sw/source/core/doc/DocumentContentOperationsManager.cxx | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
New commits: commit dc328fdfa709929377de2be5f86f2e811a5eaa21 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Oct 11 11:23:45 2021 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Mon Oct 11 14:41:45 2021 +0200 valgrind: use after free on applying "default character" character style seen in writer in fresh document, type some text, right click for context menu, select "character" submenu, and select "default character" ==3296268== Invalid write of size 8 ==3296268== at 0x3E6EDE34: SwpHints::Register(SwRegHistory*) (ndhints.hxx:195) ==3296268== by 0x3E6EDE88: SwpHints::DeRegister() (ndhints.hxx:197) ==3296268== by 0x3E747E06: (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:1930) ==3296268== by 0x3E74449F: sw::DocumentContentOperationsManager::InsertPoolItem(SwPaM const&, SfxPoolItem const&, SetAttrMode, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:3505) ==3296268== by 0x3E9F3F12: SwEditShell::SetAttrItem(SfxPoolItem const&, SetAttrMode, bool) (edatmisc.cxx:145) ==3296268== by 0x3F6F860F: SwDocShell::ApplyStyles(rtl::OUString const&, SfxStyleFamily, SwWrtShell*, unsigned short) (docst.cxx:1154) ==3296268== by 0x3F6F5F94: SwDocShell::ExecStyleSheet(SfxRequest&) (docst.cxx:505) ==3296268== by 0x3F983994: SwBaseShell::Execute(SfxRequest&) (basesh.cxx:1071) ==3296268== by 0x3F981744: SfxStubSwBaseShellExecute(SfxShell*, SfxRequest&) (swslots.hxx:2180) ==3296268== Address 0x4576dd00 is 176 bytes inside a block of size 192 free'd ==3296268== at 0x4843669: operator delete(void*) (vg_replace_malloc.c:802) ==3296268== by 0x3E76A3C3: std::default_delete<SwpHints>::operator()(SwpHints*) const (unique_ptr.h:85) ==3296268== by 0x3E76A31F: std::__uniq_ptr_impl<SwpHints, std::default_delete<SwpHints> >::reset(SwpHints*) (unique_ptr.h:182) ==3296268== by 0x3E76A279: std::unique_ptr<SwpHints, 
std::default_delete<SwpHints> >::reset(SwpHints*) (unique_ptr.h:456) ==3296268== by 0x3EFE14C5: SwTextNode::TryDeleteSwpHints() (ndtxt.hxx:846) ==3296268== by 0x3F028AB2: SwTextNode::RstTextAttr(SwIndex const&, int, unsigned short, SfxItemSet const*, bool, bool) (txtedt.cxx:631) ==3296268== by 0x3F003D77: SwTextNode::SetAttr(SfxItemSet const&, int, int, SetAttrMode, SwTextAttr**) (thints.cxx:1908) ==3296268== by 0x3E747DE7: (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:1928) ==3296268== by 0x3E74449F: sw::DocumentContentOperationsManager::InsertPoolItem(SwPaM const&, SfxPoolItem const&, SetAttrMode, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:3505) ==3296268== by 0x3E9F3F12: SwEditShell::SetAttrItem(SfxPoolItem const&, SetAttrMode, bool) (edatmisc.cxx:145) ==3296268== by 0x3F6F860F: SwDocShell::ApplyStyles(rtl::OUString const&, SfxStyleFamily, SwWrtShell*, unsigned short) (docst.cxx:1154) ==3296268== by 0x3F6F5F94: SwDocShell::ExecStyleSheet(SfxRequest&) (docst.cxx:505) ==3296268== by 0x3F983994: SwBaseShell::Execute(SfxRequest&) (basesh.cxx:1071) ==3296268== by 0x3F981744: SfxStubSwBaseShellExecute(SfxShell*, SfxRequest&) (swslots.hxx:2180) ==3296268== Block was alloc'd at ==3296268== at 0x4840FF5: operator new(unsigned long) (vg_replace_malloc.c:417) ==3296268== by 0x3E76988F: SwTextNode::GetOrCreateSwpHints() (ndtxt.hxx:837) ==3296268== by 0x3E747D0F: (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:1923) ==3296268== by 0x3E74449F: sw::DocumentContentOperationsManager::InsertPoolItem(SwPaM const&, SfxPoolItem const&, SetAttrMode, SwRootFrame const*, SwTextAttr**) (DocumentContentOperationsManager.cxx:3505) ==3296268== by 0x3E9F3F12: SwEditShell::SetAttrItem(SfxPoolItem const&, 
SetAttrMode, bool) (edatmisc.cxx:145) ==3296268== by 0x3F6F860F: SwDocShell::ApplyStyles(rtl::OUString const&, SfxStyleFamily, SwWrtShell*, unsigned short) (docst.cxx:1154) ==3296268== by 0x3F6F5F94: SwDocShell::ExecStyleSheet(SfxRequest&) (docst.cxx:505) ==3296268== by 0x3F983994: SwBaseShell::Execute(SfxRequest&) (basesh.cxx:1071) ==3296268== by 0x3F981744: SfxStubSwBaseShellExecute(SfxShell*, SfxRequest&) (swslots.hxx:2180) Change-Id: Ic76b64d106dcba34087d4effa60b0b84447168d7 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123376 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> diff --git a/sw/source/core/doc/DocumentContentOperationsManager.cxx b/sw/source/core/doc/DocumentContentOperationsManager.cxx index f42131cc8d14..9a093450f992 100644 --- a/sw/source/core/doc/DocumentContentOperationsManager.cxx +++ b/sw/source/core/doc/DocumentContentOperationsManager.cxx @@ -1920,13 +1920,16 @@ namespace //local functions originally from docfmt.cxx if (pCharSet && pCharSet->Count()) { - SwpHints *pSwpHints = bCreateSwpHints ? &pTNd->GetOrCreateSwpHints() - : pTNd->GetpSwpHints(); - if( pSwpHints ) + if (SwpHints *pSwpHints = bCreateSwpHints ? &pTNd->GetOrCreateSwpHints() + : pTNd->GetpSwpHints()) + { pSwpHints->Register( &aRegH ); + } pTNd->SetAttr(*pCharSet, 0, pTNd->GetText().getLength(), nFlags); - if( pSwpHints ) + + // re-fetch as it may be deleted by SetAttr + if (SwpHints *pSwpHints = pTNd->GetpSwpHints()) pSwpHints->DeRegister(); } }
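Review bot: The re-fetch on the last two added lines deregisters whichever SwpHints object the node holds after SetAttr, which is not necessarily the one that was registered with aRegH. The valgrind trace shows SetAttr reaching RstTextAttr → TryDeleteSwpHints, which resets the owning unique_ptr; if SetAttr then goes on to create a fresh SwpHints, that object was never registered, so the hints SetAttr inserted into it were presumably not recorded in aRegH, and DeRegister() is called on an object that was never registered (whether that is a harmless reset depends on SwpHints::Register/DeRegister in ndhints.hxx, outside this hunk). The added comment could say so rather than only that the object may be deleted, e.g. `// re-fetch: SetAttr may reset the node's SwpHints (TryDeleteSwpHints) and may have created a new, unregistered one; DeRegister() on that one is assumed to be a safe reset`. Scoping the first pSwpHints to its if-statement is a good change, since the raw pointer into the node's unique_ptr can no longer outlive the call that may free it. The enclosing lcl_InsAttr body begins and ends outside the hunk.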