sd/inc/Outliner.hxx            |    2 +-
 sd/source/ui/view/Outliner.cxx |    3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

New commits:
commit 583185235389b55d6cfffac3067c0e1ccb2852b1
Author:     Justin Luth <justin_l...@sil.org>
AuthorDate: Wed Feb 2 11:00:07 2022 +0200
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Fri Feb 4 21:40:10 2022 +0100

    related tdf#145868 sd: Clone SvxSearchItem to avoid use after free
    
    I tested "if (mpSearchItem)" which passed, but then it
    crashed when trying to access (*mpSearchItem) == (*pSearchItem)
    because the mpSearchItem's DTOR had already been called
    prior to the if(mpSearchItem).
    
    Since mpSearchItem is never compared to another
    memory pointer, it is safe to assign it to a Clone.
    
    Steps to reproduce:
    1.) open Impress and search for something
    2.) change the search string to something else
    3.) search again.
    
    Note that there isn't currently any code that hits this.
    I discovered it trying to craft a fix for bug 145868.
    
    Change-Id: Idc5f5a3e812ed3e49631347c35c3f4b2d8bb4127
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129347
    Tested-by: Jenkins
    Tested-by: Caolán McNamara <caol...@redhat.com>
    Reviewed-by: Justin Luth <jl...@mail.com>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sd/inc/Outliner.hxx b/sd/inc/Outliner.hxx
index 772040f7a610..4a7100db3bb1 100644
--- a/sd/inc/Outliner.hxx
+++ b/sd/inc/Outliner.hxx
@@ -316,7 +316,7 @@ private:
         search.  It is set every time the
         <member>SearchAndReplaceAll</member> method is called.
     */
-    const SvxSearchItem* mpSearchItem;
+    std::unique_ptr<const SvxSearchItem> mpSearchItem;
 
     /// The actual object iterator.
     ::sd::outliner::Iterator maObjectIterator;
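Review bot: The doc comment directly above the changed member is now out of step with the new ownership: it still says the item "is set every time the SearchAndReplaceAll method is called", while the only assignment this commit shows is in StartSearchAndReplace (Outliner.cxx hunk), and nothing says the member now owns a clone rather than borrowing the caller's pointer. I would replace that sentence with `/// Owned clone of the search item passed to StartSearchAndReplace; cloning avoids a dangling pointer when the caller's item is destroyed before the next search.` Since `std::unique_ptr` is used in the header, it presumably relies on `<memory>` being included already (not visible in this hunk) — worth confirming rather than depending on a transitive include. A `unique_ptr` member also makes SdOutliner implicitly non-copyable, which the build would flag if any copy existed, so likely fine.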
diff --git a/sd/source/ui/view/Outliner.cxx b/sd/source/ui/view/Outliner.cxx
index 0f77f2070219..23353ba87c82 100644
--- a/sd/source/ui/view/Outliner.cxx
+++ b/sd/source/ui/view/Outliner.cxx
@@ -154,7 +154,6 @@ SdOutliner::SdOutliner( SdDrawDocument* pDoc, OutlinerMode 
nMode )
       meStartEditMode(EditMode::Page),
       mnStartPageIndex(sal_uInt16(-1)),
       mpStartEditedObject(nullptr),
-      mpSearchItem(nullptr),
       mbPrepareSpellingPending(true)
 {
     SetStyleSheetPool(static_cast<SfxStyleSheetPool*>( 
mpDrawDocument->GetStyleSheetPool() ));
@@ -464,7 +463,7 @@ bool SdOutliner::StartSearchAndReplace (const 
SvxSearchItem* pSearchItem)
     if ( ! bAbort)
     {
         meMode = SEARCH;
-        mpSearchItem = pSearchItem;
+        mpSearchItem = std::unique_ptr<SvxSearchItem>(pSearchItem->Clone());
 
         mbFoundObject = false;
 
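Review bot: The new assignment `mpSearchItem = std::unique_ptr<SvxSearchItem>(pSearchItem->Clone());` dereferences pSearchItem unconditionally, whereas the removed raw-pointer assignment tolerated a null argument; StartSearchAndReplace's body starts outside this hunk, so if nothing before this point rejects a null pointer, the fix trades a use-after-free for a null dereference. Either guard it, `mpSearchItem.reset(pSearchItem ? pSearchItem->Clone() : nullptr);`, or state the non-null precondition on the declaration so callers can be checked against it. As a style point, `mpSearchItem.reset(pSearchItem->Clone());` expresses the same ownership transfer without naming the type a second time or routing the const conversion through a temporary `unique_ptr<SvxSearchItem>`.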
