diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2020-04-03 16:35:36 +0100 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-11-17 19:19:33 +0100 |
| commit | 26f3986c3e7607d3c75c7f9b40be9d7e5914c587 (patch) | |
| tree | 277abf98c18efd5061199b7f7b8639b48eb0bb82 | |
| parent | cid#1473818 Use after free (diff) | |
| download | core-26f3986c3e7607d3c75c7f9b40be9d7e5914c587.tar.gz core-26f3986c3e7607d3c75c7f9b40be9d7e5914c587.zip | |
crashtesting: crash on reexport of tdf118346-1.odg to odg
make a copy of m_pImpGraphicList because if we swap out a svg, the svg filter
may create more temp Graphics which are auto-added to m_pImpGraphicList
invalidating a loop over m_pImpGraphicList
#0 0x00007ffff0d25ae5 in vcl::graphic::Manager::reduceGraphicMemory() (this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:88
#1 0x00007ffff0d25ee9 in vcl::graphic::Manager::registerGraphic(std::shared_ptr<ImpGraphic> const&, rtl::OUString const&)
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>, pImpGraphic=std::shared_ptr<ImpGraphic> (use count 1, weak count 0) = {...})
at vcl/source/graphic/Manager.cxx:139
#2 0x00007ffff0d26406 in vcl::graphic::Manager::newInstance() (this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:184
#3 0x00007ffff0b6735c in Graphic::Graphic() (this=0x7fffffff84f0) at vcl/source/gdi/graph.cxx:182
#4 0x00007fffdc526600 in svgio::svgreader::SvgImageNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x555556817940, rTarget=...) at svgio/source/svgreader/svgimagenode.cxx:219
#5 0x00007fffdc52e75d in svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x55555a6a93d0, rTarget=..., bReferenced=false) at svgio/source/svgreader/svgnode.cxx:529
#6 0x00007fffdc522339 in svgio::svgreader::SvgGNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x55555a6a93d0, rTarget=..., bReferenced=false) at svgio/source/svgreader/svggnode.cxx:106
#7 0x00007fffdc52e75d in svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x55555a6a9070, rTarget=..., bReferenced=false) at svgio/source/svgreader/svgnode.cxx:529
#8 0x00007fffdc522339 in svgio::svgreader::SvgGNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x55555a6a9070, rTarget=..., bReferenced=false) at svgio/source/svgreader/svggnode.cxx:106
#9 0x00007fffdc52e75d in svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x55555a5f9150, rTarget=..., bReferenced=false) at svgio/source/svgreader/svgnode.cxx:529
#10 0x00007fffdc54d19f in svgio::svgreader::SvgSvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const
(this=0x55555a5f9150, rTarget=..., bReferenced=false) at svgio/source/svgreader/svgsvgnode.cxx:304
#11 0x00007fffdc571373 in svgio::svgreader::(anonymous namespace)::XSvgParser::getDecomposition(com::sun::star::uno::Reference<com::sun::star::io::XInputStream> const&, rtl::OUString const&) (this=0x55555a69c6d0, xSVGStream=uno::Reference to (comphelper::SequenceInputStream *) 0x555557480668, aAbsolutePath="")
at svgio/source/svguno/xsvgparser.cxx:160
#12 0x00007ffff0cf849b in VectorGraphicData::ensureSequenceAndRange() (this=0x555556ea7540)
at vcl/source/gdi/vectorgraphicdata.cxx:196
#13 0x00007ffff0cf9124 in VectorGraphicData::getRange() const (this=0x555556ea7540)
at vcl/source/gdi/vectorgraphicdata.cxx:323
#14 0x00007ffff0b74da7 in ImpGraphic::ImplGetPrefSize() const (this=0x5555588b00f0) at vcl/source/gdi/impgraph.cxx:778
#15 0x00007ffff0b76623 in ImpGraphic::ImplWriteEmbedded(SvStream&) (this=0x5555588b00f0, rOStm=...)
at vcl/source/gdi/impgraph.cxx:1235
#16 0x00007ffff0b770a1 in ImpGraphic::ImplSwapOut(SvStream*) (this=0x5555588b00f0, xOStm=0x55555826b7d0)
at vcl/source/gdi/impgraph.cxx:1377
#17 0x00007ffff0b76bdb in ImpGraphic::ImplSwapOut() (this=0x5555588b00f0) at vcl/source/gdi/impgraph.cxx:1328
#18 0x00007ffff0d25c88 in vcl::graphic::Manager::reduceGraphicMemory() (this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:107
#19 0x00007ffff0d25ee9 in vcl::graphic::Manager::registerGraphic(std::shared_ptr<ImpGraphic> const&, rtl::OUString const&)
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>, pImpGraphic=std::shared_ptr<ImpGraphic> (use count 1, weak count 0) = {...})
at vcl/source/graphic/Manager.cxx:139
#20 0x00007ffff0d26406 in vcl::graphic::Manager::newInstance() (this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:184
#21 0x00007ffff0b6735c in Graphic::Graphic() (this=0x555556d5ea68) at vcl/source/gdi/graph.cxx:182
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91650
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 6fa2891da4852716fe62d925ffdbeeb380a2ed66)
Change-Id: I4e1ffcb12ead0d53b7ca2f369154e9c753af77d8
| -rw-r--r-- | vcl/source/graphic/Manager.cxx | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/vcl/source/graphic/Manager.cxx b/vcl/source/graphic/Manager.cxx index c2146a680e8a..a7359982b9f2 100644 --- a/vcl/source/graphic/Manager.cxx +++ b/vcl/source/graphic/Manager.cxx @@ -72,7 +72,12 @@ Manager::Manager() void Manager::reduceGraphicMemory() { - for (ImpGraphic* pEachImpGraphic : m_pImpGraphicList) + // make a copy of m_pImpGraphicList because if we swap out a svg, the svg + // filter may create more temp Graphics which are auto-added to + // m_pImpGraphicList invalidating a loop over m_pImpGraphicList, e.g. + // reexport of tdf118346-1.odg + auto const aImpGraphicList = m_pImpGraphicList; + for (ImpGraphic* pEachImpGraphic : aImpGraphicList) { if (mnUsedSize < mnMemoryLimit * 0.7) return; |