sd/source/ui/unoidl/unomodel.cxx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
New commits: commit 26d32a845913d7168b93f395358cb4b9d26713f5 Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Tue Jul 1 20:36:18 2025 +0100 Commit: Michael Weghorn <m.wegh...@posteo.de> CommitDate: Fri Jul 11 07:29:02 2025 +0200 use-after-free on deleted ViewShell #0 0x00007eef974b992d in __dynamic_cast () from /lib/x86_64-linux-gnu/libstdc++.so.6 #1 0x00007eef83ffb326 in SdXImpressDocument::GetViewShell (this=this@entry=0x5511adc0) at sd/source/ui/unoidl/unomodel.cxx:3848 #2 0x00007eef83ffb6dc in SdXImpressDocument::setClipboard (this=0x5511adc0, xClipboard=...) at sd/source/ui/unoidl/unomodel.cxx:4457 #3 0x00007eef9336a4f8 in (anonymous namespace)::forceSetClipboardForCurrentView (pThis=<optimized out>) at desktop/source/lib/init.cxx:1379 3848 DrawViewShell* pViewSh = dynamic_cast<DrawViewShell*>(mpDocShell->GetViewShell()); (gdb) print mbDisposed $1 = true an earlier sanitizer trace is: program/../program/libsdlo.so sd::DrawDocShell::GetViewShell() libreoffice/sd/source/ui/inc/DrawDocShell.hxx:109 program/../program/libsdlo.so SdXImpressDocument::GetViewShell() libreoffice/sd/source/ui/unoidl/unomodel.cxx:3105 program/../program/libsdlo.so SdXImpressDocument::setClipboard(com::sun::star::uno::Reference<com::sun::star::datatransfer::clipboard::XClipboard> const&) libreoffice/sd/source/ui/unoidl/unomodel.cxx:3676 program/libmergedlo.so (anonymous namespace)::forceSetClipboardForCurrentView(_LibreOfficeKitDocument*) libreoffice/desktop/source/lib/init.cxx:1324 program/libmergedlo.so doc_createViewWithOptions(_LibreOfficeKitDocument*, char const*) libreoffice/desktop/source/lib/init.cxx:6895 /usr/bin/coolforkit lok::Document::createView(char const*) libreoffice/include/LibreOfficeKit/LibreOfficeKit.hxx:549 /usr/bin/coolforkit Document::load(std::shared_ptr<ChildSession> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) kit/Kit.cpp:1912 /usr/bin/coolforkit 
Document::onLoad(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) kit/Kit.cpp:1230 /usr/bin/coolforkit ChildSession::loadDocument(StringVector const&) kit/ChildSession.cpp:905 /usr/bin/coolforkit ChildSession::_handleInput(char const*, int) kit/ChildSession.cpp:297 /usr/bin/coolforkit Session::handleMessage(std::vector<char, std::allocator<char> > const&) common/Session.cpp:288 /usr/bin/coolforkit Document::forwardToChild(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char, std::allocator<char> > const&) kit/Kit.cpp:2048 /usr/bin/coolforkit Document::drainQueue() kit/Kit.cpp:2271 /usr/bin/coolforkit KitSocketPoll::drainQueue() kit/Kit.cpp:2668 /usr/bin/coolforkit KitSocketPoll::kitPoll(int) kit/Kit.cpp:2747 /usr/bin/coolforkit pollCallback(void*, int) kit/Kit.cpp:2838 program/libmergedlo.so SvpSalInstance::ImplYield(bool, bool) libreoffice/vcl/headless/svpinst.cxx:430 program/libmergedlo.so SvpSalInstance::DoYield(bool, bool) libreoffice/vcl/headless/svpinst.cxx:471 program/libmergedlo.so ImplYield(bool, bool) libreoffice/vcl/source/app/svapp.cxx:396 program/libmergedlo.so Application::Yield() libreoffice/vcl/source/app/svapp.cxx:480 program/libmergedlo.so Application::Execute() libreoffice/vcl/source/app/svapp.cxx:374 program/libmergedlo.so desktop::Desktop::Main() libreoffice/desktop/source/app/app.cxx:1605 program/libmergedlo.so ImplSVMain() libreoffice/vcl/source/app/svmain.cxx:229 program/libmergedlo.so soffice_main libreoffice/desktop/source/app/sofficemain.cxx:94 program/libmergedlo.so lo_runLoop(_LibreOfficeKit*, int (*)(void*, int), void (*)(void*), void*) libreoffice/desktop/source/lib/init.cxx:7735 /usr/bin/coolforkit lok::Office::runLoop(int (*)(void*, int), void (*)(void*), void*) 
libreoffice/include/LibreOfficeKit/LibreOfficeKit.hxx:1128 /usr/bin/coolforkit lokit_main(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, bool, bool, bool, bool, bool, unsigned long) kit/Kit.cpp:3495 /usr/bin/coolforkit createLibreOfficeKit(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, bool) kit/ForKit.cpp:450 /usr/bin/coolforkit forkLibreOfficeKit(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) kit/ForKit.cpp:500 /usr/bin/coolforkit forkit_main(int, char**) kit/ForKit.cpp:876 /usr/bin/coolforkit main kit/forkit-main.cpp:19 /lib64/libc.so.6 __libc_start_main ??:? /usr/bin/coolforkit _start ??:? 
freed by thread T0 (kitbroker_011) here: /usr/bin/coolforkit operator delete(void*, unsigned long) /home/collabora/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_new_delete.cpp:172 (discriminator 5) program/libmergedlo.so SfxViewFrame::ReleaseObjectShell_Impl() libreoffice/sfx2/source/view/viewfrm.cxx:1167 program/libmergedlo.so ~SfxViewFrame libreoffice/sfx2/source/view/viewfrm.cxx:1977 program/libmergedlo.so SfxViewFrame::Close() libreoffice/sfx2/source/view/viewfrm.cxx:1189 program/libmergedlo.so SfxFrame::DoClose_Impl() libreoffice/sfx2/source/view/frame.cxx:138 Change-Id: Iec746b4473a20ba9c6b5e338f64f9f2380e2db13 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187258 Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com> Tested-by: Jenkins (cherry picked from commit 5de2f6822a06a92216b65cf241116404733f88ca) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187273 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit f22f14aeb7f82cf3a7c3eb8b42f58fd99b3347e0) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187317 Reviewed-by: Ilmari Lauhakangas <ilmari.lauhakan...@libreoffice.org> Reviewed-by: Michael Weghorn <m.wegh...@posteo.de> Tested-by: Michael Weghorn <m.wegh...@posteo.de> diff --git a/sd/source/ui/unoidl/unomodel.cxx b/sd/source/ui/unoidl/unomodel.cxx index 532195433da4..fb13ca2ac236 100644 --- a/sd/source/ui/unoidl/unomodel.cxx +++ b/sd/source/ui/unoidl/unomodel.cxx @@ -4748,9 +4748,9 @@ void SAL_CALL SdXImpressDocument::dispose() mxTransGradientTable = nullptr; mxMarkerTable = nullptr; mxDrawingPool = nullptr; + mpDocShell = nullptr; } - SdDrawPagesAccess::SdDrawPagesAccess( SdXImpressDocument& rMyModel ) noexcept : mpModel( &rMyModel) {
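Review bot: With `mpDocShell = nullptr;` added at the end of `dispose()`, a post-dispose call into `SdXImpressDocument::GetViewShell` looks like it will dereference a null pointer instead of a dangling one, because the line quoted in the commit message, `dynamic_cast<DrawViewShell*>(mpDocShell->GetViewShell())`, uses `mpDocShell` unchecked. `GetViewShell` and `setClipboard` are outside this hunk, so this only holds if neither already tests for a disposed model; the trace shows `setClipboard` reaching `GetViewShell` with `mbDisposed` true. I would add `if (!mpDocShell) return nullptr;` at the top of `GetViewShell`, so the `forceSetClipboardForCurrentView` path becomes a clean no-op rather than a crash, and check the other members that read `mpDocShell` for the same assumption. The body of `dispose()` starts above the hunk, so any existing guard there is not visible from here.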