svl/source/items/IndexedStyleSheets.cxx | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
New commits: commit 0e0cf37dde9112b8ccf1cf0e759bf3aadf78dd66 Author: Patrick Luby <guibmac...@gmail.com> AuthorDate: Thu Jul 18 21:38:01 2024 -0400 Commit: Adolfo Jayme Barrientos <fit...@ubuntu.com> CommitDate: Thu Jul 25 07:39:40 2024 +0200 tdf#161729 clear style sheets in same order as they were added std::vector::clear() appears to delete elements in the reverse order added. In the case of tdf#161729, a style sheet's SfxItemSet can have a parent SfxItemSet and that parent is the SfxItemSet for a style sheet added later. Deleting from the end of the vector deletes a style sheet and its SfxItemSet. If the now deleted SfxItemSet is a parent SfxItemSet of a style sheet that was added earlier, the style sheet added earlier will now have an SfxItemSet with its parent set to an already deleted pointer. And so a crash will occur when that earlier style sheet is deleted. rxStyleSheet.clear(); Change-Id: I8ce7023fce8b01432cb3c9288a8f83e7a2f0f2d8 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/170707 Tested-by: Jenkins Reviewed-by: Patrick Luby <guibomac...@gmail.com> Reviewed-by: Noel Grandin <noel.gran...@collabora.co.uk> (cherry picked from commit 926ed71244c20d5a96d0f20b7c4edfb9e645a667) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/170733 Reviewed-by: Adolfo Jayme Barrientos <fit...@ubuntu.com>
diff --git a/svl/source/items/IndexedStyleSheets.cxx b/svl/source/items/IndexedStyleSheets.cxx
index 0db2f201f35f..5d2ddf8299f9 100644
--- a/svl/source/items/IndexedStyleSheets.cxx
+++ b/svl/source/items/IndexedStyleSheets.cxx
@@ -183,8 +183,21 @@ sal_Int32 IndexedStyleSheets::FindStyleSheetPosition(const SfxStyleSheetBase& st
 
 void IndexedStyleSheets::Clear(StyleSheetDisposer& disposer)
 {
- for (const auto& rxStyleSheet : mStyleSheets) {
+ for (auto& rxStyleSheet : mStyleSheets) {
 disposer.Dispose(rxStyleSheet);
+
+ // tdf#161729 clear style sheets in same order as they were added
+ // std::vector::clear() appears to delete elements in the
+ // reverse order added. In the case of tdf#161729, a style
+ // sheet's SfxItemSet can have a parent SfxItemSet and that
+ // parent is the SfxItemSet for a style sheet added later.
+ // Deleting from the end of the vector deletes a style sheet
+ // and its SfxItemSet. If the now deleted SfxItemSet is a
+ // parent SfxItemSet of a style sheet that was added earlier,
+ // the style sheet added earlier will now have an SfxItemSet
+ // with its parent set to an already deleted pointer. And so
+ // a crash will occur when that earlier style sheet is deleted.
+ rxStyleSheet.clear();
 }
 mStyleSheets.clear();
 mPositionsByName.clear();
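Review bot: The forward-order release added to the loop in `Clear` is only safe when every child sheet precedes its parent in `mStyleSheets`; going by the commit message's own reasoning, a parent that was added before its child would now be freed first and the child's SfxItemSet would keep a dangling parent pointer, which is the same use-after-free in mirror image. Nothing in the hunk enforces that insertion order, and `rxStyleSheet.clear()` frees the sheet only if this container holds the last reference, so both assumptions deserve to be written down or checked. The comment should also say that the standard leaves the destruction order of `std::vector::clear()` unspecified rather than that it "appears" reversed, e.g. `// Element destruction order in std::vector::clear() is unspecified, so release explicitly; assumes a child sheet is stored before its parent.` A fix that does not depend on ordering would sever each item set's parent link before any sheet is released, if `disposer.Dispose()` does not already do so (not visible here). `Clear`'s body ends outside the hunk.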