svx/source/unodraw/unoshape.cxx | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
New commits:
commit 5eb25f6a7ecb215f7bc81116cd930c1dec645e8d
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed May 18 18:25:07 2022 +0200
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Thu May 19 18:55:47 2022 +0200
svx: fix double-free if SvxShape of SwDrawVirtObj is disposed
First SvxShape::dispose() deletes it, then ~SwDrawFrameFormat() via
~SwDrawContact() calls SwDrawContact::RemoveAllVirtObjs() and deletes it
again.
Back in 2009, CWS dba32 (60698c8a619f219129dbeac7da1f962f3fa63f6a)
added this OSL_ENSURE, let's actually try to fix this now.
Change-Id: I5c391aa425aa75fb87cecccbf9e41c9f90196f9f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134609
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
Tested-by: Jenkins
diff --git a/svx/source/unodraw/unoshape.cxx b/svx/source/unodraw/unoshape.cxx
index 4d6431f51433..d68732208a2d 100644
--- a/svx/source/unodraw/unoshape.cxx
+++ b/svx/source/unodraw/unoshape.cxx
@@ -1273,10 +1273,6 @@ void SAL_CALL SvxShape::dispose()
if ( pObject->IsInserted() && pObject->getSdrPageFromSdrObject() )
{
- OSL_ENSURE( HasSdrObjectOwnership(), "SvxShape::dispose: is the below
code correct?" );
- // normally, we are allowed to free the SdrObject only if we have
its ownership.
- // Why isn't this checked here?
-
SdrPage* pPage = pObject->getSdrPageFromSdrObject();
// delete the SdrObject from the page
const size_t nCount = pPage->GetObjCount();
@@ -1285,7 +1281,10 @@ void SAL_CALL SvxShape::dispose()
if ( pPage->GetObj( nNum ) == pObject )
{
OSL_VERIFY( pPage->RemoveObject( nNum ) == pObject );
- bFreeSdrObject = true;
+ if (HasSdrObjectOwnership())
+ {
+ bFreeSdrObject = true;
+ }
break;
}
}
