sw/source/core/undo/undraw.cxx | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit 0c49f0f8a16cf3eeb887b6c68213d00bbd56a3eb
Author: Miklos Vajna <vmik...@collabora.com>
AuthorDate: Thu Nov 7 18:13:01 2019 +0100
Commit: Stephan Bergmann <sberg...@redhat.com>
CommitDate: Thu Nov 7 19:11:54 2019 +0100
Related: tdf#128603 sw textbox: fix use-after-free
lcl_RestoreAnchor() needs to decide if if wants to not copy the old
anchor (and keep reading it via a reference) or it wants to update the
item set, it can't do both at the same time. The reason for this is that
the item set update works by deleting the old pool item and allocating a
new one, it doesn't work by updating the old pool item.
I believe this was always broken, but now sanitizers found the issue
since the cppunit test for the above bug was added recently.
Change-Id: Ic08d60eb522a62d78cb2b0ea6a4cda328f8fb80b
Reviewed-on: https://gerrit.libreoffice.org/82245
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sberg...@redhat.com>
diff --git a/sw/source/core/undo/undraw.cxx b/sw/source/core/undo/undraw.cxx
index e5a7b6974541..b86890723a31 100644
--- a/sw/source/core/undo/undraw.cxx
+++ b/sw/source/core/undo/undraw.cxx
@@ -164,9 +164,10 @@ static void lcl_RestoreAnchor( SwFrameFormat* pFormat,
sal_uLong nNodePos )
aPos.nContent.Assign( aIdx.GetNode().GetContentNode(), nContentPos
);
}
aTmp.SetAnchor( &aPos );
+ RndStdIds nAnchorId = rAnchor.GetAnchorId();
pFormat->SetFormatAttr( aTmp );
- if (RndStdIds::FLY_AS_CHAR == rAnchor.GetAnchorId())
+ if (RndStdIds::FLY_AS_CHAR == nAnchorId)
{
SwTextNode *pTextNd = aIdx.GetNode().GetTextNode();
OSL_ENSURE( pTextNd, "no Text Node" );
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
