include/oox/vml/vmlshapecontainer.hxx | 8 ++++---- include/oox/vml/vmlshapecontext.hxx | 9 +++++---- oox/source/vml/vmlshapecontainer.cxx | 4 ++-- oox/source/vml/vmlshapecontext.cxx | 30 ++++++++++++++++++------------ 4 files changed, 29 insertions(+), 22 deletions(-)
New commits: commit 561cf96d8e91adf141d165b818bb2be6e3e97f90 Author: Michael Stahl <mst...@redhat.com> Date: Wed Sep 13 10:48:38 2017 +0200 tdf#112311 oox: fix UAF of std::shared_ptr OOXMLFastContextHandlerShape::sendShape() deletes the parent context's ShapeTypeContext::mrTypeModel. It looks like the sendShape() can't be delayed because writerfilter wants to import the v:textbox content into a text frame. Keep the shape alive until the end of the containing context. Not sure if it's going to process the v:fill element properly, but at lest valgrind is happy. (probably regression from CWS writerfilter32bugfixes01) Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0 (cherry picked from commit 88c84e71e2559ec6d0b4f8c5101a149daa4a2b2b) Reviewed-on: https://gerrit.libreoffice.org/42249 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> diff --git a/include/oox/vml/vmlshapecontainer.hxx b/include/oox/vml/vmlshapecontainer.hxx index 76e294fc279d..692beafad555 100644 --- a/include/oox/vml/vmlshapecontainer.hxx +++ b/include/oox/vml/vmlshapecontainer.hxx @@ -61,10 +61,10 @@ public: Drawing& getDrawing() { return mrDrawing; } /** Creates and returns a new shape template object. */ - ShapeType& createShapeType(); + std::shared_ptr<ShapeType> createShapeType(); /** Creates and returns a new shape object of the specified type. */ template< typename ShapeT > - ShapeT& createShape(); + std::shared_ptr<ShapeT> createShape(); /** Final processing after import of the drawing fragment. */ void finalizeFragmentImport(); @@ -123,11 +123,11 @@ private: template< typename ShapeT > -ShapeT& ShapeContainer::createShape() +std::shared_ptr<ShapeT> ShapeContainer::createShape() { std::shared_ptr< ShapeT > xShape( new ShapeT( mrDrawing ) ); maShapes.push_back( xShape ); - return *xShape; + return xShape; } template< typename Functor 
> diff --git a/include/oox/vml/vmlshapecontext.hxx b/include/oox/vml/vmlshapecontext.hxx index 1c1565b62397..14533b8b35ab 100644 --- a/include/oox/vml/vmlshapecontext.hxx +++ b/include/oox/vml/vmlshapecontext.hxx @@ -99,7 +99,7 @@ class ShapeTypeContext : public ShapeContextBase public: explicit ShapeTypeContext( ::oox::core::ContextHandler2Helper& rParent, - ShapeType& rShapeType, + std::shared_ptr<ShapeType> const& pShapeType, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -113,6 +113,7 @@ private: OptValue< OUString > decodeFragmentPath( const AttributeList& rAttribs, sal_Int32 nToken ) const; private: + std::shared_ptr<ShapeType> m_pShapeType; ShapeTypeModel& mrTypeModel; }; @@ -122,7 +123,7 @@ class ShapeContext : public ShapeTypeContext public: explicit ShapeContext( ::oox::core::ContextHandler2Helper& rParent, - ShapeBase& rShape, + std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -155,7 +156,7 @@ class GroupShapeContext : public ShapeContext public: explicit GroupShapeContext( ::oox::core::ContextHandler2Helper& rParent, - GroupShape& rShape, + std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -172,7 +173,7 @@ public: explicit RectangleShapeContext( ::oox::core::ContextHandler2Helper& rParent, const AttributeList& rAttribs, - RectangleShape& rShape ); + std::shared_ptr<RectangleShape> pShape); virtual ::oox::core::ContextHandlerRef onCreateContext( sal_Int32 nElement, const AttributeList& rAttribs ) override; diff --git a/oox/source/vml/vmlshapecontainer.cxx b/oox/source/vml/vmlshapecontainer.cxx index 055365202d5d..31359f862fba 100644 --- a/oox/source/vml/vmlshapecontainer.cxx +++ b/oox/source/vml/vmlshapecontainer.cxx 
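Review bot: The doc comments on `createShapeType()` and `createShape()` in the first hunk of vmlshapecontainer.hxx still say only that a new object is created and returned, and do not say what the new return type means for ownership. `createShape()` pushes `xShape` into `maShapes` and returns the same `std::shared_ptr`, so the caller becomes a co-owner and a held pointer may refer to a shape the container no longer tracks. I would extend both comments along the lines of `/** ... The container keeps its own reference; the returned pointer is never null and shares ownership. */`.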
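Review bot: `m_pShapeType` is added to `ShapeTypeContext` in vmlshapecontext.hxx without a comment, although it exists only to pin the object that `mrTypeModel` refers to. The derived contexts in vmlshapecontext.cxx keep further raw references (`mrShape`, `mrShapeModel`, `mrShapes`) that stay valid only because of this private base member. A comment such as `/// Owns the shape for the lifetime of this context; mrTypeModel and the reference members of derived contexts point into it (tdf#112311).` would stop a later cleanup from removing it as unused. The declaration order, owner before `mrTypeModel`, matches the initializer list and is worth keeping.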
@@ -59,11 +59,11 @@ ShapeContainer::~ShapeContainer() { } -ShapeType& ShapeContainer::createShapeType() +std::shared_ptr<ShapeType> ShapeContainer::createShapeType() { std::shared_ptr< ShapeType > xShape( new ShapeType( mrDrawing ) ); maTypes.push_back( xShape ); - return *xShape; + return xShape; } void ShapeContainer::finalizeFragmentImport() diff --git a/oox/source/vml/vmlshapecontext.cxx b/oox/source/vml/vmlshapecontext.cxx index 9311351601d5..fc5a15dcb289 100644 --- a/oox/source/vml/vmlshapecontext.cxx +++ b/oox/source/vml/vmlshapecontext.cxx @@ -266,9 +266,12 @@ ContextHandlerRef ShapeContextBase::createShapeContext( ContextHandler2Helper& r return nullptr; } -ShapeTypeContext::ShapeTypeContext( ContextHandler2Helper& rParent, ShapeType& rShapeType, const AttributeList& rAttribs ) : - ShapeContextBase( rParent ), - mrTypeModel( rShapeType.getTypeModel() ) +ShapeTypeContext::ShapeTypeContext(ContextHandler2Helper& rParent, + std::shared_ptr<ShapeType> const& pShapeType, + const AttributeList& rAttribs) + : ShapeContextBase(rParent) + , m_pShapeType(pShapeType) // tdf#112311 keep it alive + , mrTypeModel( pShapeType->getTypeModel() ) { // shape identifier and shape name bool bHasOspid = rAttribs.hasAttribute( O_TOKEN( spid ) ); @@ -439,10 +442,11 @@ void ShapeTypeContext::setStyle( const OUString& rStyle ) } } -ShapeContext::ShapeContext( ContextHandler2Helper& rParent, ShapeBase& rShape, const AttributeList& rAttribs ) : - ShapeTypeContext( rParent, rShape, rAttribs ), - mrShape( rShape ), - mrShapeModel( rShape.getShapeModel() ) +ShapeContext::ShapeContext(ContextHandler2Helper& rParent, + std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs) + : ShapeTypeContext( rParent, pShape, rAttribs ) + , mrShape( *pShape ) + , mrShapeModel( pShape->getShapeModel() ) { // collect shape specific attributes mrShapeModel.maType = rAttribs.getXString( XML_type, OUString() ); 
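Review bot: `mrTypeModel( pShapeType->getTypeModel() )` in the `ShapeTypeContext` constructor dereferences the new pointer parameter unconditionally, whereas the old `ShapeType&` parameter could not express a null argument. Both factory functions changed in this commit return a freshly allocated object, so the callers they feed are safe, but the constructor is declared in a header under include/ and other callers are not visible here. I would state the non-null precondition in the header and check it in debug builds, for example `assert(m_pShapeType && "ShapeTypeContext requires a shape");` as the first statement of the body. The same applies to `mrShape( *pShape )` in the `ShapeContext` constructor in the next hunk; the constructor body continues outside this hunk.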
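Review bot: `pShape` is taken by value in the `ShapeContext` constructor but is read again after it has been handed to the base class: `mrShape( *pShape )` and `mrShapeModel( pShape->getShapeModel() )` run after `ShapeTypeContext( rParent, pShape, rAttribs )`. That is correct as written, but the usual by-value-then-`std::move` idiom must not be applied to the base-class argument, because the converting move to `std::shared_ptr<ShapeType>` would leave `pShape` empty before those two initializers run. Either add `// pShape is read again below, do not move it into the base` or take the parameter as `std::shared_ptr<ShapeBase> const&` like `ShapeTypeContext` does, which also avoids an extra reference-count update. `GroupShapeContext` (`mrShapes( pShape->getChildren() )`) in the following hunk has the same pattern; `RectangleShapeContext` only forwards the pointer.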
@@ -529,9 +533,10 @@ void ShapeContext::setVmlPath( const OUString& rPath ) mrShapeModel.maVmlPath = rPath; } -GroupShapeContext::GroupShapeContext( ContextHandler2Helper& rParent, GroupShape& rShape, const AttributeList& rAttribs ) : - ShapeContext( rParent, rShape, rAttribs ), - mrShapes( rShape.getChildren() ) +GroupShapeContext::GroupShapeContext(ContextHandler2Helper& rParent, + std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs) + : ShapeContext( rParent, pShape, rAttribs ) + , mrShapes( pShape->getChildren() ) { } @@ -543,8 +548,9 @@ ContextHandlerRef GroupShapeContext::onCreateContext( sal_Int32 nElement, const return xContext.get() ? xContext : ShapeContext::onCreateContext( nElement, rAttribs ); } -RectangleShapeContext::RectangleShapeContext( ContextHandler2Helper& rParent, const AttributeList& rAttribs, RectangleShape& rShape ) : - ShapeContext( rParent, rShape, rAttribs ) +RectangleShapeContext::RectangleShapeContext(ContextHandler2Helper& rParent, + const AttributeList& rAttribs, std::shared_ptr<RectangleShape> pShape) + : ShapeContext( rParent, pShape, rAttribs ) { }