sw/source/core/doc/DocumentContentOperationsManager.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 419067c29fe8f94f217d87418b8423ca9a734cf8
Author: Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Sat Dec 7 15:37:51 2019 +0100
Commit: Stephan Bergmann <sberg...@redhat.com>
CommitDate: Sun Dec 8 16:08:28 2019 +0100
Fix heap-use-after-free
...after 91b2325808a75174f284c48c8b8afc118fad74e4 "tdf#121300 sw:
consistent fly
at-pargraph selection", as seen with ASan during UITest_writer_tests6 (see
also
<https://ci.libreoffice.org/job/lo_ubsan/1472/>):
> ERROR: AddressSanitizer: heap-use-after-free on address 0x6040006ec168 at
pc 0x7f75b9ee9c81 bp 0x7f75d168a410 sp 0x7f75d168a408
> READ of size 4 at 0x6040006ec168 thread T41 (cppu_threadpool)
> #0 in SwFormatAnchor::GetAnchorId() const at sw/inc/fmtanchr.hxx:65:44
> #1 in sw::DocumentContentOperationsManager::CopyImplImpl(SwPaM&,
SwPosition&, bool, SwPaM*) const at
sw/source/core/doc/DocumentContentOperationsManager.cxx:4863:30
> #2 in sw::DocumentContentOperationsManager::CopyImpl(SwPaM&,
SwPosition&, bool, SwPaM*) const at
sw/source/core/doc/DocumentContentOperationsManager.cxx:4432:16
> #3 in sw::DocumentContentOperationsManager::CopyRange(SwPaM&,
SwPosition&, bool, bool) const at
sw/source/core/doc/DocumentContentOperationsManager.cxx:1868:16
> #4 in SwFEShell::Paste(SwDoc*) at
sw/source/core/frmedt/fecopy.cxx:1038:62
[...]
> 0x6040006ec168 is located 24 bytes inside of 40-byte region
[0x6040006ec150,0x6040006ec178)
> freed by thread T41 (cppu_threadpool) here:
> #0 in operator delete(void*, unsigned long) at
/home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3
> #1 in SwFormatAnchor::~SwFormatAnchor() at
sw/source/core/layout/atrfrm.cxx:1473:1
> #2 in SfxItemPool::Remove(SfxPoolItem const&) at
svl/source/items/itempool.cxx:741:13
> #3 in SfxItemSet::~SfxItemSet() at svl/source/items/itemset.cxx:252:42
> #4 in SwAttrSet::~SwAttrSet() at sw/inc/swatrset.hxx:161:20
> #5 in SwFormat::SetFormatAttr(SfxPoolItem const&) at
sw/source/core/attr/format.cxx:541:5
> #6 in sw::DocumentContentOperationsManager::CopyImplImpl(SwPaM&,
SwPosition&, bool, SwPaM*) const at
sw/source/core/doc/DocumentContentOperationsManager.cxx:4861:27
> #7 in sw::DocumentContentOperationsManager::CopyImpl(SwPaM&,
SwPosition&, bool, SwPaM*) const at
sw/source/core/doc/DocumentContentOperationsManager.cxx:4432:16
> #8 in sw::DocumentContentOperationsManager::CopyRange(SwPaM&,
SwPosition&, bool, bool) const at
sw/source/core/doc/DocumentContentOperationsManager.cxx:1868:16
> #9 in SwFEShell::Paste(SwDoc*) at
sw/source/core/frmedt/fecopy.cxx:1038:62
[...]
Change-Id: I7a31e9dbb6fa1cdf938420a9a949b125c66e3ce2
Reviewed-on: https://gerrit.libreoffice.org/84683
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sberg...@redhat.com>
(cherry picked from commit 546cbc9182589e9fec1dc0a23f1af07ddfbc576c)
Reviewed-on: https://gerrit.libreoffice.org/84691
Reviewed-by: Michael Stahl <michael.st...@cib.de>
diff --git a/sw/source/core/doc/DocumentContentOperationsManager.cxx
b/sw/source/core/doc/DocumentContentOperationsManager.cxx
index 7f03a5c96b6e..6ead169ec498 100644
--- a/sw/source/core/doc/DocumentContentOperationsManager.cxx
+++ b/sw/source/core/doc/DocumentContentOperationsManager.cxx
@@ -4877,7 +4877,7 @@ bool
DocumentContentOperationsManager::CopyImplImpl(SwPaM& rPam, SwPosition& rPo
anchor.SetAnchor( &startPos );
pFly->SetFormatAttr(anchor);
}
- if (pAnchor->GetAnchorId() == RndStdIds::FLY_AT_PARA)
+ else if (pAnchor->GetAnchorId() == RndStdIds::FLY_AT_PARA)
{
SwFormatAnchor anchor(*pAnchor);
anchor.SetAnchor( &startPosAtPara );
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
