sw/source/core/doc/DocumentRedlineManager.cxx |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 4c22d0fb160bd34826202d9e3a1c667d104ab432
Author:     Miklos Vajna <vmik...@collabora.com>
AuthorDate: Fri May 30 13:15:03 2025 +0200
Commit:     Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Fri May 30 13:49:40 2025 +0200

    sw: fix crash in lcl_AcceptInnerDelete()
    
    CppunitTest_sw_core_doc's testDelThenFormat fails with sanitizers:
    
            READ of size 8 at 0x612000218968 thread T0
                #0 0x7fdfe2f5bd1f in SwPaM::GetDoc() const sw/inc/pam.hxx:290:38
                #1 0x7fdfe49bf477 in (anonymous namespace)::lcl_AcceptInnerDelete(SwRangeRedline&, SwRedlineTable&, unsigned long&, bool) sw/source/core/doc/DocumentRedlineManager.cxx:1027:32
            0x612000218968 is located 168 bytes inside of 272-byte region [0x6120002188c0,0x6120002189d0)
            freed by thread T0 here:
                #0 0x55826dc0454b in operator delete(void*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-15.0.7.src/build/../projects/compiler-rt/lib/asan/asan_new_delete.cpp:164:3
                #1 0x7fdfe44709bf in SwRedlineTable::DeleteAndDestroy(unsigned long) sw/source/core/doc/docredln.cxx:728:5
                #2 0x7fdfe49dd9ab in (anonymous namespace)::lcl_RejectRedline(SwRedlineTable&, unsigned long&, bool, SwPosition const*, SwPosition const*) sw/source/core/doc/DocumentRedlineManager.cxx:991:22
                #3 0x7fdfe49bf313 in (anonymous namespace)::lcl_AcceptInnerDelete(SwRangeRedline&, SwRedlineTable&, unsigned long&, bool) sw/source/core/doc/DocumentRedlineManager.cxx:1025:17
            SUMMARY: AddressSanitizer: heap-use-after-free /sw/inc/pam.hxx:290:38 in SwPaM::GetDoc() const
    
    Fetch the SwDoc pointer earlier to not interact with the deleted
    redline.
    
    Change-Id: I523ffbab647cdcd4acaf8f8068dccf3585573a9b
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/186039
    Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>

diff --git a/sw/source/core/doc/DocumentRedlineManager.cxx 
b/sw/source/core/doc/DocumentRedlineManager.cxx
index cde8434a6641..03e597162618 100644
--- a/sw/source/core/doc/DocumentRedlineManager.cxx
+++ b/sw/source/core/doc/DocumentRedlineManager.cxx
@@ -1021,10 +1021,10 @@ namespace
     {
         bool bRet = false;
 
+        SwDoc& rDoc = rRedline.GetDoc();
         SwPaM aPam(*rRedline.Start(), *rRedline.End());
         bRet |= lcl_RejectRedline(rRedlines, rRedlineIndex, bCallDelete);
         // Handles undo/redo itself.
-        SwDoc& rDoc = rRedline.GetDoc();
         rDoc.getIDocumentContentOperations().DeleteRange(aPam);
 
         return bRet;
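Review bot: the lifetime constraint that makes this ordering necessary is not documented at the lcl_RejectRedline(rRedlines, rRedlineIndex, bCallDelete) call, so the moved declaration of rDoc looks like an arbitrary reordering that a later cleanup could undo. Per the ASan trace in the commit message, that call can reach SwRedlineTable::DeleteAndDestroy() and free the object rRedline refers to, which leaves rRedline dangling for the rest of the function. Please add a short comment above the call stating that rRedline may be destroyed by it and must not be used afterwards, and that everything needed from it (rDoc, aPam) has to be captured first. The existing "// Handles undo/redo itself." comment now sits directly under the call but describes the DeleteRange() line two lines below; moving it next to that line would avoid it being read as a remark about lcl_RejectRedline.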
