starmath/source/cursor.cxx | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
New commits:
commit 382b82541a2e4d83197bd0b20fc5fc40bb4313e2
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Sep 15 11:30:54 2022 +0100
Commit: Caolán McNamara <caol...@redhat.com>
CommitDate: Thu Sep 15 15:31:02 2022 +0200
cid#1500440 Use after free
this is the inline starmath editing where you can edit the formula
directly in the view window instead of the command window. Currently
requires experimental to be enabled.
reproduce by clicking in initially empty formula and enter a character.
In practice the deleted pos.pSelectedNode is not actually used-after-free
in SmCursor::FindPositionInLineList because it is not found by the
std::find of pLineList.
Change-Id: I57476a8eb073914099c5026dd33dc75b20288d52
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/140003
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/starmath/source/cursor.cxx b/starmath/source/cursor.cxx
index 52621d360c80..fc1e3c5ecb7b 100644
--- a/starmath/source/cursor.cxx
+++ b/starmath/source/cursor.cxx
@@ -303,6 +303,7 @@ void SmCursor::InsertNodes(std::unique_ptr<SmNodeList>
pNewNodes){
//Find top most of line that holds position
SmNode* pLine = FindTopMostNodeInLine(pos.pSelectedNode);
+ const bool bSelectedIsTopMost = pLine == pos.pSelectedNode;
//Find line parent and line index in parent
SmStructureNode* pLineParent = pLine->GetParent();
@@ -311,10 +312,11 @@ void SmCursor::InsertNodes(std::unique_ptr<SmNodeList>
pNewNodes){
//Convert line to list
std::unique_ptr<SmNodeList> pLineList(new SmNodeList);
- NodeToList(pLine, *pLineList);
+ NodeToList(pLine, *pLineList); // deletes pLine, potentially deleting
pos.pSelectedNode
//Find iterator for place to insert nodes
- SmNodeList::iterator it = FindPositionInLineList(pLineList.get(), pos);
+ SmNodeList::iterator it = bSelectedIsTopMost ? pLineList->begin()
+ :
FindPositionInLineList(pLineList.get(), pos);
//Insert all new nodes
SmNodeList::iterator newIt,
