authorCaolán McNamara <caolanm@redhat.com>2017-10-02 09:24:19 +0100
committerAndras Timar <andras.timar@collabora.com>2017-10-18 11:59:54 +0200
commit98e811528fa2ed87e0b1e2d8bf1fd66ac222702d (patch)
tree212c71ada260583330c6eab3e6f0b898fe52abd2
parentResolves: tdf#100822 use sax::Converter::parseDateTime() for 'd' ISO 8601 date (diff)
ofz#3527 ofz#3532 Invalid read of size 8
use numrule name to look up numrule instead of cached numrule pointer in case it was deleted on failure to apply the numrule over an invalid range Invalid read of size 8 at 0x1E875132: rtl::OUString::OUString(rtl::OUString const&) (ustring.hxx:143) by 0x1EB33D93: SwWW8ImplReader::StartAnl(unsigned char const*) (ww8par2.cxx:1094) by 0x1EB33003: SwWW8ImplReader::Read_ANLevelNo(unsigned short, unsigned char const*, short) (ww8par2.cxx:910) by 0x1EBA375D: SwWW8ImplReader::ImportSprm(unsigned char const*, int, unsigned short) (ww8par6.cxx:6337) by 0x1EAEEA24: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) (ww8par.cxx:3810) by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) (ww8par.cxx:3921) by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) (ww8par.cxx:4003) by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) (ww8par.cxx:5219) Address 0x31831158 is 200 bytes inside a block of size 248 free'd at 0x4C2F21A: operator delete(void*) (vg_replace_malloc.c:576) by 0x253BC1B5: SwDoc::DelNumRule(rtl::OUString const&, bool) (docnum.cxx:1033) by 0x25CB943D: SwFltControlStack::SetAttrInDoc(SwPosition const&, SwFltStackEntry&) (fltshell.cxx:609) by 0x1EAE5011: SwWW8FltControlStack::SetAttrInDoc(SwPosition const&, SwFltStackEntry&) (ww8par.cxx:1445) by 0x25CB8A9E: SwFltControlStack::SetAttr(SwPosition const&, unsigned short, bool, long, bool) (fltshell.cxx:457) by 0x1EAE420E: SwWW8FltControlStack::SetAttr(SwPosition const&, unsigned short, bool, long, bool) (ww8par.cxx:1185) by 0x1EAE5C12: SwWW8ImplReader::Read_Tab(unsigned short, unsigned char const*, short) (ww8par.cxx:1625) by 0x1EBA35F0: SwWW8ImplReader::EndSprm(unsigned short) (ww8par6.cxx:6321) by 0x1EAEEA44: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) (ww8par.cxx:3813) by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) (ww8par.cxx:3921) by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) (ww8par.cxx:4003) by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary 
const*) (ww8par.cxx:5219) Change-Id: Ia7ab67e42fc7a162d8089722e77841285f72a671 Reviewed-on: https://gerrit.libreoffice.org/43030 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit 8580472270972733cda7fa6ecf23db73359d30bb)
-rw-r--r--sw/source/filter/ww8/ww8par.hxx7
-rw-r--r--sw/source/filter/ww8/ww8par2.cxx24
2 files changed, 17 insertions, 14 deletions
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 3de77f914409..3d72215dc157 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -972,11 +972,10 @@ struct ApoTestResults
struct ANLDRuleMap
{
- SwNumRule* mpOutlineNumRule; // WinWord 6 numbering, variant 1
- SwNumRule* mpNumberingNumRule; // WinWord 6 numbering, variant 2
- SwNumRule* GetNumRule(sal_uInt8 nNumType);
+ OUString msOutlineNumRule; // WinWord 6 numbering, variant 1
+ OUString msNumberingNumRule; // WinWord 6 numbering, variant 2
+ SwNumRule* GetNumRule(SwDoc& rDoc, sal_uInt8 nNumType);
void SetNumRule(SwNumRule*, sal_uInt8 nNumType);
- ANLDRuleMap() : mpOutlineNumRule(nullptr), mpNumberingNumRule(nullptr) {}
};
struct SprmReadInfo;
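Review bot: The trailing comments on `msOutlineNumRule` and `msNumberingNumRule` still only say "WinWord 6 numbering, variant 1/2" and do not record that the members now hold rule names that are resolved on demand. Going by the commit message, the cached rule can be deleted by SwDoc::DelNumRule while the reader still refers to it, so a short comment above the two members would stop a later cleanup from turning them back into cached pointers: `// Rule names, not SwNumRule*: the rule can be deleted from the document during import; resolve via GetNumRule()`. The declaration of `GetNumRule` should also say that the result may be nullptr.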
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 7a3f269bb1ab..659ce0b4c0cd 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1020,17 +1020,21 @@ WW8LvlType GetNumType(sal_uInt8 nWwLevelNo)
return nRet;
}
-SwNumRule *ANLDRuleMap::GetNumRule(sal_uInt8 nNumType)
+SwNumRule *ANLDRuleMap::GetNumRule(SwDoc& rDoc, sal_uInt8 nNumType)
{
- return (WW8_Numbering == nNumType ? mpNumberingNumRule : mpOutlineNumRule);
+ const OUString& rNumRule = WW8_Numbering == nNumType ? msNumberingNumRule : msOutlineNumRule;
+ if (rNumRule.isEmpty())
+ return nullptr;
+ return rDoc.FindNumRulePtr(rNumRule);
}
void ANLDRuleMap::SetNumRule(SwNumRule *pRule, sal_uInt8 nNumType)
{
+ OUString sNumRule = pRule ? pRule->GetName() : OUString();
if (WW8_Numbering == nNumType)
- mpNumberingNumRule = pRule;
+ msNumberingNumRule = sNumRule;
else
- mpOutlineNumRule = pRule;
+ msOutlineNumRule = sNumRule;
}
// StartAnl is called at the beginning of a row area that contains
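Review bot: `GetNumRule` returns whatever `rDoc.FindNumRulePtr(rNumRule)` yields, so a non-empty stored name whose rule has since been deleted presumably gives nullptr while the stale name stays in the map. Two things follow. Every caller has to tolerate nullptr: NextAnlLine gains guards in this commit, but the StartAnl hunk shows none, though its body continues outside the hunk. And if a later rule can be created under the same name, the stale entry would silently resolve to that unrelated rule. If such reuse is possible, clearing the stored name on a failed lookup would close it; either way the contract deserves a comment such as `// returns nullptr if no rule is recorded or the recorded rule no longer exists in rDoc`.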
@@ -1044,7 +1048,7 @@ void SwWW8ImplReader::StartAnl(const sal_uInt8* pSprm13)
return;
m_nWwNumType = nT;
- SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+ SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
// check for COL numbering:
const sal_uInt8* pS12 = nullptr;// sprmAnld
@@ -1112,7 +1116,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
if (!m_bAnl)
return;
- SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+ SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
// pNd->UpdateNum ohne Regelwerk gibt GPF spaetestens beim Speichern als
// sdw3
@@ -1121,7 +1125,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
if (*pSprm13 == 10 || *pSprm13 == 11)
{
m_nSwNumLevel = 0;
- if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+ if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
{
// not defined yet
// sprmAnld o. 0
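Review bot: With `if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))` a null rule silently skips the "not defined yet" setup even though `m_nSwNumLevel` has already been assigned, and the outline branch in the next hunk repeats the pattern. The German context comment after the lookup in the preceding hunk warns that updating numbering without a rule set crashes later, so the rest of NextAnlLine, which lies outside these hunks, should be checked for code that assumes a rule exists. If nothing useful can be done without a rule, a single `if (!pNumRule) return;` right after the lookup reads more clearly than two guards. If continuing is intended, say so, e.g. `// rule may have been deleted since it was recorded; keep the level, skip format setup`.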
@@ -1133,7 +1137,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
{
m_nSwNumLevel = *pSprm13 - 1; // outline
// undefined
- if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+ if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
{
if (m_pNumOlst) // there was a OLST
{
@@ -1186,7 +1190,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 nNewType, bool bGoBack)
else
m_pCtrlStck->SetAttr(*m_pPaM->GetPoint(), RES_FLTR_NUMRULE);
- m_aANLDRules.mpNumberingNumRule = nullptr;
+ m_aANLDRules.msNumberingNumRule.clear();
/*
#i18816#
my take on this problem is that moving either way from an outline to a
@@ -1196,7 +1200,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 nNewType, bool bGoBack)
(((m_nWwNumType == WW8_Outline) && (nNewType == WW8_Numbering)) ||
((m_nWwNumType == WW8_Numbering) && (nNewType == WW8_Outline)));
if (!bNumberingNotStopOutline)
- m_aANLDRules.mpOutlineNumRule = nullptr;
+ m_aANLDRules.msOutlineNumRule.clear();
m_nSwNumLevel = 0xff;
m_nWwNumType = WW8_None;