sd: ubsan - fix heap-use-after-free in SdOutliner

Desktop / LibreOffice - Tomaž Vajngerl [collabora.co.uk] - 10 June 2021 00:36 UTC

OutlinerView can change (old one deleted and new one created), so we can't store it in a local variable and need to always fetch it.

UBSAN Error log:
==21484==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000af7d28 at pc 0x2ab7c5979405 bp 0x7ffcd1a3d1a0 sp 0x7ffcd1a3d198
READ of size 8 at 0x606000af7d28 thread T0
    #0 0x2ab7c5979404 in std::__uniq_ptr_impl >::_M_ptr() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:147:42
    #1 0x2ab7c59792ea in std::unique_ptr >::get() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:337:21
    #2 0x2ab7c59791d9 in std::unique_ptr >::operator*() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:322:2
    #3 0x2ab7c59725da in OutlinerView::GetEditView() const /include/editeng/outliner.hxx:209:46
    #4 0x2ab7c70e36bb in SdOutliner::SearchAndReplaceOnce(std::__debug::vector >*) /sd/source/ui/view/Outliner.cxx:903:21
    #5 0x2ab7c70dcb32 in SdOutliner::SearchAndReplaceAll() /sd/source/ui/view/Outliner.cxx:622:29
    #6 0x2ab7c70da81b in SdOutliner::StartSearchAndReplace(SvxSearchItem const*) /sd/source/ui/view/Outliner.cxx:478:28
    #7 0x2ab7c61e4fc5 in sd::FuSearch::SearchAndReplace(SvxSearchItem const*) /sd/source/ui/func/fusearch.cxx:128:44
    #8 0x2ab7c5c61fc5 in sd::DrawDocShell::Execute(SfxRequest&) /sd/source/ui/docshell/docshel3.cxx:228:36
    #9 0x2ab7c5cac074 in SfxStubDrawDocShellExecute(SfxShell*, SfxRequest&) /workdir/SdiTarget/sd/sdi/sdslots.hxx:18384:1
    #10 0x2ab7cd885d8f in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:9
    #11 0x2ab7cd89bd8f in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9
    #12 0x2ab7cd89ccd6 in SfxDispatcher::Execute(unsigned short, SfxCallMode, SfxItemSet const*, SfxItemSet const*, unsigned short) /sfx2/source/control/dispatch.cxx:811:9
    #13 0x2ab7cdd11d76 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence const&, com::sun::star::uno::Reference const&) /sfx2/source/control/unoctitm.cxx:738:46
    #14 0x2ab7cdd15135 in SfxOfficeDispatch::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence const&, com::sun::star::uno::Reference const&) /sfx2/source/control/unoctitm.cxx:243:16
    #15 0x2ab7f54b25d7 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence const&) /framework/source/services/dispatchhelper.cxx:159:30
    #16 0x2ab7f54b1531 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) /framework/source/services/dispatchhelper.cxx:117:16
    #17 0x2ab7f54b2d17 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) /framework/source/services/dispatchhelper.cxx
    #18 0x2ab7e63c546f in unotest::MacrosTest::dispatchCommand(com::sun::star::uno::Reference const&, rtl::OUString const&, com::sun::star::uno::Sequence const&) /unotest/source/cpp/macros_test.cxx:85:22
    #19 0x2ab7b1a9ac2d in testSearchAllInDocumentAndNotes::TestBody() /sd/qa/unit/uiimpress.cxx:715:5
    #20 0x2ab7b1b43f84 in void std::__invoke_impl(std::__invoke_memfun_deref, void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:73:14
    #21 0x2ab7b1b43b5e in std::__invoke_result::type std::__invoke(void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:95:14
    #22 0x2ab7b1b439b2 in void std::_Bind::__call(std::tuple<>&&, std::_Index_tuple<0ul>) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:467:11
    #23 0x2ab7b1b43612 in void std::_Bind::operator()() /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:549:17
    #24 0x2ab7b1b426a1 in std::_Function_handler >::_M_invoke(std::_Any_data const&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:316:2
    #25 0x2ab7b1aec1f1 in std::function::operator()() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:706:14
    #26 0x2ab7b1b41984 in CppUnit::TestCaller::runTest() /workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7
    #27 0x2ab765f655ba in CppUnit::TestCaseMethodFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5
    #28 0x2ab780dd0937 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /test/source/vclbootstrapprotector.cxx:46:14
    #29 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
    #30 0x2ab775453fd7 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:78:12
    #31 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
    #32 0x2ab771f47962 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:62:16
    #33 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
    #34 0x2ab765ecdf84 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12
    #35 0x2ab765f36c47 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
    #36 0x2ab765f30697 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) /workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18
    #37 0x2ab765fcfa79 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string, std::allocator > const&) /workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28
    #38 0x2ab765f63c21 in CppUnit::TestCase::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:91:13
    #39 0x2ab765f67a52 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30
    #40 0x2ab765f66c4a in CppUnit::TestComposite::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3
    #41 0x2ab765f67a52 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30
    #42 0x2ab765f66c4a in CppUnit::TestComposite::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3
    #43 0x2ab765ffd60e in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27
    #44 0x2ab765fce4de in CppUnit::TestResult::runTest(CppUnit::Test*) /workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9
    #45 0x2ab765ffe56b in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string, std::allocator > const&) /workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14
    #46 0x4ff42e in (anonymous namespace)::ProtectedFixtureFunctor::run() const /sal/cppunittester/cppunittester.cxx:324:20
    #47 0x4fb90c in sal_main() /sal/cppunittester/cppunittester.cxx:474:20
    #48 0x4fa40e in main /sal/cppunittester/cppunittester.cxx:381:1
    #49 0x2ab767c44554 in __libc_start_main (/lib64/libc.so.6+0x22554)
    #50 0x425e04 in _start (/workdir/LinkTarget/Executable/cppunittester+0x425e04)

0x606000af7d28 is located 8 bytes inside of 56-byte region [0x606000af7d20,0x606000af7d58)
freed by thread T0 here:
    #0 0x4f75f0 in operator delete(void*) /home/tdf/lode/packages/llvm-llvmorg-9.0.1.src/compiler-rt/lib/asan/asan_new_delete.cc:160
    #1 0x2ab7c70c42b1 in SdOutliner::Implementation::ProvideOutlinerView(Outliner&, std::shared_ptr const&, vcl::Window*) /sd/source/ui/view/Outliner.cxx:1988:17
    #2 0x2ab7c70c1302 in SdOutliner::SetViewShell(std::shared_ptr const&) /sd/source/ui/view/Outliner.cxx:1743:17
    #3 0x2ab7c70ed9f4 in SdOutliner::SetViewMode(PageKind) /sd/source/ui/view/Outliner.cxx:1571:5
    #4 0x2ab7c70f309e in SdOutliner::SetObject(sd::outliner::IteratorPosition const&) /sd/source/ui/view/Outliner.cxx:1720:5
    #5 0x2ab7c70f3db6 in SdOutliner::PrepareSearchAndReplace() /sd/source/ui/view/Outliner.cxx:1507:13
    #6 0x2ab7c70d4b3f in SdOutliner::ProvideNextTextObject() /sd/source/ui/view/Outliner.cxx:1302:33
    #7 0x2ab7c70e30f0 in SdOutliner::SearchAndReplaceOnce(std::__debug::vector >*) /sd/source/ui/view/Outliner.cxx:892:17
    #8 0x2ab7c70dcb32 in SdOutliner::SearchAndReplaceAll() /sd/source/ui/view/Outliner.cxx:622:29
    #9 0x2ab7c70da81b in SdOutliner::StartSearchAndReplace(SvxSearchItem const*) /sd/source/ui/view/Outliner.cxx:478:28
    #10 0x2ab7c61e4fc5 in sd::FuSearch::SearchAndReplace(SvxSearchItem const*) /sd/source/ui/func/fusearch.cxx:128:44
    #11 0x2ab7c5c61fc5 in sd::DrawDocShell::Execute(SfxRequest&) /sd/source/ui/docshell/docshel3.cxx:228:36
    #12 0x2ab7c5cac074 in SfxStubDrawDocShellExecute(SfxShell*, SfxRequest&) /workdir/SdiTarget/sd/sdi/sdslots.hxx:18384:1
    #13 0x2ab7cd885d8f in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:9
    #14 0x2ab7cd89bd8f in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9
    #15 0x2ab7cd89ccd6 in SfxDispatcher::Execute(unsigned short, SfxCallMode, SfxItemSet const*, SfxItemSet const*, unsigned short) /sfx2/source/control/dispatch.cxx:811:9
    #16 0x2ab7cdd11d76 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence const&, com::sun::star::uno::Reference const&) /sfx2/source/control/unoctitm.cxx:738:46
    #17 0x2ab7cdd15135 in SfxOfficeDispatch::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence const&, com::sun::star::uno::Reference const&) /sfx2/source/control/unoctitm.cxx:243:16
    #18 0x2ab7f54b25d7 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence const&) /framework/source/services/dispatchhelper.cxx:159:30
    #19 0x2ab7f54b1531 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) /framework/source/services/dispatchhelper.cxx:117:16
    #20 0x2ab7f54b2d17 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) /framework/source/services/dispatchhelper.cxx
    #21 0x2ab7e63c546f in unotest::MacrosTest::dispatchCommand(com::sun::star::uno::Reference const&, rtl::OUString const&, com::sun::star::uno::Sequence const&) /unotest/source/cpp/macros_test.cxx:85:22
    #22 0x2ab7b1a9ac2d in testSearchAllInDocumentAndNotes::TestBody() /sd/qa/unit/uiimpress.cxx:715:5
    #23 0x2ab7b1b43f84 in void std::__invoke_impl(std::__invoke_memfun_deref, void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:73:14
    #24 0x2ab7b1b43b5e in std::__invoke_result::type std::__invoke(void (testSearchAllInDocumentAndNotes::*&)(), testSearchAllInDocumentAndNotes*&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/invoke.h:95:14
    #25 0x2ab7b1b439b2 in void std::_Bind::__call(std::tuple<>&&, std::_Index_tuple<0ul>) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:467:11
    #26 0x2ab7b1b43612 in void std::_Bind::operator()() /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/functional:549:17
    #27 0x2ab7b1b426a1 in std::_Function_handler >::_M_invoke(std::_Any_data const&) /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:316:2
    #28 0x2ab7b1aec1f1 in std::function::operator()() const /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:706:14
    #29 0x2ab7b1b41984 in CppUnit::TestCaller::runTest() /workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7

Change-Id: I0b4616cd3813565bc58b7a84320cbf52dd654a3a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/116879
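The commit message describes a classic stale-pointer bug: the view is owned through a unique_ptr, a call made in the middle of the search (PrepareSearchAndReplace, via SetViewMode) replaces it, and the caller keeps using the pointer it cached before that call. The following model is an added example, not LibreOffice code; `View`, `Outliner`, `ProvideView` and `PrepareNextObject` are assumed stand-ins for OutlinerView, SdOutliner::Implementation, ProvideOutlinerView and PrepareSearchAndReplace, and the buggy variant only records an id up front so that the check itself stays memory-safe.

```cpp
#include <memory>

// Added model of the bug, not LibreOffice code. "View" stands in for
// OutlinerView, "Outliner" for the implementation that owns it via unique_ptr.
struct View {
    static int sLive;    // number of View objects currently alive
    static int sNextId;
    int mShell;          // the view shell (e.g. document vs. notes) it serves
    int mId;             // unique per allocation, so a replacement is visible
    explicit View(int shell) : mShell(shell), mId(++sNextId) { ++sLive; }
    ~View() { --sLive; }
};
int View::sLive = 0;
int View::sNextId = 0;

class Outliner {
public:
    View* GetView() const { return mpView.get(); }
    // Mirrors ProvideOutlinerView(): a different shell gets a fresh View and
    // the unique_ptr assignment deletes the old one.
    void ProvideView(int shell) {
        if (!mpView || mpView->mShell != shell)
            mpView = std::make_unique<View>(shell);
    }
    // Mirrors PrepareSearchAndReplace(): the next text object may live on
    // another shell, which switches the view mode and so replaces the View.
    void PrepareNextObject(int shell) { ProvideView(shell); }
private:
    std::unique_ptr<View> mpView;
};

// Buggy pattern: the view is cached in a local before a call that may replace
// it. Only the id is read up front; the real code dereferenced the stale pointer.
bool CachedViewStillLive(Outliner& rOutliner, int nextShell) {
    View* pView = rOutliner.GetView();
    const int cachedId = pView->mId;
    rOutliner.PrepareNextObject(nextShell);   // may delete *pView
    return cachedId == rOutliner.GetView()->mId;
}

// Fixed pattern: fetch the view again after any call that may replace it.
bool RefetchedViewMatches(Outliner& rOutliner, int nextShell) {
    rOutliner.PrepareNextObject(nextShell);
    View* pView = rOutliner.GetView();        // always the live object
    return pView && pView->mShell == nextShell;
}

// Scenario drivers: the search starts on shell 0 and moves to nextShell.
bool CachedSurvives(int nextShell) { Outliner o; o.ProvideView(0); return CachedViewStillLive(o, nextShell); }
bool RefetchWorks(int nextShell)   { Outliner o; o.ProvideView(0); return RefetchedViewMatches(o, nextShell); }
```

Staying on the same shell keeps the cached pointer valid, which is why the bug only surfaced once the search crossed from the document into the notes view (testSearchAllInDocumentAndNotes).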

36db408b9027 sd: ubsan - fix heap-use-after-free in SdOutliner
sd/inc/Outliner.hxx | 3 ++
sd/source/ui/view/Outliner.cxx | 63 ++++++++++++++++++++++--------------------
2 files changed, 36 insertions(+), 30 deletions(-)

Upstream: cgit.freedesktop.org
