Fix heap-use-after-free

Desktop / LibreOffice - Stephan Bergmann [redhat.com] - 7 December 2019 15:30 UTC

...after 91b2325808a75174f284c48c8b8afc118fad74e4 "tdf#121300 sw: consistent fly at-pargraph selection", as seen with ASan during UITest_writer_tests6 (see also ):

> ERROR: AddressSanitizer: heap-use-after-free on address 0x6040006ec168 at pc 0x7f75b9ee9c81 bp 0x7f75d168a410 sp 0x7f75d168a408
> READ of size 4 at 0x6040006ec168 thread T41 (cppu_threadpool)
> #0 in SwFormatAnchor::GetAnchorId() const at sw/inc/fmtanchr.hxx:65:44
> #1 in sw::DocumentContentOperationsManager::CopyImplImpl(SwPaM&, SwPosition&, bool, SwPaM*) const at sw/source/core/doc/DocumentContentOperationsManager.cxx:4863:30
> #2 in sw::DocumentContentOperationsManager::CopyImpl(SwPaM&, SwPosition&, bool, SwPaM*) const at sw/source/core/doc/DocumentContentOperationsManager.cxx:4432:16
> #3 in sw::DocumentContentOperationsManager::CopyRange(SwPaM&, SwPosition&, bool, bool) const at sw/source/core/doc/DocumentContentOperationsManager.cxx:1868:16
> #4 in SwFEShell::Paste(SwDoc*) at sw/source/core/frmedt/fecopy.cxx:1038:62
> [...]
> 0x6040006ec168 is located 24 bytes inside of 40-byte region [0x6040006ec150,0x6040006ec178)
> freed by thread T41 (cppu_threadpool) here:
> #0 in operator delete(void*, unsigned long) at /home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3
> #1 in SwFormatAnchor::~SwFormatAnchor() at sw/source/core/layout/atrfrm.cxx:1473:1
> #2 in SfxItemPool::Remove(SfxPoolItem const&) at svl/source/items/itempool.cxx:741:13
> #3 in SfxItemSet::~SfxItemSet() at svl/source/items/itemset.cxx:252:42
> #4 in SwAttrSet::~SwAttrSet() at sw/inc/swatrset.hxx:161:20
> #5 in SwFormat::SetFormatAttr(SfxPoolItem const&) at sw/source/core/attr/format.cxx:541:5
> #6 in sw::DocumentContentOperationsManager::CopyImplImpl(SwPaM&, SwPosition&, bool, SwPaM*) const at sw/source/core/doc/DocumentContentOperationsManager.cxx:4861:27
> #7 in sw::DocumentContentOperationsManager::CopyImpl(SwPaM&, SwPosition&, bool, SwPaM*) const at sw/source/core/doc/DocumentContentOperationsManager.cxx:4432:16
> #8 in sw::DocumentContentOperationsManager::CopyRange(SwPaM&, SwPosition&, bool, bool) const at sw/source/core/doc/DocumentContentOperationsManager.cxx:1868:16
> #9 in SwFEShell::Paste(SwDoc*) at sw/source/core/frmedt/fecopy.cxx:1038:62
> [...]

Change-Id: I7a31e9dbb6fa1cdf938420a9a949b125c66e3ce2
Reviewed-on: https://gerrit.libreoffice.org/84683

546cbc918258 Fix heap-use-after-free
sw/source/core/doc/DocumentContentOperationsManager.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
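The ASan report above shows the classic shape of this bug: CopyImplImpl holds a reference to the format's anchor attribute, calls SwFormat::SetFormatAttr (which replaces the attribute set and deletes the old SwFormatAnchor via SfxItemPool::Remove), and two lines later reads GetAnchorId() through the now-dangling reference. The following is an added illustration of that ordering problem, not code from LibreOffice or from the commit: Anchor, ItemPool, Format, CopyAnchorBuggy and CopyAnchorFixed are hypothetical stand-ins for the real classes, and the pool tombstones removed items instead of freeing them (mimicking ASan's quarantine) so the stale read is observable rather than undefined behaviour. The remedy shown, copying the value out before mutating the owner, is one standard fix and is not claimed to be what 546cbc918258 changed.

```cpp
// Added illustration of the ordering bug behind the ASan report above.
// All names here are hypothetical stand-ins, not LibreOffice's classes.
#include <cstdio>
#include <memory>
#include <optional>
#include <vector>

enum class AnchorId { AtParagraph, AtCharacter, AsCharacter };

// Pool item stand-in (cf. SwFormatAnchor). A removed item is tombstoned
// instead of freed, mimicking ASan's quarantine, so a read through a stale
// reference is observable here rather than undefined behaviour.
struct Anchor {
    AnchorId id;
    bool removed = false;

    std::optional<AnchorId> GetAnchorId() const {
        if (removed) {
            return std::nullopt;  // the real code reads freed memory here
        }
        return id;
    }
};

// Item pool stand-in (cf. SfxItemPool). Items live on the heap, so references
// handed out by Put() stay valid for the pool's lifetime even after more Put()s.
class ItemPool {
public:
    Anchor& Put(AnchorId id) {
        items_.push_back(std::make_unique<Anchor>(Anchor{id, false}));
        return *items_.back();
    }
    // A real pool deletes the item here (SfxItemPool::Remove ->
    // ~SwFormatAnchor in the trace); this one only marks it dead.
    void Remove(Anchor& item) { item.removed = true; }

private:
    std::vector<std::unique_ptr<Anchor>> items_;
};

// Format stand-in (cf. SwFormat) owning a single anchor attribute.
class Format {
public:
    Format(ItemPool& pool, AnchorId id) : pool_(pool), anchor_(&pool.Put(id)) {}

    const Anchor& GetAnchor() const { return *anchor_; }

    // Replacing the attribute retires the previous item; any reference to the
    // old item that a caller still holds is stale from this point on.
    void SetFormatAttr(AnchorId id) {
        Anchor& fresh = pool_.Put(id);
        pool_.Remove(*anchor_);
        anchor_ = &fresh;
    }

private:
    ItemPool& pool_;
    Anchor* anchor_;
};

// Buggy ordering, as in the trace: the reference is taken before
// SetFormatAttr (frame #6 of the "freed by" stack) and read after it
// (frame #1 of the "READ" stack). Returns nullopt when the read is stale.
std::optional<AnchorId> CopyAnchorBuggy(Format& fmt, AnchorId replacement) {
    const Anchor& rAnchor = fmt.GetAnchor();
    fmt.SetFormatAttr(replacement);  // old item retired here
    return rAnchor.GetAnchorId();    // stale read
}

// One standard remedy: copy the value out of the item before mutating the
// owner, so no reference into the pool outlives the mutation.
AnchorId CopyAnchorFixed(Format& fmt, AnchorId replacement) {
    const AnchorId id = *fmt.GetAnchor().GetAnchorId();
    fmt.SetFormatAttr(replacement);
    return id;
}

// True if the buggy ordering produced a stale read for this input.
bool BuggyOrderingIsStale(AnchorId initial, AnchorId replacement) {
    ItemPool pool;
    Format fmt(pool, initial);
    return !CopyAnchorBuggy(fmt, replacement).has_value();
}

// The value the fixed ordering observed for this input.
AnchorId FixedOrderingReads(AnchorId initial, AnchorId replacement) {
    ItemPool pool;
    Format fmt(pool, initial);
    return CopyAnchorFixed(fmt, replacement);
}

int main() {
    const bool stale = BuggyOrderingIsStale(AnchorId::AtParagraph, AnchorId::AtCharacter);
    std::printf("buggy ordering reads a retired item: %s\n", stale ? "yes" : "no");
    return 0;
}
```

Under a real allocator the buggy path is exactly what ASan flagged: the only reason it is deterministic here is that the stand-in pool never reuses or frees the storage. The general rule the trace illustrates is that any reference into a pool-owned item must not be held across a call that can replace that item; either take the value first or re-fetch the reference after the mutation.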

Upstream: cgit.freedesktop.org

