svl/source/items/itemset.cxx |    2 ++
 1 file changed, 2 insertions(+)

New commits:
commit cc77efd66f7a2d2486df1bd7ddcb58fac4585159
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Mar 19 13:01:27 2025 +0100
Commit:     Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Fri Apr 4 00:00:55 2025 +0200

    svl: fix SfxItemSet UBSan issue in test_tdf163325_toc_preview_crash
    
    SfxItemSet::ClearAllItemsImpl() decrements the refcount of items but
    does not actually remove the items from the set.
    
    This causes UBSan to report:
    
      make -C sw -r UITest_writer_tests5 
UITEST_TEST_NAME="tdf163325.tdf163325.test_tdf163325_toc_preview_crash"
    
      include/svl/itemset.hxx:178:16: runtime error: downcast of address 
0x60d000107030 which does not point to an object of type 'const SvxColorItem'
      0x60d000107030: note: object has invalid vptr
      00 00 00 00  21 05 80 45 00 00 00 00  00 00 00 00 03 00 be be  a7 14 00 
00 b8 be be be  ff ff ff ff
                   ^~~~~~~~~~~~~~~~~~~~~~~
                   invalid vptr
    
      0 SvxColorItem const& 
SfxItemSet::Get<SvxColorItem>(TypedWhichId<SvxColorItem>, bool) const 
/include/svl/itemset.hxx:178:16
      1 SwAttrSet::GetColor(bool) const /sw/inc/charatr.hxx:90:16
      2 SwFont::SwFont(SwAttrSet const*, IDocumentSettingAccess const*) 
/sw/source/core/txtnode/swfont.cxx:763:25
      3 SwTextFrame::EmptyHeight() const /sw/source/core/text/porrst.cxx:371:24
      4 SwTextFrame::FormatEmpty() /sw/source/core/text/porrst.cxx:423:22
      5 SwTextFrame::Format() /sw/source/core/text/frmform.cxx:2146:22
      6 SwContentFrame::MakeAll() /sw/source/core/layout/calcmove.cxx:1611:17
      7 SwFrame::PrepareMake() /sw/source/core/layout/calcmove.cxx:342:29
      8 SwFrame::Calc() const /sw/source/core/layout/trvlfrm.cxx:1849:37
      9 SwTextFrame::GetFormatted() /sw/source/core/text/txtfrm.cxx:3628:9
     10 SwTextFrame::GetCharRect() const /sw/source/core/text/frmcrsr.cxx:197:13
     11 SwCursorShell::UpdateCursor() /sw/source/core/crsr/crsrsh.cxx:2314:26
     12 SwCursorShell::EndAction() /sw/source/core/crsr/crsrsh.cxx:280:5
     13 SwEditShell::EndAllAction() /sw/source/core/edit/edws.cxx:102:25
     14 SwDocShell::LoadStyles_() /sw/source/uibase/app/docst.cxx:1689:26
     15 SwMultiTOXTabDialog::CreateExample_Hdl() 
/sw/source/ui/index/cntex.cxx:93:34
    
    This was fixed in master towards libreoffice-25-2 by commit
    290c8f6e048fedf63437e3fdf629555ac89dd3ad "ITEM: Change SfxItemSet to use
    unordered_set" but that is slightly inappropriate to backport.
    
    (regression from commit c1f3b34f871d2a6bb9ee7b912492be1164eec96f)
    
    Change-Id: I4fecb3e50af22f35d0db4bf6b5788ade8bb6677f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/183126
    Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    Tested-by: Jenkins
    Reviewed-by: Armin Le Grand <armin.le.gr...@me.com>

diff --git a/svl/source/items/itemset.cxx b/svl/source/items/itemset.cxx
index 4b1207a697aa..4455a1cab880 100644
--- a/svl/source/items/itemset.cxx
+++ b/svl/source/items/itemset.cxx
@@ -1027,6 +1027,8 @@ sal_uInt16 SfxItemSet::ClearAllItemsImpl()
         }
 
         implCleanupItemEntry(rCandidate);
+
+        rCandidate = nullptr; // clear entry in itemset!
     }
 
     // remember count before resetting it, that is the retval
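Review bot: The new `rCandidate = nullptr;` is the whole fix, yet its comment (`// clear entry in itemset!`) says what the line does rather than why it must stay, so a later tidy-up could drop it as redundant. Suggest `// implCleanupItemEntry released our reference; leave no dangling pointer behind, or a later Get() dereferences a freed item` so the use-after-free described in the commit message is visible at the line itself. If implCleanupItemEntry takes the entry by reference (I cannot see its signature from this hunk), nulling the entry inside it would give every caller the same guarantee instead of relying on each call site. ClearAllItemsImpl's body continues outside the hunk on both sides.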
