sd/source/ui/unoidl/DrawController.cxx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
New commits: commit ecb65b032dc169cda9e5beed2d2a61ab47619bdb Author: Mike Kaganski <[email protected]> AuthorDate: Mon Sep 29 10:18:15 2025 +0200 Commit: Xisco Fauli <[email protected]> CommitDate: Mon Sep 29 12:53:25 2025 +0200 tdf#168599: don't create Any from a direct reference to an interface An oversight from commit 3cb0678a9cac9a681903b5a082d1c5dd5f25f665 (fix dodgy DrawController::fireChangeLayer code, 2025-03-05). This goes through this ctor: template <typename T> inline Any::Any( T const & value ) { ::uno_type_any_construct( this, const_cast<T *>(&value), ::cppu::getTypeFavourUnsigned(&value).getTypeLibType(), cpp_acquire ); } which gets a valid type for the value (typelib_TypeClass_INTERFACE), and then uses a raw pointer in uno_type_any_construct. This crashes (0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF) because _copyConstructAnyFromData assumes the typelib_TypeClass_INTERFACE case to have a pointer to pointer (a pointer to css::uno::Reference, which is itself a lone pointer), with this stack: sdlo.dll!com::sun::star::uno::cpp_acquire(void * pCppI) Line 47 cppu3.dll!cppu::_acquire(void * p, void(*)(void *) acquire) Line 70 cppu3.dll!cppu::_copyConstructAnyFromData(_uno_Any * pDestAny, void * pSource, _typelib_TypeDescriptionReference * pType, _typelib_TypeDescription * pTypeDescr, void(*)(void *) acquire, _uno_Mapping * mapping) Line 243 cppu3.dll!cppu::_copyConstructAny(_uno_Any * pDestAny, void * pSource, _typelib_TypeDescriptionReference * pType, _typelib_TypeDescription * pTypeDescr, void(*)(void *) acquire, _uno_Mapping * mapping) Line 284 cppu3.dll!uno_type_any_construct(_uno_Any * pDest, void * pSource, _typelib_TypeDescriptionReference * pType, void(*)(void *) acquire) Line 69 sdlo.dll!com::sun::star::uno::Any::Any<com::sun::star::drawing::XLayer>(const com::sun::star::drawing::XLayer & value) Line 68 sdlo.dll!sd::DrawController::fireChangeLayer(const com::sun::star::uno::Reference<com::sun::star::drawing::XLayer> & xNewLayer) 
Line 473 sdlo.dll!sd::DrawViewShell::SetActiveTabLayerIndex(int nIndex) Line 635 sdlo.dll!sd::FuPoor::SwitchLayer(long nOffset) Line 1060 sdlo.dll!sd::FuPoor::KeyInput(const KeyEvent & rKEvt) Line 493 sdlo.dll!sd::FuDraw::KeyInput(const KeyEvent & rKEvt) Line 432 sdlo.dll!sd::FuSelection::KeyInput(const KeyEvent & rKEvt) Line 1056 sdlo.dll!sd::ViewShell::KeyInput(const KeyEvent & rKEvt, sd::Window * pWin) Line 530 sdlo.dll!sd::DrawViewShell::KeyInput(const KeyEvent & rKEvt, sd::Window * pWin) Line 252 sdlo.dll!sd::Window::KeyInput(const KeyEvent & rKEvt) Line 226 vcllo.dll!ImplHandleKey(vcl::Window * pWindow, NotifyEventType nSVEvent, unsigned short nKeyCode, unsigned short nCharCode, unsigned short nRepeat, bool bForward) Line 1236 vcllo.dll!ImplWindowFrameProc(vcl::Window * _pWindow, SalEvent nEvent, const void * pEvent) Line 2742 vcllo.dll!SalFrame::CallCallback(SalEvent nEvent, const void * pEvent) Line 310 vclplug_winlo.dll!ImplHandleKeyMsg(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam, __int64 & rResult) Line 4011 vclplug_winlo.dll!SalFrameWndProc(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam, bool & rDef) Line 5925 vclplug_winlo.dll!SalFrameWndProcW(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 6226 user32.dll!UserCallWinProcCheckWow(struct _ACTIVATION_CONTEXT *,__int64 (*)(struct tagWND *,unsigned int,unsigned __int64,__int64),struct HWND__ *,enum _WM_VALUE,unsigned __int64,__int64,void *,int) user32.dll!CallWindowProcW() opengl32.dll!wglWndProc() user32.dll!UserCallWinProcCheckWow(struct _ACTIVATION_CONTEXT *,__int64 (*)(struct tagWND *,unsigned int,unsigned __int64,__int64),struct HWND__ *,enum _WM_VALUE,unsigned __int64,__int64,void *,int) user32.dll!DispatchMessageWorker() vclplug_winlo.dll!ImplSalDispatchMessage(const tagMSG * pMsg) Line 431 vclplug_winlo.dll!ImplSalYield(bool bWait, bool bHandleAllCurrentEvents) Line 500 
vclplug_winlo.dll!WinSalInstance::DoYield(bool bWait, bool bHandleAllCurrentEvents) Line 537 vcllo.dll!ImplYield(bool i_bWait, bool i_bAllEvents) Line 389 vcllo.dll!Application::Yield() Line 492 vcllo.dll!Application::Execute() Line 365 sofficeapp.dll!desktop::Desktop::Main() Line 1682 vcllo.dll!ImplSVMain() Line 230 vcllo.dll!SVMain() Line 249 sofficeapp.dll!soffice_main() Line 122 soffice.bin!sal_main() Line 51 soffice.bin!main(int argc, char * * argv) Line 49 soffice.bin!invoke_main() Line 79 soffice.bin!__scrt_common_main_seh() Line 288 soffice.bin!__scrt_common_main() Line 331 soffice.bin!mainCRTStartup(void * __formal) Line 17 kernel32.dll!BaseThreadInitThunk() ntdll.dll!RtlUserThreadStart() Change-Id: Ib61823e74b260d262adbaa5d3d63232b599d3cac Reviewed-on: https://gerrit.libreoffice.org/c/core/+/191593 Reviewed-by: Mike Kaganski <[email protected]> Tested-by: Jenkins (cherry picked from commit 16a0b42a4f79a20a2aaf8dd443c55b81a8084351) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/191607 Reviewed-by: Xisco Fauli <[email protected]>
diff --git a/sd/source/ui/unoidl/DrawController.cxx b/sd/source/ui/unoidl/DrawController.cxx
index c3031a8f232c..43d5cce3e704 100644
--- a/sd/source/ui/unoidl/DrawController.cxx
+++ b/sd/source/ui/unoidl/DrawController.cxx
@@ -457,7 +457,7 @@ void DrawController::fireChangeLayer( const css::uno::Reference< css::drawing::X
 {
 sal_Int32 nHandle = PROPERTY_ACTIVE_LAYER;
- Any aNewValue ( *xNewLayer);
+ Any aNewValue (xNewLayer);
 Any aOldValue ;
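Review bot: The corrected line `Any aNewValue (xNewLayer);` carries nothing that tells the next editor why the `Reference` itself must be passed, and the commit message shows that `*xNewLayer` compiled cleanly and only failed at run time, so the mistake is easy to reintroduce. I would add a comment above it such as `// Pass the Reference, not *xNewLayer: Any(T const&) on an interface type treats the object's address as a pointer to a Reference and crashes (tdf#168599)`. The diffstat lists only this file, so no regression test accompanies the fix; a test that drives the layer switch seen in the stack trace would keep this path covered. Other `Any` constructions in this file are not visible here and may deserve the same check. fireChangeLayer's body starts before and continues past the hunk.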
