sw/inc/doc.hxx | 2 +- sw/source/core/doc/doctxm.cxx | 14 +++++++++----- sw/source/core/text/itrform2.cxx | 6 +++++- sw/source/core/unocore/unoidx.cxx | 13 +++++++------ 4 files changed, 22 insertions(+), 13 deletions(-)
New commits: commit 389bbaad1d00974f87a7e99a962e7850ad4332f7 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Jan 2 16:22:59 2026 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Sat Jan 3 12:03:09 2026 +0100 crashtesting: UaF in SwTextFormatter::InsertPortion for soffice --headless --convert-to pdf tdf103059-2.odt ==2656459==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c994604b938 at pc 0x7b2929cd73cd bp 0x7ffc818cc110 sp 0x7ffc818cc108 READ of size 8 at 0x7c994604b938 thread T0 #0 0x7b2929cd73cc in SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const core-asan/sw/source/core/text/itrform2.cxx:3220 #1 0x7b2929e02267 in SwTextFormatter::NewExtraPortion(SwTextFormatInfo&) core-asan/sw/source/core/text/txtfld.cxx:285 #2 0x7b2929cccd9d in SwTextFormatter::NewPortion(SwTextFormatInfo&, std::optional<o3tl::strong_int<int, Tag_TextFrameIndex> >) core-asan/sw/source/core/text/itrform2.cxx:1886 #3 0x7b2929cbf0a3 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) core-asan/sw/source/core/text/itrform2.cxx:440 #4 0x7b2929ccec48 in SwTextFormatter::FormatLine(o3tl::strong_int<int, Tag_TextFrameIndex>) core-asan/sw/source/core/text/itrform2.cxx:2102 #5 0x7b2929c10fac in SwTextFrame::FormatLine(SwTextFormatter&, bool) core-asan/sw/source/core/text/frmform.cxx:1458 #6 0x7b2929c14223 in SwTextFrame::Format_(SwTextFormatter&, SwTextFormatInfo&, bool) core-asan/sw/source/core/text/frmform.cxx:1822 #7 0x7b2929e4755c in SwTestFormat::SwTestFormat(SwTextFrame*, SwFrame const*, long) core-asan/sw/source/core/text/txtfrm.cxx:3453 #8 0x7b2929e47e1d in SwTextFrame::TestFormat(SwFrame const*, long&, bool&) core-asan/sw/source/core/text/txtfrm.cxx:3483 #9 0x7b29297645a7 in SwContentFrame::WouldFit_(long, SwLayoutFrame*, bool, bool) core-asan/sw/source/core/layout/calcmove.cxx:2192 #10 0x7b2929756a65 in SwContentFrame::ShouldBwdMoved(SwLayoutFrame*, bool&) core-asan/sw/source/core/layout/calcmove.cxx:199 #11 0x7b292979f8bd in SwFlowFrame::MoveBwd(bool&) core-asan/sw/source/core/layout/flowfrm.cxx:2669 #12 0x7b2929761592 in SwContentFrame::MakeAll(OutputDevice*) core-asan/sw/source/core/layout/calcmove.cxx:1654 #13 0x7b29297578e2 in SwFrame::PrepareMake(OutputDevice*) core-asan/sw/source/core/layout/calcmove.cxx:396 #14 0x7b2929a082af in SwFrame::Calc(OutputDevice*) const core-asan/sw/source/core/layout/trvlfrm.cxx:1858 #15 0x7b29298c2bd0 in lcl_FormatContentOfLayoutFrame core-asan/sw/source/core/layout/objectformattertxtfrm.cxx:688 #16 0x7b29298c2b26 in lcl_FormatContentOfLayoutFrame core-asan/sw/source/core/layout/objectformattertxtfrm.cxx:684 #17 0x7b29298c2b26 in lcl_FormatContentOfLayoutFrame core-asan/sw/source/core/layout/objectformattertxtfrm.cxx:684 #18 0x7b29298c33a4 in SwObjectFormatterTextFrame::FormatAnchorFrameAndItsPrevs(SwTextFrame&) core-asan/sw/source/core/layout/objectformattertxtfrm.cxx:774 #19 0x7b29297c06dd in SwFlyAtContentFrame::MakeAll(OutputDevice*) core-asan/sw/source/core/layout/flycnt.cxx:440 #20 0x7b29297578e2 in SwFrame::PrepareMake(OutputDevice*) core-asan/sw/source/core/layout/calcmove.cxx:396 #21 0x7b2929a082af in SwFrame::Calc(OutputDevice*) const core-asan/sw/source/core/layout/trvlfrm.cxx:1858 #22 0x7b29297bc028 in SwFlyFrame::Calc(OutputDevice*) const core-asan/sw/source/core/layout/fly.cxx:3436 #23 0x7b292984693b in SwLayAction::FormatLayoutFly(SwFlyFrame*) core-asan/sw/source/core/layout/layact.cxx:1553 #24 0x7b29298ba5f3 in SwObjectFormatter::FormatObj_(SwAnchoredObject&) core-asan/sw/source/core/layout/objectformatter.cxx:287 #25 0x7b29298c05fb in SwObjectFormatterTextFrame::DoFormatObj(SwAnchoredObject&, bool) core-asan/sw/source/core/layout/objectformattertxtfrm.cxx:132 #26 0x7b29298ba207 in SwObjectFormatter::FormatObj(SwAnchoredObject&, SwFrame*, SwPageFrame const*, SwLayAction*) core-asan/sw/source/core/layout/objectformatter.cxx:191 #27 0x7b29297b0cc5 in CalcContent(SwLayoutFrame*, bool) core-asan/sw/source/core/layout/fly.cxx:1852 #28 0x7b2929a2c3f0 in SwLayoutFrame::FormatWidthCols(SwBorderAttrs const&, long, long) core-asan/sw/source/core/layout/wsfrm.cxx:4024 #29 0x7b292998a2b2 in SwSectionFrame::Format(OutputDevice*, SwBorderAttrs const*) core-asan/sw/source/core/layout/sectfrm.cxx:1563 #30 0x7b292975d1b7 in SwLayoutFrame::MakeAll(OutputDevice*) core-asan/sw/source/core/layout/calcmove.cxx:1073 #31 0x7b292998618a in SwSectionFrame::MakeAll(OutputDevice*) core-asan/sw/source/core/layout/sectfrm.cxx:932 #32 0x7b29297578e2 in SwFrame::PrepareMake(OutputDevice*) core-asan/sw/source/core/layout/calcmove.cxx:396 #33 0x7b2929a082af in SwFrame::Calc(OutputDevice*) const core-asan/sw/source/core/layout/trvlfrm.cxx:1858 #34 0x7b2929844913 in SwLayAction::FormatLayout(OutputDevice*, SwLayoutFrame*, bool) core-asan/sw/source/core/layout/layact.cxx:1315 #35 0x7b292984617e in SwLayAction::FormatLayout(OutputDevice*, SwLayoutFrame*, bool) core-asan/sw/source/core/layout/layact.cxx:1511 #36 0x7b292984617e in SwLayAction::FormatLayout(OutputDevice*, SwLayoutFrame*, bool) core-asan/sw/source/core/layout/layact.cxx:1511 #37 0x7b292983f951 in SwLayAction::InternalAction(OutputDevice*) core-asan/sw/source/core/layout/layact.cxx:629 #38 0x7b292983d4b7 in SwLayAction::Action(OutputDevice*) core-asan/sw/source/core/layout/layact.cxx:404 #39 0x7b292a7e2aad in SwViewShell::CalcLayout() core-asan/sw/source/core/view/viewsh.cxx:1248 #40 0x7b2929504fd1 in SwEditShell::CalcLayout() core-asan/sw/source/core/edit/edws.cxx:89 #41 0x7b292b84944f in SwXTextDocument::getRendererCount(com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) core-asan/sw/source/uibase/uno/unotxdoc.cxx:2766 #42 0x7b2918f8118b in PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/../program/libpdffilterlo.so+0x16a18b) (BuildId: 3e1e7d533e1cda134f16230425f07ece7cda2894) #43 0x7b2918fb7781 in PDFFilter::implExport(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/../program/libpdffilterlo.so+0x1a0781) (BuildId: 3e1e7d533e1cda134f16230425f07ece7cda2894) #44 0x7b2918fb8c26 in PDFFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/../program/libpdffilterlo.so+0x1a1c26) (BuildId: 3e1e7d533e1cda134f16230425f07ece7cda2894) #45 0x7f2966849fa0 in SfxObjectShell::ExportTo(SfxMedium&) (core-asan/instdir/program/libsfxlo.so+0x2649fa0) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #46 0x7f296683c239 in SfxObjectShell::SaveTo_Impl(SfxMedium&, SfxItemSet const*) (core-asan/instdir/program/libsfxlo.so+0x263c239) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #47 0x7f2966851353 in SfxObjectShell::PreDoSaveAs_Impl(rtl::OUString const&, rtl::OUString const&, SfxItemSet const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/libsfxlo.so+0x2651353) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #48 0x7f296684e6e2 in SfxObjectShell::CommonSaveAs_Impl(INetURLObject const&, rtl::OUString const&, SfxItemSet&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/libsfxlo.so+0x264e6e2) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #49 0x7f29667f24ab in SfxObjectShell::APISaveAs_Impl(std::basic_string_view<char16_t, std::char_traits<char16_t> >, SfxItemSet&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/libsfxlo.so+0x25f24ab) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #50 0x7f29669353f9 in SfxBaseModel::impl_store(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, bool) (core-asan/instdir/program/libsfxlo.so+0x27353f9) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #51 0x7f29669237ad in SfxBaseModel::storeToURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (core-asan/instdir/program/libsfxlo.so+0x27237ad) (BuildId: f20a99320ed1b1e19cb532dd5771162fe9df25d6) #52 0x7f296e59ea3d in desktop::DispatchWatcher::executeDispatchRequests(std::__debug::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool, desktop::DispatchRequestFlags*) (core-asan/instdir/program/libsofficeapp.so+0x39ea3d) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #53 0x7f296e5d9fae in desktop::RequestHandler::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&, bool) (core-asan/instdir/program/libsofficeapp.so+0x3d9fae) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #54 0x7f296e503193 in desktop::Desktop::OpenClients() (core-asan/instdir/program/libsofficeapp.so+0x303193) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #55 0x7f296e50005c in desktop::Desktop::OpenClients_Impl(void*) (core-asan/instdir/program/libsofficeapp.so+0x30005c) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #56 0x7f296e4ffc16 in desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) (core-asan/instdir/program/libsofficeapp.so+0x2ffc16) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #57 0x7f29552e3410 in Link<void*, void>::Call(void*) const (core-asan/instdir/program/libvcllo.so+0x42e3410) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #58 0x7f29552db964 in ImplHandleUserEvent(ImplSVEvent*) (core-asan/instdir/program/libvcllo.so+0x42db964) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #59 0x7f29552e0e3b in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (core-asan/instdir/program/libvcllo.so+0x42e0e3b) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #60 0x7f2956b44430 in SalFrame::CallCallback(SalEvent, void const*) const (core-asan/instdir/program/libvcllo.so+0x5b44430) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #61 0x7f2956b8d114 in SvpSalInstance::ProcessEvent(SalUserEventList::SalUserEvent) (core-asan/instdir/program/libvcllo.so+0x5b8d114) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #62 0x7f2955efea9f in SalUserEventList::DispatchUserEvents(bool)::{lambda()#1}::operator()() const (core-asan/instdir/program/libvcllo.so+0x4efea9f) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #63 0x7f2955eff104 in SalUserEventList::DispatchUserEvents(bool) (core-asan/instdir/program/libvcllo.so+0x4eff104) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #64 0x7f2956b8e540 in SvpSalInstance::ImplYield(bool, bool) (core-asan/instdir/program/libvcllo.so+0x5b8e540) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #65 0x7f2956b8edd2 in SvpSalInstance::DoYield(bool, bool) (core-asan/instdir/program/libvcllo.so+0x5b8edd2) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #66 0x7f2956096112 in ImplYield(bool, bool) (core-asan/instdir/program/libvcllo.so+0x5096112) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #67 0x7f2956097f83 in Application::Yield() (core-asan/instdir/program/libvcllo.so+0x5097f83) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #68 0x7f29560953b0 in Application::Execute() (core-asan/instdir/program/libvcllo.so+0x50953b0) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #69 0x7f296e4fc9e9 in desktop::Desktop::Main() (core-asan/instdir/program/libsofficeapp.so+0x2fc9e9) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #70 0x7f29560eb3c7 in ImplSVMain() (core-asan/instdir/program/libvcllo.so+0x50eb3c7) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #71 0x7f29560eb590 in SVMain() (core-asan/instdir/program/libvcllo.so+0x50eb590) (BuildId: 3cd155f3c9851c1c62b4d2b1959b9b1e4664c2fb) #72 0x7f296e5ee383 in soffice_main (core-asan/instdir/program/libsofficeapp.so+0x3ee383) (BuildId: 0d1c41096bed89bed335fa78947804c0924ce8ea) #73 0x000000201cc6 in sal_main (core-asan/instdir/program/soffice.bin+0x201cc6) (BuildId: 1edea05beb4bcc822dadbcc6f2b2a28fa5ad215b) #74 0x000000201cac in main (core-asan/instdir/program/soffice.bin+0x201cac) (BuildId: 1edea05beb4bcc822dadbcc6f2b2a28fa5ad215b) #75 0x7f296e011574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317) #76 0x7f296e011627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317) #77 0x000000201b64 in _start (core-asan/instdir/program/soffice.bin+0x201b64) (BuildId: 1edea05beb4bcc822dadbcc6f2b2a28fa5ad215b) 0x7c994604b938 is located 56 bytes inside of 696-byte region [0x7c994604b900,0x7c994604bbb8) freed by thread T0 here: #0 0x7f296eae899b in operator delete(void*, unsigned long) (/lib64/libasan.so.8+0xe899b) (BuildId: 0adabddcb77130fc2ea3840d060eb4e8a9ae0c85) #1 0x7b2929df5401 in std::__new_allocator<std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/15/bits/new_allocator.h:172 #2 0x7b2929df4edb in std::allocator<std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/15/bits/allocator.h:215 #3 0x7b2929df4edb in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/15/bits/alloc_traits.h:649 #4 0x7b2929df4edb in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/15/bits/allocated_ptr.h:74 #5 0x7b2929df5647 in std::_Sp_counted_ptr_inplace<SwParaPortion, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/15/bits/shared_ptr_base.h:625 #6 0x7b29283b09bd in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/15/bits/shared_ptr_base.h:346 #7 0x7b29283b4dd1 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/15/bits/shared_ptr_base.h:1069 #8 0x7b2929c05619 in std::__shared_ptr<SwParaPortion, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/15/bits/shared_ptr_base.h:1531 #9 0x7b2929df424e in std::__shared_ptr<SwParaPortion, (__gnu_cxx::_Lock_policy)2>::reset() /usr/include/c++/15/bits/shared_ptr_base.h:1649 #10 0x7b2929df3f4f in SwTextFrame::ClearPara() core-asan/sw/source/core/text/txtcache.cxx:41 #11 0x7b2929e2d129 in SwTextFrame::Init() core-asan/sw/source/core/text/txtfrm.cxx:754 #12 0x7b2929e45d75 in SwTextFrame::Prepare(PrepareHint, void const*, bool) core-asan/sw/source/core/text/txtfrm.cxx:3358 #13 0x7b29297e0987 in SwFlyInContentFrame::NotifyBackground(SwPageFrame*, SwRect const&, PrepareHint) core-asan/sw/source/core/layout/flyincnt.cxx:230 #14 0x7b2929805046 in Notify(SwFlyFrame*, SwPageFrame*, SwRect const&, SwRect const*) core-asan/sw/source/core/layout/frmtool.cxx:3301 #15 0x7b29297f0a5a in SwFlyNotify::ImplDestroy() core-asan/sw/source/core/layout/frmtool.cxx:696 #16 0x7b29297f1083 in SwFlyNotify::~SwFlyNotify() core-asan/sw/source/core/layout/frmtool.cxx:798 #17 0x7b29297e11f0 in SwFlyInContentFrame::MakeAll(OutputDevice*) core-asan/sw/source/core/layout/flyincnt.cxx:316 #18 0x7b29297578e2 in SwFrame::PrepareMake(OutputDevice*) core-asan/sw/source/core/layout/calcmove.cxx:396 #19 0x7b2929a082af in SwFrame::Calc(OutputDevice*) const core-asan/sw/source/core/layout/trvlfrm.cxx:1858 #20 0x7b29297bc028 in SwFlyFrame::Calc(OutputDevice*) const core-asan/sw/source/core/layout/fly.cxx:3436 #21 0x7b29297e09cf in SwFlyInContentFrame::GetRelPos() const core-asan/sw/source/core/layout/flyincnt.cxx:235 #22 0x7b2929cd7309 in SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const core-asan/sw/source/core/text/itrform2.cxx:3213 #23 0x7b2929e02267 in SwTextFormatter::NewExtraPortion(SwTextFormatInfo&) core-asan/sw/source/core/text/txtfld.cxx:285 #24 0x7b2929cccd9d in SwTextFormatter::NewPortion(SwTextFormatInfo&, std::optional<o3tl::strong_int<int, Tag_TextFrameIndex> >) core-asan/sw/source/core/text/itrform2.cxx:1886 #25 0x7b2929cbf0a3 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) core-asan/sw/source/core/text/itrform2.cxx:440 #26 0x7b2929ccec48 in SwTextFormatter::FormatLine(o3tl::strong_int<int, Tag_TextFrameIndex>) core-asan/sw/source/core/text/itrform2.cxx:2102 #27 0x7b2929c10fac in SwTextFrame::FormatLine(SwTextFormatter&, bool) core-asan/sw/source/core/text/frmform.cxx:1458 #28 0x7b2929c14223 in SwTextFrame::Format_(SwTextFormatter&, SwTextFormatInfo&, bool) core-asan/sw/source/core/text/frmform.cxx:1822 #29 0x7b2929e4755c in SwTestFormat::SwTestFormat(SwTextFrame*, SwFrame const*, long) core-asan/sw/source/core/text/txtfrm.cxx:3453 #30 0x7b2929e47e1d in SwTextFrame::TestFormat(SwFrame const*, long&, bool&) core-asan/sw/source/core/text/txtfrm.cxx:3483 #31 0x7b29297645a7 in SwContentFrame::WouldFit_(long, SwLayoutFrame*, bool, bool) core-asan/sw/source/core/layout/calcmove.cxx:2192 Change-Id: I291348ddbaaf0e9e8255e2fca5842dc2d2bfe733 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/196426 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Jenkins diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx index dd55a9213413..15984f1b4c0b 100644 --- a/sw/source/core/text/itrform2.cxx +++ b/sw/source/core/text/itrform2.cxx @@ -3208,9 +3208,13 @@ SwFlyCntPortion *SwTextFormatter::NewFlyCntPortion( SwTextFormatInfo &rInf, pFly->GetRefPoint().Y() ); if ( bUseFlyAscent ) - nAscent = std::abs( int( bTextFrameVertical ? + { + // Lock m_pFrame to avoid m_pCurr getting deleted + TextFrameLockGuard aGuard(m_pFrame); + nAscent = std::abs( int( bTextFrameVertical ? pFly->GetRelPos().X() : pFly->GetRelPos().Y() ) ); + } // Check if be prefer to use the ascent of the last portion: if ( IsQuick() || commit 19924e554284fed8993239c77597d641fd6bd934 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Jan 2 20:31:22 2026 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Sat Jan 3 12:03:00 2026 +0100 crashtesting: assert on loading docx converted from forum-mso-de-134677.doc #21 0x00007f64a908b9ca in SwDoc::GetTOXBaseAttrSet(SwTOXBase const&) (rTOXBase=...) at core/sw/source/core/doc/doctxm.cxx:496 #22 0x00007f64a95deabc in SwXDocumentIndex::getPropertyValue(rtl::OUString const&) (this=0x7f648c268590, rPropertyName="TextColumns") at core/sw/source/core/unocore/unoidx.cxx:1198 #23 0x00007f6498d3fb5d in writerfilter::dmapper::DomainMapper_Impl::handleIndex(tools::SvRef<writerfilter::dmapper::FieldContext> const&, rtl::OUString const&) (this=this@entry=0x7f648c00ede0, pContext=..., sTOCServiceName="com.sun.star.text.DocumentIndex") at core/sw/source/writerfilter/dmapper/DomainMapper_Impl.cxx:7833 Change-Id: I81e9eee18b7acd5d8eddeaf16c6c0800deec7300 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/196434 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]> diff --git a/sw/inc/doc.hxx b/sw/inc/doc.hxx index aaaccc335651..07cc168fad7f 100644 --- a/sw/inc/doc.hxx +++ b/sw/inc/doc.hxx @@ -957,7 +957,7 @@ public: const SwTOXBase& rTOX, const SfxItemSet* pSet ); SW_DLLPUBLIC static SwTOXBase* GetCurTOX( const SwPosition& rPos ); - static const SwAttrSet& GetTOXBaseAttrSet(const SwTOXBase& rTOX); + static const SwAttrSet* GetTOXBaseAttrSet(const SwTOXBase& rTOX); bool DeleteTOX( const SwTOXBase& rTOXBase, bool bDelNodes ); OUString GetUniqueTOXBaseName( const SwTOXType& rType, diff --git a/sw/source/core/doc/doctxm.cxx b/sw/source/core/doc/doctxm.cxx index 1c050d30f2ea..ee99815fa7ac 100644 --- a/sw/source/core/doc/doctxm.cxx +++ b/sw/source/core/doc/doctxm.cxx @@ -491,13 +491,17 @@ SwTOXBase* SwDoc::GetCurTOX( const SwPosition& rPos ) return nullptr; } -const SwAttrSet& SwDoc::GetTOXBaseAttrSet(const SwTOXBase& rTOXBase) +const SwAttrSet* SwDoc::GetTOXBaseAttrSet(const SwTOXBase& rTOXBase) { - assert( dynamic_cast<const SwTOXBaseSection*>( &rTOXBase) && "no TOXBaseSection!" ); - const SwTOXBaseSection& rTOXSect = static_cast<const SwTOXBaseSection&>(rTOXBase); - SwSectionFormat const * pFormat = rTOXSect.GetFormat(); + const SwTOXBaseSection* pTOXSect = dynamic_cast<const SwTOXBaseSection*>(&rTOXBase); + if (!pTOXSect) + { + SAL_WARN("sw", "TOXBase is not a SwTOXBaseSection"); + return nullptr; + } + SwSectionFormat const * pFormat = pTOXSect->GetFormat(); assert(pFormat && "invalid TOXBaseSection!"); - return pFormat->GetAttrSet(); + return &pFormat->GetAttrSet(); } const SwTOXBase* SwDoc::GetDefaultTOXBase( TOXTypes eTyp, bool bCreate ) diff --git a/sw/source/core/unocore/unoidx.cxx b/sw/source/core/unocore/unoidx.cxx index 07b58d2030f7..7e83ece1f61c 100644 --- a/sw/source/core/unocore/unoidx.cxx +++ b/sw/source/core/unocore/unoidx.cxx @@ -828,9 +828,9 @@ SwXDocumentIndex::setPropertyValue( //this is for items only if (WID_PRIMARY_KEY > pEntry->nWID) { - const SwAttrSet& rSet = + const SwAttrSet* pSet = SwDoc::GetTOXBaseAttrSet(rTOXBase); - SfxItemSet aAttrSet(rSet); + SfxItemSet aAttrSet(*pSet); m_pImpl->m_rPropSet.setPropertyValue( rPropertyName, rValue, aAttrSet); @@ -1195,10 +1195,11 @@ SwXDocumentIndex::getPropertyValue(const OUString& rPropertyName) //this is for items only if(WID_PRIMARY_KEY > pEntry->nWID) { - const SwAttrSet& rSet = - SwDoc::GetTOXBaseAttrSet(*pTOXBase); - aRet = m_pImpl->m_rPropSet.getPropertyValue( - rPropertyName, rSet); + if (const SwAttrSet* pSet = SwDoc::GetTOXBaseAttrSet(*pTOXBase)) + { + aRet = m_pImpl->m_rPropSet.getPropertyValue( + rPropertyName, *pSet); + } } } }
