crashtesting: threaded scaling crash on re-export of ooo24840-1.sxw to odt

Desktop / LibreOffice - Caolán McNamara [redhat.com] - 10 September 2021 17:01 UTC

    #13 0x00007f1cb843752a in o3tl::cow_wrapper::operator->() (this=0x5596086d5968) at include/o3tl/cow_wrapper.hxx:329
            __PRETTY_FUNCTION__ = "BitmapColor& BitmapPalette::operator[](sal_uInt16)"
    #14 0x00007f1cb843752a in BitmapPalette::operator[](unsigned short) (this=0x5596086d5968, nIndex=nIndex@entry=0) at vcl/source/bitmap/bitmappalette.cxx:139
            __PRETTY_FUNCTION__ = "BitmapColor& BitmapPalette::operator[](sal_uInt16)"
    #15 0x00007f1cb849f5f5 in BitmapInfoAccess::GetPaletteColor(unsigned short) const (nColor=0, this=0x5596085989f0) at include/vcl/BitmapInfoAccess.hxx:114
            __PRETTY_FUNCTION__ = "const BitmapColor& BitmapInfoAccess::GetPaletteColor(sal_uInt16) const"

the mpBuffer member of BitmapInfoAccess is

    BitmapBuffer* mpBuffer;

not

    const BitmapBuffer* mpBuffer;

so mpBuffer->maPalette.foo() calls non-const variants of foo() (BitmapPalette::operator[](unsigned short) in this case), which is presumably not the expected outcome, as the copy-on-write mpImpl of BitmapPalette unsafely creates a new copy of its internals on the first dereference of mpImpl in a non-const method.

Change-Id: I1ebb3c67386a9028e5b8bab4b2d1cc5862700aa1
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121910

7d4142269e2d crashtesting: threaded scaling crash on re-export of ooo24840-1.sxw to odt
include/vcl/BitmapInfoAccess.hxx | 27 ++++++++++++++++++---------
vcl/source/bitmap/BitmapInfoAccess.cxx | 4 +++-
2 files changed, 21 insertions(+), 10 deletions(-)
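
The overload selection the commit message describes, reduced to a stand-alone example that is added here and is not LibreOffice code: a const getter reading through a `Buffer*` member still picks the non-const `operator[]`, so a plain read performs a copy-on-write copy of shared state, while a `const Buffer*` member does not. `Cow`, `Palette`, `Buffer`, `AccessMutablePtr`, `AccessConstPtr` and `copiesOnRead` are hypothetical names; `Cow` is a simplified stand-in, not `o3tl::cow_wrapper`.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

int g_copies = 0;  // number of copy-on-write unshare operations performed

// Simplified stand-in for a copy-on-write wrapper (not o3tl::cow_wrapper itself).
template <typename T> class Cow {
    std::shared_ptr<T> mp;
public:
    explicit Cow(T v) : mp(std::make_shared<T>(std::move(v))) {}
    const T* operator->() const { return mp.get(); }  // read path: never copies
    T* operator->() {                                 // write path: unshare first
        if (mp.use_count() > 1) { mp = std::make_shared<T>(*mp); ++g_copies; }
        return mp.get();
    }
};

struct Palette {  // hypothetical reduction of a COW-backed palette
    Cow<std::vector<int>> impl{std::vector<int>{10, 20, 30}};  // constructed sample data
    int& operator[](std::size_t i) { return impl->at(i); }
    const int& operator[](std::size_t i) const { return impl->at(i); }
};
struct Buffer { Palette maPalette; };

// Both getters are const member functions; only the pointee constness differs.
struct AccessMutablePtr {
    Buffer* mpBuffer;
    int GetPaletteColor(std::size_t i) const { return mpBuffer->maPalette[i]; }
};
struct AccessConstPtr {
    const Buffer* mpBuffer;
    int GetPaletteColor(std::size_t i) const { return mpBuffer->maPalette[i]; }
};

// Returns how many COW copies a single read through Access triggered.
template <typename Access> int copiesOnRead() {
    Buffer original;
    Buffer shared = original;  // both palettes now share one implementation
    g_copies = 0;
    Access acc{&shared};
    return acc.GetPaletteColor(0) == 10 ? g_copies : -1;
}

int main() {
    std::printf("Buffer* member:       %d copy\n", copiesOnRead<AccessMutablePtr>());
    std::printf("const Buffer* member: %d copy\n", copiesOnRead<AccessConstPtr>());
}
```

A `const` member function only makes the pointer itself const (`Buffer* const`), not the object it points to, which is why the first accessor reaches the mutating overload.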

Upstream: cgit.freedesktop.org

