crashtesting: export of fdo50613-3.odt to docx crashes

Desktop / LibreOffice - Caolán McNamara [redhat.com] - 26 November 2019 23:27 UTC

there are multiple objects in the doc and the ole cache hovers at the max size at which it wants to purge excess objects.

On save to docx, object a's chart model is fetched in order to save it; this triggers activating object a, so object b is purged from the cache. storeOwn is called on b to save it to the document persist storage.

During save of object b to document persist, ChartView::getExplicitValuesForAxis is called, which calls impl_updateView which eventually calls lcl_setDefaultWritingMode.

*if* IsCTLFontEnabled is on, then chart digs through its parent objects looking for a chart in order to see what the writing direction is at the insertion point of the chart (or, failing that, for the page it's on) (this also seems dubious as it might be any chart, not the current chart)

To see if the object is a chart it calls getPropertyValue("CLSID"), which brings the object into the ole cache; another object is purged from the cache, and the object purged is object b (which is in the process of getting purged already).

object b is now purged in the inner case, so when control is returned to the outer storeOwn the object properties have been deleted and all is lost.

disallow a purge within a purge

Change-Id: Ia21e794759aa82b6bcf39c638be8b47ac58a9bb3 Reviewed-on: https://gerrit.libreoffice.org/83808

1cf1e9cc3332 crashtesting: export of fdo50613-3.odt to docx crashes
sw/inc/ndole.hxx | 15 +++++++++++++++
sw/source/core/ole/ndole.cxx | 14 ++++++++++++++
sw/source/filter/basflt/shellio.cxx | 6 +++---
3 files changed, 32 insertions(+), 3 deletions(-)
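The commit message above describes a re-entrancy bug in an LRU-style cache: evicting an entry calls out to the entry's own store routine, that routine re-enters the cache, and the nested eviction picks the very entry whose store is still in progress. The following is an added illustration, not code from this commit or from sw/source/core/ole/ndole.cxx: a hypothetical cache model (`OleCache`, `OleObject`, `runScenario` are all invented names) that replays the sequence from the message, first without and then with a "no purge within a purge" guard. The guard flag `m_bInPurge` is an assumption about the shape of the fix, not the actual field used in ndole.hxx.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Hypothetical embedded object: properties live in memory until the cache
// purges the object, at which point they are written out and then dropped.
struct OleObject {
    std::string name;
    std::string props;             // in-memory state, cleared on purge
    std::string persisted;         // what "document persist storage" ends up holding
    std::function<void()> onStore; // side effect run mid-store (stands in for the CLSID lookup)

    void storeOwn() {
        if (onStore) onStore();    // may re-enter the cache
        persisted = props;         // copy whatever is left of the properties
    }
};

class OleCache {
public:
    OleCache(std::size_t maxSize, bool guardReentrantPurge)
        : m_maxSize(maxSize), m_guard(guardReentrantPurge) {}

    // Bring an object into the cache (most recently used at the back).
    // Only a genuinely new entry can push the cache over its limit.
    void activate(OleObject* obj) {
        auto it = std::find(m_entries.begin(), m_entries.end(), obj);
        bool wasPresent = (it != m_entries.end());
        if (wasPresent)
            m_entries.erase(it);
        m_entries.push_back(obj);
        if (!wasPresent && m_entries.size() > m_maxSize)
            purgeOne();
    }

    std::size_t size() const { return m_entries.size(); }

private:
    // Evict the least recently used entry: store it, then drop its properties.
    void purgeOne() {
        if (m_guard && m_bInPurge)
            return;                          // the fix: disallow a purge within a purge
        m_bInPurge = true;
        OleObject* victim = m_entries.front();
        victim->storeOwn();                  // may call back into activate()
        auto it = std::find(m_entries.begin(), m_entries.end(), victim);
        if (it != m_entries.end())
            m_entries.erase(it);
        victim->props.clear();               // properties are gone once purged
        m_bInPurge = false;
    }

    std::size_t m_maxSize;
    bool m_guard;
    bool m_bInPurge = false;
    std::vector<OleObject*> m_entries;
};

// Replay the sequence from the commit message with a cache that holds one
// object: saving a activates a, which purges b; b's store re-enters the cache
// by activating c (the CLSID lookup). Returns what ended up persisted for b.
std::string runScenario(bool guardReentrantPurge) {
    OleCache cache(1, guardReentrantPurge);
    OleObject a{"a", "chart model A"};
    OleObject b{"b", "chart model B"};
    OleObject c{"c", "some other object"};

    b.onStore = [&] { cache.activate(&c); }; // nested activation during b's storeOwn
    cache.activate(&b);                       // b is the resident object before the save
    cache.activate(&a);                       // fetching a's model evicts b
    return b.persisted;
}
```

Without the guard the nested purge picks b again (it is still the least recently used entry), stores it, clears its properties and returns; the outer storeOwn then resumes and overwrites the good copy with the now-empty properties, which is the data loss the message describes. With the guard the nested activation of c is allowed to temporarily push the cache over its limit, and b's outer store completes with its properties intact.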

Upstream: cgit.freedesktop.org
