chart2/source/controller/dialogs/TitleDialogData.cxx | 3 + chart2/source/controller/main/ChartController.cxx | 5 + chart2/source/controller/main/ChartController_Insert.cxx | 7 +- chart2/source/tools/ControllerLockGuard.cxx | 6 +- chart2/source/tools/TitleHelper.cxx | 4 + cui/source/dialogs/hlmarkwn.cxx | 5 + instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt | 2 instsetoo_native/inc_openoffice/windows/msi_templates/DrLocato.idt | 2 instsetoo_native/inc_openoffice/windows/msi_templates/Signatur.idt | 2 sc/source/ui/inc/SparklineRenderer.hxx | 19 +++++-- sc/source/ui/view/formatsh.cxx | 8 ++- scp2/source/ooo/vc_redist.scp | 6 +- sd/source/ui/sidebar/MasterPagesSelector.cxx | 3 - svx/source/dialog/cuicharmap.cxx | 12 +--- sw/source/core/layout/findfrm.cxx | 5 + sw/source/core/txtnode/fntcache.cxx | 8 +-- sw/source/core/txtnode/justify.cxx | 3 + sw/source/uibase/uno/unotxdoc.cxx | 26 ++++++++++ sw/source/writerfilter/dmapper/PropertyMap.cxx | 8 +-- 19 files changed, 101 insertions(+), 33 deletions(-)
New commits: commit c1e509479b5e094fe9e5f4a8d2ce91b6d404271a Author: Andras Timar <[email protected]> AuthorDate: Tue Mar 3 11:16:28 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:40:50 2026 +0100 MSI: check VC++ runtime file version before installing merge modules Replace the registry-based VC runtime detection with a proper file version check using the MSI Signature + DrLocator tables. This looks for msvcp140.dll with MinVersion 14.29.30133.0 (VS2019 Update 11+) in both System64Folder (x64) and SystemFolder/SysWOW64 (x86), so each merge module is only installed when a sufficiently recent runtime is not already present on the system. The x86 merge module is needed because the x64 MSI ships 32-bit shell extension DLLs (shlxthdl.dll, ooofilt.dll, propertyhdl.dll). Change-Id: I844d0d4afac5bf46b40a5de6649e80128dce9a86 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200829 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Mike Kaganski <[email protected]> diff --git a/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt b/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt index 83f9b5da61c3..531bb2195482 100644 --- a/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt +++ b/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt @@ -2,4 +2,5 @@ Property Signature_ s72 s72 AppSearch Property Signature_ WINMAJORVER WinMajorVer -VCRUNTIMEINSTALLED VCRuntimex64 +VCRUNTIMEINSTALLED vcrt140x64 +VCRTX86INSTALLED vcrt140x86 diff --git a/instsetoo_native/inc_openoffice/windows/msi_templates/DrLocato.idt b/instsetoo_native/inc_openoffice/windows/msi_templates/DrLocato.idt index dfdbe78c60ec..ca5a04b08ae1 100644 --- a/instsetoo_native/inc_openoffice/windows/msi_templates/DrLocato.idt +++ b/instsetoo_native/inc_openoffice/windows/msi_templates/DrLocato.idt @@ -1,3 +1,5 @@ Signature_ Parent Path Depth s72 S72 S255 I2 DrLocator Signature_ Parent Path +vcrt140x64 [System64Folder] +vcrt140x86 [SystemFolder] diff --git a/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt b/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt index 0fff53ba1e81..59aed91a014d 100644 --- a/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt +++ b/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt @@ -2,4 +2,3 @@ Signature_ Root Key Name Type s72 i2 s255 S255 I2 RegLocator Signature_ WinMajorVer 2 Software\Microsoft\Windows NT\CurrentVersion CurrentMajorVersionNumber 2 -VCRuntimex64 2 SOFTWARE\Microsoft\VisualStudio .0\VC\Runtimes\x64 Installed 2 diff --git a/instsetoo_native/inc_openoffice/windows/msi_templates/Signatur.idt b/instsetoo_native/inc_openoffice/windows/msi_templates/Signatur.idt index 5004a55863ba..ccb59304b8e3 100644 --- a/instsetoo_native/inc_openoffice/windows/msi_templates/Signatur.idt +++ b/instsetoo_native/inc_openoffice/windows/msi_templates/Signatur.idt @@ -1,3 +1,5 @@ Signature FileName MinVersion MaxVersion MinSize MaxSize MinDate MaxDate Languages s72 s255 S20 S20 I4 I4 I4 I4 S255 Signature Signature +vcrt140x64 msvcp140.dll 14.29.30133.0 +vcrt140x86 msvcp140.dll 14.29.30133.0 diff --git a/scp2/source/ooo/vc_redist.scp b/scp2/source/ooo/vc_redist.scp index ae2dde477ffb..b8bd5c800982 100644 --- a/scp2/source/ooo/vc_redist.scp +++ b/scp2/source/ooo/vc_redist.scp @@ -53,14 +53,14 @@ MergeModule WINDOWS_X86_MERGEMODULE Feature = gm_Root; Name = WINDOWS_X86_MERGEMODULE_FILE; RootDir = "TARGETDIR"; - ComponentCondition = "VC_REDIST=1"; + ComponentCondition = "VC_REDIST=1 AND NOT VCRTX86INSTALLED"; Attributes_Add = "0x10"; End #endif /* merge modules file for x64 contains the arm64 ones */ -#if (defined(WINDOWS_X64) || defined(WINDOWS_AARCH64)) && defined(WINDOWS_X64_MERGEMODULE) +#if defined(WINDOWS_X64_MERGEMODULE) /* Attributes: msidbComponentAttributesPermanent = 0x10 */ MergeModule WINDOWS_X64_MERGEMODULE commit dabebb77b6029f21428f25a7f5a85a05cee71984 Author: Andras Timar <[email protected]> AuthorDate: Sun Mar 1 18:04:18 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:34:55 2026 +0100 Fix SIGFPE in sparkline rendering with degenerate data When all sparkline values are equal (nMax == nMin), nDelta is 0 and the divisions (nValue - nMin) / nDelta produce Inf/NaN coordinates. Similarly, a line sparkline with only 1 data point divides by numberOfSteps = 0. These garbage coordinates propagate into VCL drawing functions where internal integer coordinate arithmetic triggers SIGFPE (FPE_INTDIV). Return early from drawLine() and drawColumn() when the data is degenerate (nDelta == 0, or too few values for a line chart). Change-Id: I69afedb117ea804749210ff46baaa9564513142a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200723 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> diff --git a/sc/source/ui/inc/SparklineRenderer.hxx b/sc/source/ui/inc/SparklineRenderer.hxx index 9ce70719e4b1..c3064e598a88 100644 --- a/sc/source/ui/inc/SparklineRenderer.hxx +++ b/sc/source/ui/inc/SparklineRenderer.hxx @@ -267,11 +267,17 @@ private: nMin = *rAttributes.getManualMin(); std::vector<SparklineValue> const& rValueList = rSparklineValues.getValuesList(); + if (rValueList.size() <= 1) + return; + + double nDelta = nMax - nMin; + if (nDelta == 0) + return; + std::vector<basegfx::B2DPolygon> aPolygons; aPolygons.emplace_back(); double numberOfSteps = rValueList.size() - 1; double xStep = 0; - double nDelta = nMax - nMin; std::vector<SparklineMarker> aMarkers; size_t nValueIndex = 0; @@ -413,6 +419,12 @@ private: nMin = *rAttributes.getManualMin(); std::vector<SparklineValue> const& rValueList = rSparklineValues.getValuesList(); + if (rValueList.empty()) + return; + + double nDelta = nMax - nMin; + if (nDelta == 0) + return; basegfx::B2DPolygon aPolygon; basegfx::B2DHomMatrix aMatrix; @@ -420,7 +432,6 @@ private: double xStep = 0; double numberOfSteps = rValueList.size(); - double nDelta = nMax - nMin; double nColumnSize = rRectangle.GetWidth() / numberOfSteps; nColumnSize = nColumnSize - (nColumnSize * 0.3); commit 6139998b2a05d82da7b4334e6d1a94ceafdd885c Author: Andras Timar <[email protected]> AuthorDate: Sun Mar 1 18:05:59 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:34:49 2026 +0100 Fix typo: numebrOfSteps -> numberOfSteps in SparklineRenderer Change-Id: I0c75464e5b802f6192b87eae457faf859104e0a1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200724 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/sc/source/ui/inc/SparklineRenderer.hxx b/sc/source/ui/inc/SparklineRenderer.hxx index 8fb5f64d214b..9ce70719e4b1 100644 --- a/sc/source/ui/inc/SparklineRenderer.hxx +++ b/sc/source/ui/inc/SparklineRenderer.hxx @@ -269,7 +269,7 @@ private: std::vector<SparklineValue> const& rValueList = rSparklineValues.getValuesList(); std::vector<basegfx::B2DPolygon> aPolygons; aPolygons.emplace_back(); - double numebrOfSteps = rValueList.size() - 1; + double numberOfSteps = rValueList.size() - 1; double xStep = 0; double nDelta = nMax - nMin; @@ -288,7 +288,7 @@ private: double nValue = rSparklineValue.maValue; double nP = (nValue - nMin) / nDelta; - double x = rRectangle.GetWidth() * (xStep / numebrOfSteps); + double x = rRectangle.GetWidth() * (xStep / numberOfSteps); double y = rRectangle.GetHeight() - rRectangle.GetHeight() * nP; aPolygon.append({ x, y }); commit 096dc9988d999ad57cd9ab124fe22a5ea116c56a Author: Andras Timar <[email protected]> AuthorDate: Mon Mar 2 10:47:16 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:34:43 2026 +0100 Fix SIGSEGV in SwXTextDocument LOKit methods with null m_pDocShell When document load fails, m_pDocShell is null and LOKit methods like getParts() called from documentStatus crash dereferencing it. Add null checks to getParts() and other LOKit methods missing them, matching the pattern of existing fixes in setClipboard(), getViewRenderState(), initializeForTiledRendering() and getPostIts(). Change-Id: I4e38928ff171435d80623190696c76f9fc455c80 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200785 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/sw/source/uibase/uno/unotxdoc.cxx b/sw/source/uibase/uno/unotxdoc.cxx index 40eb82c01f10..b3dd272ac0fc 100644 --- a/sw/source/uibase/uno/unotxdoc.cxx +++ b/sw/source/uibase/uno/unotxdoc.cxx @@ -3395,6 +3395,9 @@ void SwXTextDocument::paintTile( VirtualDevice &rDevice, Size SwXTextDocument::getDocumentSize() { + if (!m_pDocShell) + return Size(); + SwViewShell* pViewShell = m_pDocShell->GetWrtShell(); if (!pViewShell) { @@ -3411,6 +3414,9 @@ void SwXTextDocument::setPart(int nPart, bool /*bAllowChangeFocus*/) { SolarMutexGuard aGuard; + if (!m_pDocShell) + return; + SwWrtShell* pWrtShell = m_pDocShell->GetWrtShell(); if (!pWrtShell) return; @@ -3422,6 +3428,9 @@ int SwXTextDocument::getParts() { SolarMutexGuard aGuard; + if (!m_pDocShell) + return 0; + SwWrtShell* pWrtShell = m_pDocShell->GetWrtShell(); if (!pWrtShell) return 0; @@ -3433,6 +3442,9 @@ OUString SwXTextDocument::getPartPageRectangles() { SolarMutexGuard aGuard; + if (!m_pDocShell) + return OUString(); + SwWrtShell* pWrtShell = m_pDocShell->GetWrtShell(); if (!pWrtShell) return OUString(); @@ -3459,6 +3471,9 @@ bool SwXTextDocument::isMimeTypeSupported() { SolarMutexGuard aGuard; + if (!m_pDocShell) + return false; + SwWrtShell* pWrtShell = m_pDocShell->GetWrtShell(); if (!pWrtShell) return false; @@ -3476,6 +3491,9 @@ bool SwXTextDocument::isMimeTypeSupported() void SwXTextDocument::setClientVisibleArea(const tools::Rectangle& rRectangle) { + if (!m_pDocShell) + return; + if (SwView* pView = m_pDocShell->GetView()) { // set the PgUp/PgDown offset @@ -3518,6 +3536,9 @@ PointerStyle SwXTextDocument::getPointer() { SolarMutexGuard aGuard; + if (!m_pDocShell) + return PointerStyle::Arrow; + SwWrtShell* pWrtShell = m_pDocShell->GetWrtShell(); if (!pWrtShell) return PointerStyle::Arrow; @@ -3851,6 +3872,9 @@ int SwXTextDocument::getPart() { SolarMutexGuard aGuard; + if (!m_pDocShell) + return 0; + SwView* pView = m_pDocShell->GetView(); if (!pView) return 0; @@ -3873,6 +3897,8 @@ OUString SwXTextDocument::getPartHash(int nPart) VclPtr<vcl::Window> SwXTextDocument::getDocWindow() { SolarMutexGuard aGuard; + if (!m_pDocShell) + return {}; SwView* pView = m_pDocShell->GetView(); if (!pView) return {}; commit f2e5dc7a65e2f76e079ea23a23feb5daace779ac Author: Andras Timar <[email protected]> AuthorDate: Mon Mar 2 10:21:59 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:34:35 2026 +0100 Fix SIGSEGV in chart InsertTitles async callback with null model When the chart model is detached while the InsertTitles dialog is open (e.g. during LOKit collaborative editing), the async callback calls getChartModel() which returns null. This null model is passed through writeDifferenceToModel into TitleHelper::createTitle, which dereferences it at xModel->getFirstChartDiagram() causing a SIGSEGV. Add null model check in the async callback, and defensive null checks in TitleDialogData::readFromModel and TitleHelper::createTitle. Change-Id: Ic5ed4d3392da4b38385e1c37e971b2e1844a40fe Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200778 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> diff --git a/chart2/source/controller/dialogs/TitleDialogData.cxx b/chart2/source/controller/dialogs/TitleDialogData.cxx index 75d59bbb43b4..8d1792fb4bc1 100644 --- a/chart2/source/controller/dialogs/TitleDialogData.cxx +++ b/chart2/source/controller/dialogs/TitleDialogData.cxx @@ -39,6 +39,9 @@ TitleDialogData::TitleDialogData( std::optional<ReferenceSizeProvider> pRefSizeP void TitleDialogData::readFromModel( const rtl::Reference<::chart::ChartModel>& xChartModel ) { + if (!xChartModel) + return; + rtl::Reference< Diagram > xDiagram = xChartModel->getFirstChartDiagram(); //get possibilities diff --git a/chart2/source/controller/main/ChartController_Insert.cxx b/chart2/source/controller/main/ChartController_Insert.cxx index aeff083b0253..58f72da08894 100644 --- a/chart2/source/controller/main/ChartController_Insert.cxx +++ b/chart2/source/controller/main/ChartController_Insert.cxx @@ -291,11 +291,14 @@ void ChartController::executeDispatch_InsertTitles() xUndoGuard=std::move(xUndoGuard)](int nResult){ if ( nResult == RET_OK ) { + rtl::Reference<ChartModel> xModel = getChartModel(); + if (!xModel) + return; // lock controllers till end of block - ControllerLockGuardUNO aCLGuard( getChartModel() ); + ControllerLockGuardUNO aCLGuard( xModel ); TitleDialogData aDialogOutput( impl_createReferenceSizeProvider() ); aDlg->getResult( aDialogOutput ); - bool bChanged = aDialogOutput.writeDifferenceToModel( getChartModel(), m_xCC, xDialogInput.get() ); + bool bChanged = aDialogOutput.writeDifferenceToModel( xModel, m_xCC, xDialogInput.get() ); if( bChanged ) xUndoGuard->commit(); } diff --git a/chart2/source/tools/TitleHelper.cxx b/chart2/source/tools/TitleHelper.cxx index 4a2bfa4f0315..68598374611d 100644 --- a/chart2/source/tools/TitleHelper.cxx +++ b/chart2/source/tools/TitleHelper.cxx @@ -206,6 +206,8 @@ rtl::Reference< Title > TitleHelper::createTitle( if( !xTitled.is() ) { + if( !xModel ) + return xTitle; rtl::Reference< Diagram > xDiagram( xModel->getFirstChartDiagram() ); rtl::Reference< Axis > xAxis; switch( eTitleType ) @@ -272,7 +274,7 @@ rtl::Reference< Title > TitleHelper::createTitle( try { bool bDummy = false; - bool bIsVertical = xDiagram->getVertical( bDummy, bDummy ); + bool bIsVertical = xDiagram && xDiagram->getVertical( bDummy, bDummy ); if( (!bIsVertical && eTitleType == TitleHelper::Y_AXIS_TITLE) || (bIsVertical && eTitleType == TitleHelper::X_AXIS_TITLE) commit df43c196b07648d66c7adef15be4de0a150cc694 Author: Andras Timar <[email protected]> AuthorDate: Mon Mar 2 14:31:24 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:34:11 2026 +0100 MSI: skip VC++ runtime merge module if already installed Use AppSearch/RegLocator to check for the VC++ 14.x runtime at HKLM\SOFTWARE\Microsoft\VisualStudio .0\VC\Runtimes\x64. If the Installed value is present, skip the x64 merge module to avoid msvcp140.dll file-in-use conflicts during silent installation. Change-Id: I9fca6be86f56406527f7f1b2f2725a3c52492875 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200828 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Mike Kaganski <[email protected]> diff --git a/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt b/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt index 569132a50bae..83f9b5da61c3 100644 --- a/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt +++ b/instsetoo_native/inc_openoffice/windows/msi_templates/AppSearc.idt @@ -2,3 +2,4 @@ Property Signature_ s72 s72 AppSearch Property Signature_ WINMAJORVER WinMajorVer +VCRUNTIMEINSTALLED VCRuntimex64 diff --git a/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt b/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt index 59aed91a014d..0fff53ba1e81 100644 --- a/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt +++ b/instsetoo_native/inc_openoffice/windows/msi_templates/RegLocat.idt @@ -2,3 +2,4 @@ Signature_ Root Key Name Type s72 i2 s255 S255 I2 RegLocator Signature_ WinMajorVer 2 Software\Microsoft\Windows NT\CurrentVersion CurrentMajorVersionNumber 2 +VCRuntimex64 2 SOFTWARE\Microsoft\VisualStudio .0\VC\Runtimes\x64 Installed 2 diff --git a/scp2/source/ooo/vc_redist.scp b/scp2/source/ooo/vc_redist.scp index 64f72761ecd1..ae2dde477ffb 100644 --- a/scp2/source/ooo/vc_redist.scp +++ b/scp2/source/ooo/vc_redist.scp @@ -67,7 +67,7 @@ MergeModule WINDOWS_X64_MERGEMODULE Feature = gm_Root; Name = WINDOWS_X64_MERGEMODULE_FILE; RootDir = "TARGETDIR"; - ComponentCondition = "VC_REDIST=1"; + ComponentCondition = "VC_REDIST=1 AND NOT VCRUNTIMEINSTALLED"; Attributes_Add = "0x10"; End commit ee7380c9552169df1ae90db06040d07070d12c76 Author: Andras Timar <[email protected]> AuthorDate: Mon Mar 2 10:12:45 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:59 2026 +0100 Fix SIGSEGV in sw::Justify::SpaceDistribution with invalid text index When rInf.GetIdx() exceeds the text length (a layout bug), DrawText only fired a debug assert but continued in release builds with nCnt not reduced, causing SpaceDistribution to access aText[nStt] past the end of the string. Return early from DrawText on this invalid state, and add a defensive nLen <= 0 guard in SpaceDistribution itself. Change-Id: I195ad79929d096e2c71f351c357a81bfad673b87 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200774 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> diff --git a/sw/source/core/txtnode/fntcache.cxx b/sw/source/core/txtnode/fntcache.cxx index fcbce1563c9a..cd27447a00ed 100644 --- a/sw/source/core/txtnode/fntcache.cxx +++ b/sw/source/core/txtnode/fntcache.cxx @@ -1528,9 +1528,11 @@ void SwFntObj::DrawText( SwDrawTextInfo &rInf ) TextFrameIndex nCnt(rInf.GetText().getLength()); if ( nCnt < rInf.GetIdx() ) - assert(false); // layout bug, not handled below - else - nCnt = nCnt - rInf.GetIdx(); + { + assert(false); // layout bug + return; + } + nCnt = nCnt - rInf.GetIdx(); nCnt = std::min(nCnt, rInf.GetLen()); sal_Unicode cChPrev = rInf.GetText()[sal_Int32(rInf.GetIdx())]; diff --git a/sw/source/core/txtnode/justify.cxx b/sw/source/core/txtnode/justify.cxx index 3c9b41e74b70..18441368d607 100644 --- a/sw/source/core/txtnode/justify.cxx +++ b/sw/source/core/txtnode/justify.cxx @@ -101,6 +101,9 @@ sal_Int32 GetModelPosition(const KernArray& rKernArray, sal_Int32 nLen, tools::L void SpaceDistribution(KernArray& rKernArray, std::u16string_view aText, sal_Int32 nStt, sal_Int32 nLen, tools::Long nSpaceAdd, tools::Long nKern, bool bNoHalfSpace) { + if (nLen <= 0) + return; + assert(nStt + nLen <= sal_Int32(aText.size())); assert(nLen <= sal_Int32(rKernArray.size())); // nSpaceSum contains the sum of the intermediate space distributed commit 5322a8522224ef4432754e9004ed64257794883a Author: Andras Timar <[email protected]> AuthorDate: Sun Mar 1 18:15:50 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:51 2026 +0100 Fix SIGSEGV in ChartController::getFirstDiagram with null model getFirstDiagram() unconditionally dereferences getChartModel() without checking for null. In a multi-view LOKit scenario, the chart model can be detached while an async dialog (e.g. InsertRemoveAxes) is open. When the dialog callback fires, getChartModel() returns null and the subsequent ->getFirstChartDiagram() dereferences it, crashing at offset 0x280. Add a null check for the model before dereferencing. Change-Id: Iabd7efd1d752c28cdcc9182669797b863a7a5306 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200726 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/chart2/source/controller/main/ChartController.cxx b/chart2/source/controller/main/ChartController.cxx index aba6abaeb824..857b4c8ea996 100644 --- a/chart2/source/controller/main/ChartController.cxx +++ b/chart2/source/controller/main/ChartController.cxx @@ -631,7 +631,10 @@ rtl::Reference<::chart::ChartModel> ChartController::getChartModel() rtl::Reference<::chart::Diagram> ChartController::getFirstDiagram() { - return getChartModel()->getFirstChartDiagram(); + rtl::Reference<::chart::ChartModel> xModel = getChartModel(); + if (!xModel) + return nullptr; + return xModel->getFirstChartDiagram(); } uno::Any SAL_CALL ChartController::getViewData() commit 9f5da6d518d28c7e72eeffd990f9e4b36f536777 Author: Andras Timar <[email protected]> AuthorDate: Sun Mar 1 18:10:56 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:45 2026 +0100 Fix SIGABRT in SvxCharacterMap idle handler after dialog destruction The destructor only cancelled pending idle rendering events (m_nShowRenderIdleEvent, m_nSearchRenderIdleEvent) in non-LOKit mode, but scheduleShowSetBackgroundRendering() posts them unconditionally. In LOKit mode, closing the InsertSymbol dialog left dangling idle events that fired on a destroyed object, causing a pure virtual call and std::terminate. Cancel the idle events unconditionally in the destructor. Change-Id: Ia2f1a0fbee6bdd6cab8f710fdb287727b4caa074 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200725 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/svx/source/dialog/cuicharmap.cxx b/svx/source/dialog/cuicharmap.cxx index 606a02a667a2..0e3604bcc69f 100644 --- a/svx/source/dialog/cuicharmap.cxx +++ b/svx/source/dialog/cuicharmap.cxx @@ -1201,14 +1201,10 @@ void SvxCharacterMap::selectCharByCode(Radix radix) SvxCharacterMap::~SvxCharacterMap() { - if (!comphelper::LibreOfficeKit::isActive()) - { - if (m_nShowRenderIdleEvent) - Application::RemoveUserEvent(m_nShowRenderIdleEvent); - if (m_nSearchRenderIdleEvent) - Application::RemoveUserEvent(m_nSearchRenderIdleEvent); - } - + if (m_nShowRenderIdleEvent) + Application::RemoveUserEvent(m_nShowRenderIdleEvent); + if (m_nSearchRenderIdleEvent) + Application::RemoveUserEvent(m_nSearchRenderIdleEvent); } IMPL_LINK_NOARG(SvxCharacterMap, DecimalCodeChangeHdl, weld::Entry&, void) commit e6bd80b231f2e6e7694a2ef5e3c107fe543b95fb Author: Andras Timar <[email protected]> AuthorDate: Sun Mar 1 17:54:27 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:38 2026 +0100 Fix SIGSEGV in lcl_FindCorrespondingCellFrame with mismatched cell counts When a table splits across pages, lcl_FindCorrespondingCellFrame walks the cells of the original row and the corresponding row in lockstep. If the corresponding row has fewer cells (e.g. during partially constructed layout at document load), pCorrCell becomes null while pCell is still iterating, and pCorrCell->GetNext() dereferences null (SIGSEGV at address 0xb8, the offset of mpNext in SwFrame). Add a null guard for pCorrCell in the loop and bail out early if either pointer is null after the loop. Change-Id: Idcd64bbb0aeef8de0dcf3957c120ca13d81d6792 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200722 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/sw/source/core/layout/findfrm.cxx b/sw/source/core/layout/findfrm.cxx index 0092b74542a4..5141c3b66516 100644 --- a/sw/source/core/layout/findfrm.cxx +++ b/sw/source/core/layout/findfrm.cxx @@ -1725,11 +1725,14 @@ static SwCellFrame* lcl_FindCorrespondingCellFrame( const SwRowFrame& rOrigRow, while ( pCell != &rOrigCell && !pCell->IsAnLower( &rOrigCell ) ) { pCell = static_cast<const SwCellFrame*>(pCell->GetNext()); - pCorrCell = static_cast<SwCellFrame*>(pCorrCell->GetNext()); + pCorrCell = static_cast<SwCellFrame*>(pCorrCell ? pCorrCell->GetNext() : nullptr); } assert(pCell && pCorrCell && "lcl_FindCorrespondingCellFrame does not work"); + if ( !pCell || !pCorrCell ) + return nullptr; + if ( pCell != &rOrigCell ) { // rOrigCell must be a lower of pCell. We need to recurse into the rows: commit e819e77fe79e8eb48bb3e977fadaffa9e99786f2 Author: Andras Timar <[email protected]> AuthorDate: Tue Feb 24 23:14:01 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:25 2026 +0100 chart2: fix crash in ControllerLockGuardUNO with null ChartModel Many callers pass the result of Chart2ModelContact::getDocumentModel() which resolves a WeakReference<ChartModel> and can return null if the model has been destroyed. Add null checks matching the existing pattern in ControllerLockHelper::lockControllers/unlockControllers. The crash was caused by a race condition where the ChartModel weak reference (held in Chart2ModelContact) had expired by the time the chart wrapper code tried to lock controllers during a Copy operation. The fix gracefully handles the null case instead of dereferencing a null pointer. Change-Id: I43294de12b84cefb062ada12e8a570ad3b7ea571 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200268 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/chart2/source/tools/ControllerLockGuard.cxx b/chart2/source/tools/ControllerLockGuard.cxx index 5373d44f4090..c1fcffd49eaf 100644 --- a/chart2/source/tools/ControllerLockGuard.cxx +++ b/chart2/source/tools/ControllerLockGuard.cxx @@ -27,12 +27,14 @@ namespace chart ControllerLockGuardUNO::ControllerLockGuardUNO( rtl::Reference<::chart::ChartModel> xModel ) : mxModel(std::move( xModel )) { - mxModel->lockControllers(); + if( mxModel.is()) + mxModel->lockControllers(); } ControllerLockGuardUNO::~ControllerLockGuardUNO() { - mxModel->unlockControllers(); + if( mxModel.is()) + mxModel->unlockControllers(); } ControllerLockGuard::ControllerLockGuard( ChartModel& rModel ) : commit 5c2faf4a5df03ef6b421f0d603c8fa615182aa76 Author: Andras Timar <[email protected]> AuthorDate: Mon Feb 23 18:47:10 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:15 2026 +0100 cui: fix crash in Hyperlink dialog mark tree with unexpected outline levels The while loop in FillTree could pop all entries from the stack, including the sentinel, if a heading had an outline level <= -1. Subsequent top() calls on the empty stack triggered a SIGABRT. Keep the sentinel entry by checking stack size before popping. Change-Id: I647b0de4d39dea4cdad44cc844db4a0788ab91db Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200079 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Moritz Duge <[email protected]> diff --git a/cui/source/dialogs/hlmarkwn.cxx b/cui/source/dialogs/hlmarkwn.cxx index f35be2db2aea..ebb50ac4dd89 100644 --- a/cui/source/dialogs/hlmarkwn.cxx +++ b/cui/source/dialogs/hlmarkwn.cxx @@ -361,8 +361,9 @@ int SvxHlinkDlgMarkWnd::FillTree( const uno::Reference< container::XNameAccess > sal_Int32 nOutlineLevel = *o3tl::doAccess<sal_Int32>(aAny); // pop until the top of stack entry has an outline level less than - // the to be inserted heading outline level - while (nOutlineLevel <= aHeadingsParentEntryStack.top().second) + // the to be inserted heading outline level, but keep the sentinel + while (aHeadingsParentEntryStack.size() > 1 + && nOutlineLevel <= aHeadingsParentEntryStack.top().second) aHeadingsParentEntryStack.pop(); mxLbTree->insert(aHeadingsParentEntryStack.top().first.get(), -1, commit 215b17a664d56fb93e08eafd45a98e60c40d3c52 Author: Andras Timar <[email protected]> AuthorDate: Sat Feb 21 16:37:17 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:33:06 2026 +0100 fix SIGSEGV in MasterPagesSelector on CHILD_REMOVED event GetIndexForToken() returns -1 when the token is not found in the index map (e.g. during document load when the sidebar hasn't been fully populated yet). The CHILD_REMOVED case was passing this unchecked -1 to SetItem(), where it got implicitly converted to sal_uInt16 (65535), causing remove() on a non-existent entry and a null pointer dereference in SvTreeList::Remove(). Add the missing bounds check, matching the pattern already used in the PREVIEW_CHANGED case. Change-Id: Ice85a6b0df6cd1d6f9603c8f81376c1bddc246f6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/199946 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/sd/source/ui/sidebar/MasterPagesSelector.cxx b/sd/source/ui/sidebar/MasterPagesSelector.cxx index e1ceec5ab1c5..80829e597a8f 100644 --- a/sd/source/ui/sidebar/MasterPagesSelector.cxx +++ b/sd/source/ui/sidebar/MasterPagesSelector.cxx @@ -377,7 +377,8 @@ void MasterPagesSelector::NotifyContainerChangeEvent (const MasterPageContainerC case MasterPageContainerChangeEvent::EventType::CHILD_REMOVED: { int nIndex (GetIndexForToken(rEvent.maChildToken)); - SetItem(nIndex, MasterPageContainer::NIL_TOKEN); + if (nIndex >= 0) + SetItem(nIndex, MasterPageContainer::NIL_TOKEN); break; } commit e5187a6ba97755a1bab4ff7113fb3a74716c24fa Author: Andras Timar <[email protected]> AuthorDate: Mon Feb 23 08:20:03 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:32:55 2026 +0100 use HasItem for SID_FRAME_LINESTYLE to avoid crash SfxItemSet::Get(SID_FRAME_LINESTYLE) crashes when the SvxLineItem is not in the argument set AND SID_FRAME_LINESTYLE (10201) is not in any Calc pool's Which ID range - getTargetPool() returns nullptr in GetUserOrPoolDefaultItem(), causing a null pointer dereference. This can happen when LOKit dispatches .uno:LineStyle with arguments in a format that TransformParameters cannot convert to SvxLineItem (e.g. simple integer values instead of BorderLine2 struct), so the item is never put into the set. Use HasItem() to safely check for the item's presence, and also guard the FN_PARAM branch against null pLine. Change-Id: Iad2421ec63c93f0a4223b6f573d3c1d8e9ec3863 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200008 Reviewed-by: Andras Timar <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> diff --git a/sc/source/ui/view/formatsh.cxx b/sc/source/ui/view/formatsh.cxx index a7f21b68b548..a2cdd771410f 100644 --- a/sc/source/ui/view/formatsh.cxx +++ b/sc/source/ui/view/formatsh.cxx @@ -1092,10 +1092,14 @@ void ScFormatShell::ExecuteAttr( SfxRequest& rReq ) { // Update default line ::editeng::SvxBorderLine aLine; - const ::editeng::SvxBorderLine* pLine = pNewAttrs->Get(SID_FRAME_LINESTYLE).GetLine(); + const ::editeng::SvxBorderLine* pLine = nullptr; + const SfxPoolItem* pLineStyleItem = nullptr; + if (pNewAttrs->HasItem(SID_FRAME_LINESTYLE, &pLineStyleItem)) + pLine = static_cast<const SvxLineItem*>(pLineStyleItem)->GetLine(); const SfxPoolItem *pItem1, *pItem2, *pItem3; - if (pNewAttrs->HasItem(FN_PARAM_1, &pItem1) && + if (pLine && + pNewAttrs->HasItem(FN_PARAM_1, &pItem1) && pNewAttrs->HasItem(FN_PARAM_2, &pItem2) && pNewAttrs->HasItem(FN_PARAM_3, &pItem3)) { commit c91bb1d96c894ee9baa65c00483d90ce70ae109f Author: Andras Timar <[email protected]> AuthorDate: Mon Feb 23 07:50:40 2026 +0100 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:32:54 2026 +0100 writerfilter: add null check for GetPaM() in EmulateSectPrBelowSpacing Defensive null check to avoid a potential crash if the cursor's underlying PaM has been invalidated by the time EmulateSectPrBelowSpacing runs. Change-Id: I021ee06c7fb562a6b9ec911700fd5196191d81d4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200007 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Andras Timar <[email protected]> diff --git a/sw/source/writerfilter/dmapper/PropertyMap.cxx b/sw/source/writerfilter/dmapper/PropertyMap.cxx index 7c33e28d39e5..c3a36fbe5967 100644 --- a/sw/source/writerfilter/dmapper/PropertyMap.cxx +++ b/sw/source/writerfilter/dmapper/PropertyMap.cxx @@ -1581,7 +1581,9 @@ void SectionPropertyMap::EmulateSectPrBelowSpacing(DomainMapper_Impl& rDM_Impl) // Also, if m_xStartingRange starts with a table (which also doesn't have above spacing) // then again the below spacing can be ignored since no consolidation is needed. auto pCursor = dynamic_cast<SwXTextCursor*>(m_xStartingRange.get()); - if (!pCursor || pCursor->GetPaM()->GetPointNode().FindTableNode()) + if (!pCursor || !pCursor->GetPaM()) + return; + if (pCursor->GetPaM()->GetPointNode().FindTableNode()) return; // no emulation needed: section starts with a table (i.e. a zero top margin) SwPaM aPaM(pCursor->GetPaM()->GetPointNode()); // at start of section, contentIndex(0) commit 505634773d2e7a68e140d0e0a8d063a383c49ec6 Author: Justin Luth <[email protected]> AuthorDate: Mon Jan 5 14:12:08 2026 -0500 Commit: Andras Timar <[email protected]> CommitDate: Tue Mar 3 21:32:54 2026 +0100 writerfilter: no m_xPreStartingRange if not gotoPreviousParagraph Based on a code read, it doesn't make any sense to pretend we have a useful value in m_xPreStartingRange if this could not move backwards. Better not to have a value at all than to confuse someone who now expects to find content before m_xStartingRange. Introduced in 25.8 with commit a2a88f0073bdd5119745679daa61469e87002579 tdf#165717, tdf#165718 additional hack to apply continuous section breaks Reviewed-on: https://gerrit.libreoffice.org/c/core/+/182830 Change-Id: Ib092cfd755a09b733c7433417c2b7d7eaaef7aa9 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/196582 Reviewed-by: Justin Luth <[email protected]> Tested-by: Jenkins Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200006 Reviewed-by: Andras Timar <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> diff --git a/sw/source/writerfilter/dmapper/PropertyMap.cxx b/sw/source/writerfilter/dmapper/PropertyMap.cxx index 9125c36c69ce..7c33e28d39e5 100644 --- a/sw/source/writerfilter/dmapper/PropertyMap.cxx +++ b/sw/source/writerfilter/dmapper/PropertyMap.cxx @@ -2226,8 +2226,8 @@ void SectionPropertyMap::SetStart( const uno::Reference< text::XTextRange >& xRa m_xStartingRange->getText()->createTextCursorByRange(m_xStartingRange), uno::UNO_QUERY_THROW); // CAUTION: gotoPreviousParagraph skips over tables, // so this range does not necessarily indicate the end of the previous section - xPCursor->gotoPreviousParagraph(false); - m_xPreStartingRange = xPCursor; + if (xPCursor->gotoPreviousParagraph(false)) + m_xPreStartingRange = xPCursor; } catch (const uno::Exception&) {
