core.git: Branch 'distro/collabora/co-25.04' - sw/qa sw/source

Mon, 03 Nov 2025 07:31:46 -0800 

 sw/qa/filter/md/data/table.odt |binary
 sw/qa/filter/md/md.cxx         |   14 ++++++++++++++
 sw/source/filter/md/wrtmd.cxx  |    5 +++--
 3 files changed, 17 insertions(+), 2 deletions(-)

New commits:
commit 47a292525ff70327acd28348e8d48d444b8d5c39
Author:     Caolán McNamara <[email protected]>
AuthorDate: Mon Nov 3 12:40:12 2025 +0000
Commit:     Caolán McNamara <[email protected]>
CommitDate: Mon Nov 3 16:31:18 2025 +0100

    null deref of SwOLENode
    
    seen on pasting as markdown from another writer document.
    
    The offending node is a SwNodeType::Table, not SwNodeType::Ole
    
     #0  0x00007fffefeb2a2a in 
std::__uniq_ptr_impl<svt::EmbeddedObjectRef_Impl, 
std::default_delete<svt::EmbeddedObjectRef_Impl> >::_M_ptr (this=0x1d0)
         at /usr/include/c++/15/bits/unique_ptr.h:193
     #1  0x00007fffefeb22fe in std::unique_ptr<svt::EmbeddedObjectRef_Impl, 
std::default_delete<svt::EmbeddedObjectRef_Impl> >::get (this=0x1d0)
         at /usr/include/c++/15/bits/unique_ptr.h:473
     #2  0x00007fffefeb0c70 in std::unique_ptr<svt::EmbeddedObjectRef_Impl, 
std::default_delete<svt::EmbeddedObjectRef_Impl> >::operator-> (this=0x1d0)
         at /usr/include/c++/15/bits/unique_ptr.h:466
     #3  0x00007fffefeaa9fe in svt::EmbeddedObjectRef::is (this=0x1d0) at 
core/svtools/source/misc/embedhlp.cxx:406
     #4  0x00007fff9ad2c6f7 in SwOLEObj::GetOleRef (this=0x1c0) at 
core/sw/source/core/ole/ndole.cxx:1048
     #5  0x00007fff9ad29112 in SwOLENode::GetGraphic (this=0x0) at 
core/sw/source/core/ole/ndole.cxx:316
     #6  0x00007fff9b533a2c in (anonymous namespace)::ApplyFlyFrameFormat 
(rFrameFormat=..., rWrt=..., rChange=...) at 
core/sw/source/filter/md/wrtmd.cxx:187
     #7  0x00007fff9b535f2c in (anonymous namespace)::OutFormattingChange 
(rWrt=..., positions=..., pos=0, current=...)
         at core/sw/source/filter/md/wrtmd.cxx:490
     #8  0x00007fff9b5380ae in (anonymous namespace)::OutMarkdown_SwTextNode 
(rWrt=..., rNode=..., bFirst=false) at core/sw/source/filter/md/wrtmd.cxx:827
     #9  0x00007fff9b53962f in SwMDWriter::Out_SwDoc (this=0xc5d5030, 
pPam=0xc5cc6a8) at core/sw/source/filter/md/wrtmd.cxx:1069
     #10 0x00007fff9b53931f in SwMDWriter::WriteStream (this=0xc5d5030) at 
core/sw/source/filter/md/wrtmd.cxx:1037
     #11 0x00007fff9b578252 in Writer::Write (this=0xc5d5030, rPaM=SwPaM = 
{...}, rStrm=..., pFName=0x0) at core/sw/source/filter/writer/writer.cxx:231
     #12 0x00007fff9b3b6958 in SwWriter::Write (this=0x7fffffffab50, 
rxWriter=..., pRealFileName=0x0) at core/sw/source/filter/basflt/shellio.cxx:871
     #13 0x00007fff9b74914e in SwTransferable::WriteObject (this=0xbeed890, 
rOStream=..., pObject=0xbf05ce0, nObjectType=128)
         at core/sw/source/uibase/dochdl/swdtflvr.cxx:835
     #14 0x00007fffed8d4d27 in TransferableHelper::SetObject (this=0xbeed890, 
pUserObject=0xbf05ce0, nUserObjectId=128, rFlavor=...)
         at core/vcl/source/treelist/transfer.cxx:912
    
    Change-Id: I336a443b33de688d8397dff934c02c6ecc079829
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193349
    Reviewed-by: Michael Stahl <[email protected]>
    Tested-by: Jenkins CollaboraOffice <[email protected]>

diff --git a/sw/qa/filter/md/data/table.odt b/sw/qa/filter/md/data/table.odt
new file mode 100644
index 000000000000..cd8a1c6a0268
Binary files /dev/null and b/sw/qa/filter/md/data/table.odt differ
diff --git a/sw/qa/filter/md/md.cxx b/sw/qa/filter/md/md.cxx
index ac3be4b87c29..a970a270cae4 100644
--- a/sw/qa/filter/md/md.cxx
+++ b/sw/qa/filter/md/md.cxx
@@ -61,6 +61,20 @@ public:
 };
 }
 
+CPPUNIT_TEST_FIXTURE(Test, testExportTableFrame)
+{
+    createSwDoc("table.odt");
+
+    // Without the fix in place, this test would have crashed here
+    save(mpFilter);
+
+    std::string aActual = TempFileToString();
+    std::string aExpected("Text" SAL_NEWLINE_STRING SAL_NEWLINE_STRING
+                          "![]()Text" SAL_NEWLINE_STRING);
+
+    CPPUNIT_ASSERT_EQUAL(aExpected, aActual);
+}
+
 CPPUNIT_TEST_FIXTURE(Test, testExportingBasicElements)
 {
     createSwDoc("basic-elements.fodt");
diff --git a/sw/source/filter/md/wrtmd.cxx b/sw/source/filter/md/wrtmd.cxx
index 8622a40c74cb..df423ad6a334 100644
--- a/sw/source/filter/md/wrtmd.cxx
+++ b/sw/source/filter/md/wrtmd.cxx
@@ -151,7 +151,8 @@ void ApplyFlyFrameFormat(const SwFlyFrameFormat& 
rFrameFormat, SwMDWriter& rWrt,
     SwNodeOffset nStart = rFlyContent.GetContentIdx()->GetIndex() + 1;
     Graphic aGraphic;
     OUString aGraphicURL;
-    if (rWrt.m_pDoc->GetNodes()[nStart]->GetNodeType() == SwNodeType::Grf)
+    SwNodeType eNodeType = rWrt.m_pDoc->GetNodes()[nStart]->GetNodeType();
+    if (eNodeType == SwNodeType::Grf)
     {
         SwGrfNode* pGrfNode = rWrt.m_pDoc->GetNodes()[nStart]->GetGrfNode();
         aGraphic = pGrfNode->GetGraphic();
@@ -171,7 +172,7 @@ void ApplyFlyFrameFormat(const SwFlyFrameFormat& 
rFrameFormat, SwMDWriter& rWrt,
             aGraphicURL = "data:" + aGraphicInBase64;
         }
     }
-    else
+    else if (eNodeType == SwNodeType::Ole)
     {
         SwOLENode* pOLENode = rWrt.m_pDoc->GetNodes()[nStart]->GetOLENode();
         assert(pOLENode->GetGraphic());

Reply via email to