[Libreoffice-commits] core.git: sw/source

[Stephan Bergmann (via logerrit)]

 sw/source/core/layout/paintfrm.cxx |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 9cf2df5eb9e7da89492f040d0b74d40919c6d12c
Author:     Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Wed Jul 24 16:27:05 2019 +0200
Commit:     Stephan Bergmann <sberg...@redhat.com>
CommitDate: Thu Jul 25 09:21:58 2019 +0200

    Avoid using invalidated rRect
    
    ...as happens during `convert-to pdf doc/ooo107799-1.doc` (i.e., oracle 
apex.doc
    attached at <https://bz.apache.org/ooo/show_bug.cgi?id=107799#c1>):
    
    > ==29889==ERROR: AddressSanitizer: heap-use-after-free on address 
0x61200034f548 at pc 0x0000002ebcaa bp 0x7fff9666f320 sp 0x7fff9666ead0
    > READ of size 16 at 0x61200034f548 thread T0
    >  #0 in __asan_memcpy at 
/home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
    >  #1 in SwRect::SwRect(SwRect const&) at sw/inc/swrect.hxx:313:5
    >  #2 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, 
SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:2971:12
    >  #3 in SwViewShell::PrintOrPDFExport(OutputDevice*, SwPrintData const&, 
int, bool) at sw/source/core/view/vprint.cxx:542:30
    >  #4 in SwXTextDocument::render(int, com::sun::star::uno::Any const&, 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at 
sw/source/uibase/uno/unotxdoc.cxx:3026:32
    >  #5 in PDFExport::ExportSelection(vcl::PDFWriter&, 
com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, 
com::sun::star::uno::Any const&, StringRangeEnumerator const&, 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) at 
filter/source/pdf/pdfexport.cxx:227:34
    >  #6 in PDFExport::Export(rtl::OUString const&, 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at 
filter/source/pdf/pdfexport.cxx:939:28
    >
    > 0x61200034f548 is located 8 bytes inside of 272-byte region 
[0x61200034f540,0x61200034f650)
    > freed by thread T0 here:
    >  #0 in operator delete(void*, unsigned long) at 
/home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cc:172:3
    >  #1 in SwPageFrame::~SwPageFrame() at 
sw/source/core/layout/pagechg.cxx:301:1
    >  #2 in SwFrame::DestroyFrame(SwFrame*) at 
sw/source/core/layout/ssfrm.cxx:389:9
    >  #3 in SwRootFrame::RemovePage(SwPageFrame**, SwRemoveResult) at 
sw/source/core/layout/pagechg.cxx:1426:5
    >  #4 in SwRootFrame::RemoveSuperfluous() at 
sw/source/core/layout/pagechg.cxx:1501:13
    >  #5 in SwLayAction::InternalAction(OutputDevice*) at 
sw/source/core/layout/layact.cxx:494:30
    >  #6 in SwLayAction::Action(OutputDevice*) at 
sw/source/core/layout/layact.cxx:349:5
    >  #7 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, 
SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:2965:17
    >  #8 in SwViewShell::PrintOrPDFExport(OutputDevice*, SwPrintData const&, 
int, bool) at sw/source/core/view/vprint.cxx:542:30
    >  #9 in SwXTextDocument::render(int, com::sun::star::uno::Any const&, 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at 
sw/source/uibase/uno/unotxdoc.cxx:3026:32
    
    Change-Id: I2931920d19d535f569c61fb9d7f1ce21bf7a0d88
    Reviewed-on: https://gerrit.libreoffice.org/76270
    Reviewed-by: Michael Stahl <michael.st...@cib.de>
    Tested-by: Jenkins

diff --git a/sw/source/core/layout/paintfrm.cxx 
b/sw/source/core/layout/paintfrm.cxx
index 61898a818771..36f1cd69ff5d 100644
--- a/sw/source/core/layout/paintfrm.cxx
+++ b/sw/source/core/layout/paintfrm.cxx
@@ -2933,6 +2933,10 @@ void SwRootFrame::PaintSwFrame(vcl::RenderContext& 
rRenderContext, SwRect const&
     ::SwCalcPixStatics( pSh->GetOut() );
     aGlobalRetoucheColor = pSh->Imp()->GetRetoucheColor();
 
+    // Copy rRect; for one, rRect could become dangling during the below 
action, and for another it
+    // needs to be copied to aRect anyway as that is modified further down 
below:
+    SwRect aRect( rRect );
+
     //Trigger an action to clear things up if needed.
     //Using this trick we can ensure that all values are valid in all paints -
     //no problems, no special case(s).
@@ -2968,7 +2972,6 @@ void SwRootFrame::PaintSwFrame(vcl::RenderContext& 
rRenderContext, SwRect const&
             pSh->Imp()->DelRegion();
     }
 
-    SwRect aRect( rRect );
     aRect.Intersection( pSh->VisArea() );
 
     const bool bExtraData = ::IsExtraData( GetFormat()->GetDoc() );
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits