filter/source/pdf/pdfdialog.cxx | 1 + 1 file changed, 1 insertion(+) New commits: commit e4c611ddc731d6a2ca9c3de61a02d1d4b6eefa9b Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Fri Jun 9 12:51:22 2023 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Fri Jun 9 20:26:48 2023 +0200
pdf export dialog can crash if async mode used dialogClosed can cause the owner of PDFDialog to drop it during the callback ==4057599==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130003cc890 at pc 0x7fecd4abe0f4 bp 0x7ffce7ef2d80 sp 0x7ffce7ef2d78 READ of size 8 at 0x6130003cc890 thread T0 #0 0x7fecd4abe0f3 in std::__shared_ptr<SfxTabDialogController, (__gnu_cxx::_Lock_policy)2>::operator bool() const /usr/bin/../lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/shared_ptr_base.h:1670:16 #1 0x7fecd4abe0f3 in svt::OGenericUnoAsyncDialog<SfxTabDialogController>::destroyAsyncDialog() core/include/svtools/genericasyncunodialog.hxx:107:13 #2 0x7fecd4abd362 in PDFDialog::runAsync(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0::operator()(int) const core/filter/source/pdf/pdfdialog.cxx:95:9 0x6130003cc890 is located 272 bytes inside of 336-byte region [0x6130003cc780,0x6130003cc8d0) freed by thread T0 here: #0 0x4b7cfa in __interceptor_free (core/instdir/program/soffice.bin+0x4b7cfa) (BuildId: e1b47bbe1dcc1e4ed692b09b49fe3da8d206f4b1) #1 0x7fed09f540b2 in com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XAsynchronousExecutableDialog>::~Reference() core/include/com/sun/star/uno/Reference.hxx:114:22 #2 0x7fed09f540b2 in ModelData_Impl::~ModelData_Impl() core/sfx2/source/doc/guisaveas.cxx:359:1 previously allocated by thread T0 here: #0 0x4b7fa2 in malloc (core/instdir/program/soffice.bin+0x4b7fa2) (BuildId: e1b47bbe1dcc1e4ed692b09b49fe3da8d206f4b1) #1 0x7fecd4ab87cf in cppu::OWeakObject::operator new(unsigned long) core/include/cppuhelper/weak.hxx:89:18 #2 0x7fecd4ab87cf in filter_PDFDialog_get_implementation core/filter/source/pdf/pdfdialog.cxx:170:26 ... 
#9 0x7fed09f811a4 in SfxStoringHelper::GUIStoreModel(com::sun::star::uno::Reference<com::sun::star::frame::XModel> const&, std::basic_string_view<char16_t, std::char_traits<char16_t>>, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, bool, SignatureState, bool) core/sfx2/source/doc/guisaveas.cxx:1561:29 Change-Id: I7ea28b9b4bb7c826f1c3c8ced7ea8217573f733b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152793 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/filter/source/pdf/pdfdialog.cxx b/filter/source/pdf/pdfdialog.cxx
index c036fc747b2a..c7dd241c2049 100644
--- a/filter/source/pdf/pdfdialog.cxx
+++ b/filter/source/pdf/pdfdialog.cxx
@@ -79,6 +79,7 @@ void PDFDialog::executedDialog( sal_Int16 nExecutionResult )
 void PDFDialog::runAsync(const css::uno::Reference< css::ui::dialogs::XDialogClosedListener >& xListener)
 {
 SfxTabDialogController::runAsync(m_xAsyncDialog, [this, xListener](sal_Int32 nResponse) {
+ rtl::Reference<PDFDialog> xThis(this); // keep alive for scope, dialogClosed can cause owner to drop this
 executedAsyncDialog( m_xAsyncDialog, nResponse );
 css::ui::dialogs::DialogClosedEvent aEvent;
 aEvent.DialogResult = nResponse;
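Review bot: The added `rtl::Reference<PDFDialog> xThis(this);` only protects the remainder of the callback body, so it relies on `this` still being alive when the lambda is entered; the lambda continues to capture a raw `this`, and if the owner can release PDFDialog while the async dialog is still showing (not visible from this hunk), constructing `xThis` would itself be a heap-use-after-free of the same kind the commit addresses. If that ordering is possible, the reference belongs in the capture list, `[xThis = rtl::Reference<PDFDialog>(this), xListener](sal_Int32 nResponse)`, with the body going through it, e.g. `xThis->executedAsyncDialog( xThis->m_xAsyncDialog, nResponse );`, at the cost of the dialog holding PDFDialog alive until its stored callback is released. Either way the comment would be more useful stating the mechanism rather than the symptom, e.g. `// hold a ref: xListener->dialogClosed() may release the owner's last reference, and m_xAsyncDialog is still used after it returns`. The lambda body and runAsync continue past the end of the hunk.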