sc/source/core/data/fillinfo.cxx | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
New commits: commit 35a74a00ee3b3f1b375c3353a873bc3e358258dd Author: Bayram Çiçek <[email protected]> AuthorDate: Tue Oct 28 16:53:49 2025 +0300 Commit: Bayram Çiçek <[email protected]> CommitDate: Wed Oct 29 16:36:23 2025 +0100 tdf#169115: sc: fix use-after-free bug in ScDocument::FillInfo backtrace: ==203082== Invalid read of size 8 ==203082== at 0x933730C: std::_Hashtable<unsigned short, std::pair<unsigned short const, SfxPoolItem const*>, std::allocator<std::pair<unsigned short const, SfxPoolItem const*> >, std::__detail::_Select1st, std::equal_to<unsigned short>, std::hash<unsigned short>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::size() const (hashtable.h:662) ==203082== by 0x933B57C: std::_Hashtable<unsigned short, std::pair<unsigned short const, SfxPoolItem const*>, std::allocator<std::pair<unsigned short const, SfxPoolItem const*> >, std::__detail::_Select1st, std::equal_to<unsigned short>, std::hash<unsigned short>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_locate(unsigned short const&) const (hashtable.h:2264) ==203082== by 0x9339895: std::_Hashtable<unsigned short, std::pair<unsigned short const, SfxPoolItem const*>, std::allocator<std::pair<unsigned short const, SfxPoolItem const*> >, std::__detail::_Select1st, std::equal_to<unsigned short>, std::hash<unsigned short>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::find(unsigned short const&) const (hashtable.h:1929) ==203082== by 0x93380C6: std::__cxx1998::unordered_map<unsigned short, SfxPoolItem const*, std::hash<unsigned short>, std::equal_to<unsigned short>, std::allocator<std::pair<unsigned short const, SfxPoolItem const*> > 
>::find(unsigned short const&) const (unordered_map.h:958) ==203082== by 0x93367A4: std::__debug::unordered_map<unsigned short, SfxPoolItem const*, std::hash<unsigned short>, std::equal_to<unsigned short>, std::allocator<std::pair<unsigned short const, SfxPoolItem const*> > >::find(unsigned short const&) const (unordered_map:635) ==203082== by 0x9329A7D: SfxItemSet::Get(unsigned short, bool) const (itemset.cxx:922) ==203082== by 0x22AB22AE: ScPatternAttr::GetItem(unsigned short) const (patattr.hxx:167) ==203082== by 0x22AB7610: ScMergeAttr const& ScPatternAttr::GetItem<ScMergeAttr>(TypedWhichId<ScMergeAttr>) const (patattr.hxx:170) ==203082== by 0x2305FEAE: lcl_GetMergeRange(short, int, unsigned long, ScDocument const*, RowInfo*, short, int, short, short&, int&, short&, int&) (fillinfo.cxx:110) ==203082== by 0x230628A1: ScDocument::FillInfo(ScTableInfo&, short, int, short, int, short, double, double, bool, bool, ScMarkData const*) (fillinfo.cxx:710) ==203082== by 0x24216D6F: ScPrintFunc::PrintArea(short, int, short, int, long, long, bool, bool, bool, bool) (printfun.cxx:1610) ==203082== by 0x2421B6FC: ScPrintFunc::PrintPage(long, short, int, short, int, bool, ScPreviewLocationData*) (printfun.cxx:2329) ==203082== by 0x2421D378: ScPrintFunc::DoPrint(MultiSelection const&, long, long, bool, ScPreviewLocationData*) (printfun.cxx:2741) ==203082== by 0x23F9ABB4: ScModelObj::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (docuno.cxx:2824) ==203082== by 0x2F7769C2: PDFExport::ExportSelection(vcl::pdf::PDFWriter&, com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, com::sun::star::uno::Any const&, StringRangeEnumerator const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) (pdfexport.cxx:185) ==203082== by 0x2F77C1AA: PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) 
(pdfexport.cxx:1180) ==203082== by 0x2F793CBA: PDFFilter::implExport(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdffilter.cxx:182) ==203082== by 0x2F794634: PDFFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdffilter.cxx:247) ==203082== by 0x87819F0: SfxObjectShell::ExportTo(SfxMedium&) (objstor.cxx:2908) ==203082== by 0x877ADD8: SfxObjectShell::SaveTo_Impl(SfxMedium&, SfxItemSet const*) (objstor.cxx:1929) ==203082== by 0x8784F5F: SfxObjectShell::PreDoSaveAs_Impl(rtl::OUString const&, rtl::OUString const&, SfxItemSet const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (objstor.cxx:3421) ==203082== by 0x8783956: SfxObjectShell::CommonSaveAs_Impl(INetURLObject const&, rtl::OUString const&, SfxItemSet&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (objstor.cxx:3212) ==203082== by 0x8758B98: SfxObjectShell::APISaveAs_Impl(std::basic_string_view<char16_t, std::char_traits<char16_t> >, SfxItemSet&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (objserv.cxx:323) ==203082== by 0x87EC565: SfxBaseModel::impl_store(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, bool) (sfxbasemodel.cxx:3253) ==203082== by 0x87E313A: SfxBaseModel::storeToURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (sfxbasemodel.cxx:1834) ==203082== by 0x4A36155: desktop::DispatchWatcher::executeDispatchRequests(std::__debug::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool, desktop::DispatchRequestFlags*) (dispatchwatcher.cxx:719) ==203082== by 0x4A51E6E: desktop::RequestHandler::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&, bool) (officeipcthread.cxx:1316) ==203082== by 0x49F1B07: desktop::Desktop::OpenClients() (app.cxx:2221) ==203082== by 
0x49F0158: desktop::Desktop::OpenClients_Impl(void*) (app.cxx:1981) ==203082== by 0x49EFF3E: desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) (app.cxx:1965) ==203082== by 0xDD827EE: Link<void*, void>::Call(void*) const (link.hxx:105) ==203082== by 0xDD7F4DC: ImplHandleUserEvent(ImplSVEvent*) (winproc.cxx:2312) ==203082== by 0xDD8181B: ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (winproc.cxx:2869) ==203082== by 0xE862B5D: SalFrame::CallCallback(SalEvent, void const*) const (salframe.hxx:310) ==203082== by 0xE8829B1: SvpSalInstance::ProcessEvent(SalUserEventList::SalUserEvent) (svpinst.cxx:291) ==203082== by 0xE2EBFC0: SalUserEventList::DispatchUserEvents(bool)::{lambda()#1}::operator()() const (salusereventlist.cxx:119) ==203082== by 0xE2EC299: SalUserEventList::DispatchUserEvents(bool) (salusereventlist.cxx:120) ==203082== by 0xE8831CA: SvpSalInstance::ImplYield(bool, bool) (svpinst.cxx:444) ==203082== by 0xE883611: SvpSalInstance::DoYield(bool, bool) (svpinst.cxx:523) ==203082== by 0xE3A347C: ImplYield(bool, bool) (svapp.cxx:389) ==203082== by 0xE3A4168: Application::Yield() (svapp.cxx:492) ==203082== by 0xE3A2E8B: Application::Execute() (svapp.cxx:364) ==203082== by 0x49EE737: desktop::Desktop::Main() (app.cxx:1681) ==203082== by 0xE3CC959: ImplSVMain() (svmain.cxx:230) ==203082== by 0xE3CCA1A: SVMain() (svmain.cxx:248) ==203082== by 0x4A5AEEC: soffice_main (sofficemain.cxx:122) ==203082== by 0x40009D0: sal_main (main.c:51) ==203082== by 0x40009B6: main (main.c:49) ==203082== Address 0x2c9fb388 is 120 bytes inside a block of size 224 free'd ==203082== at 0x48508DD: operator delete(void*, unsigned long) (vg_replace_malloc.c:1181) ==203082== by 0x231265C0: CellAttributeHelper::doUnregister(ScPatternAttr const&) (patattr.cxx:157) ==203082== by 0x231277BE: CellAttributeHolder::setScPatternAttr(ScPatternAttr const*, bool) (patattr.cxx:362) ==203082== by 0x22AB2499: ScAttrEntry::setScPatternAttr(ScPatternAttr const*, bool) (attarray.hxx:95) 
==203082== by 0x22AA826B: ScAttrArray::SetPatternAreaImpl(int, int, CellAttributeHolder const&, ScEditDataArray*) (attarray.cxx:574) ==203082== by 0x22C0939A: ScAttrArray::SetPattern(int, CellAttributeHolder const&) (attarray.hxx:160) ==203082== by 0x22BEFFA4: ScColumn::ApplyAttr(int, SfxPoolItem const&) (column.cxx:565) ==203082== by 0x22C79299: ScColumn::SetNumberFormat(int, unsigned int) (column2.cxx:3301) ==203082== by 0x231EE6EA: ScTable::SetNumberFormat(short, int, unsigned int) (table2.cxx:2331) ==203082== by 0x22E4DCF0: ScDocument::SetNumberFormat(ScAddress const&, unsigned int) (document.cxx:3768) ==203082== by 0x230755FF: ScFormulaCell::InterpretTail(ScInterpreterContext&, ScFormulaCell::ScInterpretTailParameter) (formulacell.cxx:2156) ==203082== by 0x2307385F: ScFormulaCell::Interpret(int, int) (formulacell.cxx:1619) ==203082== by 0x22CCD0F7: ScFormulaCell::MaybeInterpret() (formulacell.hxx:470) ==203082== by 0x230776E9: ScFormulaCell::IsValue() (formulacell.cxx:2761) ==203082== by 0x22D60AEC: lcl_GetCellContent(ScRefCellValue const&, bool, double&, rtl::OUString&, ScDocument const&) (conditio.cxx:774) ==203082== by 0x22D6334B: ScConditionEntry::IsCellValid(ScRefCellValue const&, ScAddress const&) const (conditio.cxx:1273) ==203082== by 0x22D66225: ScConditionalFormat::GetData(ScRefCellValue const&, ScAddress const&) const (conditio.cxx:1897) ==203082== by 0x230608EA: (anonymous namespace)::handleConditionalFormat(ScConditionalFormatList&, o3tl::sorted_vector<unsigned int, std::less<unsigned int>, o3tl::find_unique> const&, ScCellInfo*, ScTableInfo*, ScStyleSheetPool*, ScAddress const&, bool&, bool&, bool) (fillinfo.cxx:293) ==203082== by 0x23061EB3: ScDocument::FillInfo(ScTableInfo&, short, int, short, int, short, double, double, bool, bool, ScMarkData const*) (fillinfo.cxx:564) ==203082== by 0x24216D6F: ScPrintFunc::PrintArea(short, int, short, int, long, long, bool, bool, bool, bool) (printfun.cxx:1610) ==203082== by 0x2421B6FC: 
ScPrintFunc::PrintPage(long, short, int, short, int, bool, ScPreviewLocationData*) (printfun.cxx:2329) ==203082== by 0x2421D378: ScPrintFunc::DoPrint(MultiSelection const&, long, long, bool, ScPreviewLocationData*) (printfun.cxx:2741) [...] Signed-off-by: Bayram Çiçek <[email protected]> Change-Id: I4dfd8fca4b799e8f0fae8563e7beaf781fb30d55 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193095 Reviewed-by: Noel Grandin <[email protected]> Tested-by: Jenkins (cherry picked from commit 1bf9bbea96a0fb508bb3dc917e31362fe2c14e18) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193144 Tested-by: Jenkins CollaboraOffice <[email protected]>
diff --git a/sc/source/core/data/fillinfo.cxx b/sc/source/core/data/fillinfo.cxx
index ef5e3444001d..34da5ff9c10e 100644
--- a/sc/source/core/data/fillinfo.cxx
+++ b/sc/source/core/data/fillinfo.cxx
@@ -561,9 +561,17 @@ void ScDocument::FillInfo(
 if (bContainsCondFormat && pCondFormList)
 {
- bAnyCondition |= handleConditionalFormat(*pCondFormList, rCondFormats,
+ bool bCondition = handleConditionalFormat(*pCondFormList, rCondFormats,
 pInfo, &rTabInfo, pStlPool, ScAddress(nCol, nCurRow, nTab), bHidden, bHideFormula, bTabProtect);
+
+ bAnyCondition |= bCondition;
+
+ // if there is a condition, then old pPatternAttr was deleted.
+ // Therefore, we need to refetch it.
+ if (bCondition && pThisAttrArr->Count())
+ pInfo->pPatternAttr
+ = pThisAttrArr->mvData[nIndex].getScPatternAttr();
 }
 if (bHidden || (bFormulaMode && bHideFormula && pInfo->maCell.getType() == CELLTYPE_FORMULA))
