwXTextDefaults.cxx +++ b/sw/source/core/unocore/SwXTextDefaults.cxx @@ -92,6 +92,9 @@ void SAL_CALL SwXTextDefaults::setPropertyValue( const OUString& rPropertyName, if(pStyle) { rtl::Reference< SwDocStyleSheet > xStyle( new SwDocStyleSheet( *pStyle ) ); + if (xStyle->GetCharFormat() == m_pDoc->GetDfltCharFormat()) + return; // don't SetCharFormat with formats from mpDfltCharFormat + if (RES_PARATR_DROP == pMap->nWID) { pDrop = static_cast<SwFormatDrop*>(rItem.Clone()); // because rItem is const... diff --git a/sw/source/core/unocore/unoobj.cxx b/sw/source/core/unocore/unoobj.cxx index 50e2289c0057..7983e3c1a9d5 100644 --- a/sw/source/core/unocore/unoobj.cxx +++ b/sw/source/core/unocore/unoobj.cxx @@ -414,9 +414,7 @@ lcl_setDropcapCharStyle(SwPaM & rPam, SfxItemSet & rItemSet, SwDocStyleSheet *const pStyle = static_cast<SwDocStyleSheet*>( pDoc->GetDocShell() ->GetStyleSheetPool()->Find(sStyle, SfxStyleFamily::Char)); - if (!pStyle || - (static_cast<SwDocStyleSheet*>(pStyle)->GetCharFormat() == - pDoc->GetDfltCharFormat())) + if (!pStyle || pStyle->GetCharFormat() == pDoc->GetDfltCharFormat()) { throw lang::IllegalArgumentException(); } diff --git a/sw/source/core/unocore/unostyle.cxx b/sw/source/core/unocore/unostyle.cxx index 7d83d0b147f4..f9d3a06acbf2 100644 --- a/sw/source/core/unocore/unostyle.cxx +++ b/sw/source/core/unocore/unostyle.cxx 
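Review bot: The added `assert(!pNew->IsDefault())` at the top of `SwFormatDrop::SetCharFormat` dereferences `pNew` unconditionally. If the rest of the function, which continues outside this hunk, accepts a null `pNew` to detach the drop cap from its character format, the assert turns that valid call into a null dereference in assert-enabled builds. Unless null is ruled out for every caller, the check should be `assert(!pNew || !pNew->IsDefault());`. As with the header-side assert, this only detects the bad call in debug builds and does not prevent the use-after-free in release builds.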
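Review bot: The early `return` added in `SwXTextDefaults::setPropertyValue` silently drops the request when the style resolves to `m_pDoc->GetDfltCharFormat()`, while the same condition in unoobj.cxx and unostyle.cxx throws `lang::IllegalArgumentException`. An API client setting this property gets no indication that its value was rejected, and the three entry points now behave differently for the same invalid input. Unless the silent path is deliberate, `throw lang::IllegalArgumentException();` would match the other two sites; if it is deliberate, the comment should say why, e.g. `// silently ignored for compatibility: ...`. The function starts and continues outside the hunk, so its exception specification could not be checked from here.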
@@ -1921,8 +1921,11 @@ void SwXStyle::SetPropertyValue<RES_PARATR_DROP>(const SfxItemPropertySimpleEntr OUString sStyle; SwStyleNameMapper::FillUIName(sValue, sStyle, SwGetPoolIdFromName::ChrFmt, true); auto pStyle(static_cast<SwDocStyleSheet*>(m_pDoc->GetDocShell()->GetStyleSheetPool()->Find(sStyle, SfxStyleFamily::Char))); - if(!pStyle) + //default character style must not be set as default format + if(!pStyle || pStyle->GetCharFormat() == m_pDoc->GetDfltCharFormat() ) + { throw lang::IllegalArgumentException(); + } pDrop->SetCharFormat(pStyle->GetCharFormat()); rStyleSet.Put(*pDrop); } _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
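Review bot: The added comment `//default character style must not be set as default format` does not describe the check beneath it, which rejects the document's default character format as the drop cap's character format before `pDrop->SetCharFormat(...)` is called. A maintainer reading it would not connect this guard to the use-after-free that the new asserts are meant to expose. I would reword it to `// the document's default char format must not become the drop cap char format (use-after-free, see assert in SwFormatDrop::SetCharFormat)`. The exception is thrown without a message, so adding one would tell API callers which argument was refused. The body of `SetPropertyValue<RES_PARATR_DROP>` begins outside this hunk.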