sw/source/filter/ww8/ww8par.hxx  |    7 +++----
 sw/source/filter/ww8/ww8par2.cxx |   24 ++++++++++++++----------
 2 files changed, 17 insertions(+), 14 deletions(-)

New commits:
commit f98d1986c3933710acfdb9ef19b5cfefaa27e69f
Author: Caolán McNamara <caol...@redhat.com>
Date:   Mon Oct 2 09:24:19 2017 +0100

    ofz#3527 ofz#3532 Invalid read of size 8
    
    use numrule name to look up numrule instead of cached numrule pointer
    
    in case it was deleted on failure to apply the numrule over an invalid range
    
    Invalid read of size 8
       at 0x1E875132: rtl::OUString::OUString(rtl::OUString const&) 
(ustring.hxx:143)
       by 0x1EB33D93: SwWW8ImplReader::StartAnl(unsigned char const*) 
(ww8par2.cxx:1094)
       by 0x1EB33003: SwWW8ImplReader::Read_ANLevelNo(unsigned short, unsigned 
char const*, short) (ww8par2.cxx:910)
       by 0x1EBA375D: SwWW8ImplReader::ImportSprm(unsigned char const*, int, 
unsigned short) (ww8par6.cxx:6337)
       by 0x1EAEEA24: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) 
(ww8par.cxx:3810)
       by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) 
(ww8par.cxx:3921)
       by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) 
(ww8par.cxx:4003)
       by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) 
(ww8par.cxx:5219)
     Address 0x31831158 is 200 bytes inside a block of size 248 free'd
       at 0x4C2F21A: operator delete(void*) (vg_replace_malloc.c:576)
       by 0x253BC1B5: SwDoc::DelNumRule(rtl::OUString const&, bool) 
(docnum.cxx:1033)
       by 0x25CB943D: SwFltControlStack::SetAttrInDoc(SwPosition const&, 
SwFltStackEntry&) (fltshell.cxx:609)
       by 0x1EAE5011: SwWW8FltControlStack::SetAttrInDoc(SwPosition const&, 
SwFltStackEntry&) (ww8par.cxx:1445)
       by 0x25CB8A9E: SwFltControlStack::SetAttr(SwPosition const&, unsigned 
short, bool, long, bool) (fltshell.cxx:457)
       by 0x1EAE420E: SwWW8FltControlStack::SetAttr(SwPosition const&, unsigned 
short, bool, long, bool) (ww8par.cxx:1185)
       by 0x1EAE5C12: SwWW8ImplReader::Read_Tab(unsigned short, unsigned char 
const*, short) (ww8par.cxx:1625)
       by 0x1EBA35F0: SwWW8ImplReader::EndSprm(unsigned short) 
(ww8par6.cxx:6321)
       by 0x1EAEEA44: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) 
(ww8par.cxx:3813)
       by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) 
(ww8par.cxx:3921)
       by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) 
(ww8par.cxx:4003)
       by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) 
(ww8par.cxx:5219)
    
    Change-Id: Ia7ab67e42fc7a162d8089722e77841285f72a671
    Reviewed-on: https://gerrit.libreoffice.org/43029
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Michael Stahl <mst...@redhat.com>

diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index b859a030ef5b..4c7944c28c0b 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -972,11 +972,10 @@ struct ApoTestResults
 
 struct ANLDRuleMap
 {
-    SwNumRule* mpOutlineNumRule;    // WinWord 6 numbering, variant 1
-    SwNumRule* mpNumberingNumRule;  // WinWord 6 numbering, variant 2
-    SwNumRule* GetNumRule(sal_uInt8 nNumType);
+    OUString msOutlineNumRule;    // WinWord 6 numbering, variant 1
+    OUString msNumberingNumRule;  // WinWord 6 numbering, variant 2
+    SwNumRule* GetNumRule(SwDoc& rDoc, sal_uInt8 nNumType);
     void SetNumRule(SwNumRule*, sal_uInt8 nNumType);
-    ANLDRuleMap() : mpOutlineNumRule(nullptr), mpNumberingNumRule(nullptr) {}
 };
 
 struct SprmReadInfo;
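Review bot: The new `GetNumRule(SwDoc&, sal_uInt8)` can return nullptr (empty stored name, or a name that no longer resolves in the document) and the header says nothing about it, nor about why the members changed from pointers to names. Suggest a comment above the struct: `// Rules are stored by name and resolved on every access: the SwNumRule can be deleted (SwDoc::DelNumRule) while the import is still running, which left a cached pointer dangling.` and on the declaration `// returns nullptr when no rule of that type is set or it no longer exists in rDoc`. Dropping the constructor is fine since OUString default-constructs empty, but a one-word note that empty means "unset" would help readers of GetNumRule.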
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index b84b95729307..6ce9e4e5b161 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1016,17 +1016,21 @@ WW8LvlType GetNumType(sal_uInt8 nWwLevelNo)
     return nRet;
 }
 
-SwNumRule *ANLDRuleMap::GetNumRule(sal_uInt8 nNumType)
+SwNumRule *ANLDRuleMap::GetNumRule(SwDoc& rDoc, sal_uInt8 nNumType)
 {
-    return (WW8_Numbering == nNumType ? mpNumberingNumRule : mpOutlineNumRule);
+    const OUString& rNumRule = WW8_Numbering == nNumType ? msNumberingNumRule 
: msOutlineNumRule;
+    if (rNumRule.isEmpty())
+        return nullptr;
+    return rDoc.FindNumRulePtr(rNumRule);
 }
 
 void ANLDRuleMap::SetNumRule(SwNumRule *pRule, sal_uInt8 nNumType)
 {
+    OUString sNumRule = pRule ? pRule->GetName() : OUString();
     if (WW8_Numbering == nNumType)
-        mpNumberingNumRule = pRule;
+        msNumberingNumRule = sNumRule;
     else
-        mpOutlineNumRule = pRule;
+        msOutlineNumRule = sNumRule;
 }
 
 // StartAnl is called at the beginning of a row area that contains
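Review bot: Neither definition documents the nullptr result that `GetNumRule` now produces on a lookup miss, which is the whole point of the change; add above it `// Resolved by name on each call: the rule may have been deleted from rDoc after SetNumRule stored it (see ofz#3527); returns nullptr if no rule is set or it no longer exists.` In `SetNumRule` the local is only read, so `const OUString sNumRule = pRule ? pRule->GetName() : OUString();` states that. That `FindNumRulePtr` returns nullptr for an unknown name is inferred from the way it is used here and is not visible in the hunk.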
@@ -1040,7 +1044,7 @@ void SwWW8ImplReader::StartAnl(const sal_uInt8* pSprm13)
         return;
 
     m_nWwNumType = nT;
-    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
 
     // check for COL numbering:
     SprmResult aS12; // sprmAnld
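Review bot: `pNumRule` may now be nullptr when the stored name no longer resolves in `m_rDoc`, and every use of it in StartAnl lies past the end of this hunk, so the hunk cannot show that each use is guarded. The NextAnlLine hunks below add `pNumRule &&` checks; StartAnl should either create a replacement rule when the lookup misses or stop before the first dereference, e.g. `if (!pNumRule) return;` if no creation path exists. The old pointer member could also be nullptr, so a null path presumably already exists; please confirm it also covers the lookup-miss case introduced here.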
@@ -1108,7 +1112,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* 
pSprm13)
     if (!m_bAnl)
         return;
 
-    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
 
     // pNd->UpdateNum without a set of rules crashes at the latest whilst 
storing as sdw3
 
@@ -1116,7 +1120,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* 
pSprm13)
     if (*pSprm13 == 10 || *pSprm13 == 11)
     {
         m_nSwNumLevel = 0;
-        if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+        if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
         {
             // not defined yet
             // sprmAnld o. 0
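Review bot: The added `pNumRule &&` guard only skips the "not defined yet" block; when `pNumRule` is nullptr execution continues past the hunk into code that the comment in the 1108 hunk says crashes without a set of rules (`pNd->UpdateNum`). An early exit right after the lookup in the 1108 hunk, `if (!pNumRule) return;` following `SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);`, would make the intent explicit and let this guard and the identical one in the 1129 hunk go. Whether the later code actually dereferences pNumRule is outside both hunks and should be confirmed; NextAnlLine's body extends beyond them.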
@@ -1129,7 +1133,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* 
pSprm13)
     {
         m_nSwNumLevel = *pSprm13 - 1;             // outline
         // undefined
-        if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+        if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
         {
             if (m_xNumOlst)                       // there was a OLST
             {
@@ -1183,7 +1187,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 
nNewType, bool bGoBack)
     else
         m_pCtrlStck->SetAttr(*m_pPaM->GetPoint(), RES_FLTR_NUMRULE);
 
-    m_aANLDRules.mpNumberingNumRule = nullptr;
+    m_aANLDRules.msNumberingNumRule.clear();
     /*
      #i18816#
      my take on this problem is that moving either way from an outline to a
@@ -1193,7 +1197,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 
nNewType, bool bGoBack)
         (((m_nWwNumType == WW8_Outline) && (nNewType == WW8_Numbering)) ||
         ((m_nWwNumType == WW8_Numbering) && (nNewType == WW8_Outline)));
     if (!bNumberingNotStopOutline)
-        m_aANLDRules.mpOutlineNumRule = nullptr;
+        m_aANLDRules.msOutlineNumRule.clear();
 
     m_nSwNumLevel = 0xff;
     m_nWwNumType = WW8_None;