sw/qa/extras/uiwriter/data/tdf114536.odt |binary sw/qa/extras/uiwriter/uiwriter.cxx | 9 +++++++++ sw/source/core/text/itrform2.cxx | 13 +++++++++++++ 3 files changed, 22 insertions(+)
New commits: commit ecd855794b22c0f7e6fb2f362b566c4d9c5f624a Author: Miklos Vajna <vmik...@collabora.co.uk> Date: Mon Jan 15 22:29:31 2018 +0100 tdf#114536 sw: fix use-after-free in SwTextFormatter::MergeCharacterBorder() SwTextFormatter::Underflow() truncated a line portion, which deletes the rest of the line portions, but left m_pFirstOfBorderMerge unchanged, leading to a crash when SwTextFormatter::MergeCharacterBorder() tried to access it. Fix the problem by updating the non-owning m_pFirstOfBorderMerge accordingly when truncating the line portion. Change-Id: I5e445bbe2424d70d60c363fa4e3a00636e282325 Reviewed-on: https://gerrit.libreoffice.org/47923 Reviewed-by: Miklos Vajna <vmik...@collabora.co.uk> Tested-by: Jenkins <c...@libreoffice.org>
diff --git a/sw/qa/extras/uiwriter/data/tdf114536.odt b/sw/qa/extras/uiwriter/data/tdf114536.odt
new file mode 100644
index 000000000000..4ad9c7f1f494
Binary files /dev/null and b/sw/qa/extras/uiwriter/data/tdf114536.odt differ
diff --git a/sw/qa/extras/uiwriter/uiwriter.cxx b/sw/qa/extras/uiwriter/uiwriter.cxx
index 9f4597486f3e..1e8d7431bc52 100644
--- a/sw/qa/extras/uiwriter/uiwriter.cxx
+++ b/sw/qa/extras/uiwriter/uiwriter.cxx
@@ -296,6 +296,7 @@ public:
 void testTdf114306();
 void testTdf113481();
 void testTdf115013();
+ void testTdf114536();
 CPPUNIT_TEST_SUITE(SwUiWriterTest);
 CPPUNIT_TEST(testReplaceForward);
@@ -471,6 +472,7 @@ public:
 CPPUNIT_TEST(testTdf114306);
 CPPUNIT_TEST(testTdf113481);
 CPPUNIT_TEST(testTdf115013);
+ CPPUNIT_TEST(testTdf114536);
 CPPUNIT_TEST_SUITE_END();
 private:
@@ -5546,6 +5548,13 @@ void SwUiWriterTest::testSectionInTableInTable()
 createDoc("tdf112109.fodt");
 }
+void SwUiWriterTest::testTdf114536()
+{
+ // This crashed in SwTextFormatter::MergeCharacterBorder() due to a
+ // use after free.
+ createDoc("tdf114536.odt");
+}
+
 void SwUiWriterTest::testSectionInTableInTable2()
 {
 createDoc("split-section-in-nested-table.fodt");
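Review bot: `testTdf114536()` asserts nothing and only calls `createDoc("tdf114536.odt")`, so it catches a regression only when the stale read of the freed portion actually faults. On a build without a memory checker the freed memory may still be readable, in which case the test could pass against the unfixed code. The comment in the test body should say so, for example `// No assertion: passes if loading does not crash; the use after free is only reliably detected under ASan or valgrind.`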
diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx
index 2b7d853ee734..c4df1a42e81e 100644
--- a/sw/source/core/text/itrform2.cxx
+++ b/sw/source/core/text/itrform2.cxx
@@ -268,6 +268,19 @@ SwLinePortion *SwTextFormatter::Underflow( SwTextFormatInfo &rInf )
 pPor = m_pCurr;
 }
 }
+
+ // Make sure that m_pFirstOfBorderMerge does not point to a portion which
+ // will be deleted by Truncate() below.
+ SwLinePortion* pNext = pPor->GetPortion();
+ while (pNext)
+ {
+ if (pNext == m_pFirstOfBorderMerge)
+ {
+ m_pFirstOfBorderMerge = nullptr;
+ break;
+ }
+ pNext = pNext->GetPortion();
+ }
 pPor->Truncate();
 SwLinePortion *const pRest( rInf.GetRest() );
 if (pRest && pRest->InFieldGrp() &&
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
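Review bot: The stale-pointer reset is wired into this one `pPor->Truncate()` call in `SwTextFormatter::Underflow()`, so the guarantee that `m_pFirstOfBorderMerge` never points at a deleted portion still depends on every other site that truncates or deletes portions doing the same. None of those sites are visible in this hunk, so they should be checked. A comment at the loop such as `// m_pFirstOfBorderMerge is non-owning; reset it at every site that deletes portions after pPor.` would make that requirement explicit. The walk can also be skipped when nothing is cached by changing the loop condition to `while (pNext && m_pFirstOfBorderMerge)`. The body of Underflow() starts and ends outside the hunk.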