authorCaolán McNamara <caolanm@redhat.com>2022-04-01 16:52:06 +0100
committerMichael Stahl <michael.stahl@allotropia.de>2022-05-13 14:14:27 +0200
commit951592a21ccee1126de35ba071e31f80d906fb39 (patch)
tree3d09f8fc9850d4abb0b2db26cfbc2c9aabec453b
parentforcepoint#93 fix crash on layout of specific rtf (diff)
downloadcore-951592a21ccee1126de35ba071e31f80d906fb39.tar.gz
core-951592a21ccee1126de35ba071e31f80d906fb39.zip
forcepoint#99 SwTextFormatter unaware that FirstOfBorderMerge was deleted
READ of size 8 at 0x606000a49e50 thread T0 #0 0x7f7ab6214bf5 in SwPosSize::Height() const /home/caolan/LibreOffice/core-asan/sw/source/core/text/possiz.hxx:49:37 #1 0x7f7ab636c311 in SwTextFormatter::MergeCharacterBorder(SwLinePortion&, SwLinePortion const*, SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:2807:43 #2 0x7f7ab636ae08 in SwTextFormatter::InsertPortion(SwTextFormatInfo&, SwLinePortion*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:354:13 #3 0x7f7ab6371db1 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:709:9 #4 0x7f7ab638b2ac in SwTextFormatter::FormatLine(o3tl::strong_int<int, Tag_TextFrameIndex>) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:1701:9 #5 0x7f7ab62a8ad1 in SwTextFrame::FormatLine(SwTextFormatter&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1212:44 #6 0x7f7ab62af1cc in SwTextFrame::Format_(SwTextFormatter&, SwTextFormatInfo&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1571:23 #7 0x7f7ab62b1f17 in SwTextFrame::Format_(OutputDevice*, SwParaPortion*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1743:5 #8 0x7f7ab62b5260 in SwTextFrame::Format(OutputDevice*, SwBorderAttrs const*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1932:17 #9 0x7f7ab5dbdabd in SwContentFrame::MakeAll(OutputDevice*) /home/caolan/LibreOffice/core-asan/sw/source/core/layout/calcmove.cxx:1514:17 0x606000a49e50 is located 16 bytes inside of 56-byte region [0x606000a49e40,0x606000a49e78) freed by thread T0 here: #0 0x4fe1f7 in operator delete(void*) (/home/caolan/LibreOffice/core-asan/instdir/program/soffice.bin+0x4fe1f7) #1 0x7f7ab6486d35 in SwTextPortion::~SwTextPortion() /home/caolan/LibreOffice/core-asan/sw/source/core/text/portxt.hxx:26:7 #2 0x7f7ab63da0c9 in SwLineLayout::CalcLine(SwTextFormatter&, 
SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/porlay.cxx:430:21 #3 0x7f7ab6435413 in SwMultiPortion::CalcSize(SwTextFormatter&, SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/pormulti.cxx:75:15 #4 0x7f7ab6457749 in SwTextFormatter::BuildMultiPortion(SwTextFormatInfo&, SwMultiPortion&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/pormulti.cxx:2090:16 #5 0x7f7ab636f12c in SwTextFormatter::BuildPortions(SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:550:21 #6 0x7f7ab638b2ac in SwTextFormatter::FormatLine(o3tl::strong_int<int, Tag_TextFrameIndex>) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:1701:9 #7 0x7f7ab62a8ad1 in SwTextFrame::FormatLine(SwTextFormatter&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1212:44 #8 0x7f7ab62af1cc in SwTextFrame::Format_(SwTextFormatter&, SwTextFormatInfo&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1571:23 #9 0x7f7ab62b1f17 in SwTextFrame::Format_(OutputDevice*, SwParaPortion*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1743:5 #10 0x7f7ab62b5260 in SwTextFrame::Format(OutputDevice*, SwBorderAttrs const*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1932:17 #11 0x7f7ab5dbdabd in SwContentFrame::MakeAll(OutputDevice*) /home/caolan/LibreOffice/core-asan/sw/source/core/layout/calcmove.cxx:1514:17 similar seen in the past as: commit 96acebb72211b4718eb3038c427df37b55b17b0b Date: Tue May 14 01:49:03 2019 +0800 tdf#124937 reset m_pFirstOfBorderMerge before truncate. 
commit ecd855794b22c0f7e6fb2f362b566c4d9c5f624a Date: Mon Jan 15 22:29:31 2018 +0100 tdf#114536 sw: fix use-after-free in SwTextFormatter::MergeCharacterBorder() Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132439 Tested-by: Jenkins Reviewed-by: Miklos Vajna <vmiklos@collabora.com> (cherry picked from commit b46baea4d1cce81c56ee0d82fbdc352921445fa7) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132380 Reviewed-by: Michael Stahl <michael.stahl@allotropia.de> (cherry picked from commit 0a34ac386187c5ca328aebc27851c2a2ff38f293) (cherry picked from commit 1737ee2c89f7a103f1a0d77f2d3548dda3c35b8e) Change-Id: Iad855f382a0daf50dac2537d4a91bfeaa9ff3799
-rw-r--r--sw/qa/extras/layout/data/forcepoint99.htmlbin0 -> 14034 bytes
-rw-r--r--sw/qa/extras/layout/layout.cxx8
-rwxr-xr-xsw/source/core/text/itrform2.cxx15
-rw-r--r--sw/source/core/text/itrform2.hxx2
-rw-r--r--sw/source/core/text/porlay.cxx4
5 files changed, 24 insertions, 5 deletions
diff --git a/sw/qa/extras/layout/data/forcepoint99.html b/sw/qa/extras/layout/data/forcepoint99.html
new file mode 100644
index 000000000000..6eb36a616e26
--- /dev/null
+++ b/sw/qa/extras/layout/data/forcepoint99.html
Binary files differ
diff --git a/sw/qa/extras/layout/layout.cxx b/sw/qa/extras/layout/layout.cxx
index 97950bd8d497..81c1eb53e716 100644
--- a/sw/qa/extras/layout/layout.cxx
+++ b/sw/qa/extras/layout/layout.cxx
@@ -300,6 +300,14 @@ void SwLayoutWriter::testTdf118058()
pDoc->getIDocumentLayoutAccess().GetCurrentViewShell()->CalcLayout();
}
+//just care it doesn't crash/assert
+#if 0 // no createSwWebDoc
+CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepoint99)
+{
+ createSwWebDoc(DATA_DIRECTORY, "forcepoint99.html");
+}
+#endif
+
void SwLayoutWriter::testTdf117188()
{
createDoc("tdf117188.docx");
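Review bot: The new `testForcepoint99` is compiled out by `#if 0 // no createSwWebDoc`, so on this branch the added forcepoint99.html is never loaded and the use-after-free fix has no regression coverage. If the document cannot be loaded through a helper that does exist here, the guard comment should at least say when it can be enabled, for example `#if 0 // disabled on this branch: createSwWebDoc() is not available; enable once the helper is backported`. As written, a reader cannot tell whether the test was switched off on purpose or left behind by the cherry-pick.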
diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx
index 8f3f8284d850..f1b179518f4f 100755
--- a/sw/source/core/text/itrform2.cxx
+++ b/sw/source/core/text/itrform2.cxx
@@ -148,6 +148,16 @@ sal_uInt16 SwTextFormatter::GetFrameRstHeight() const
return sal_uInt16( nHeight );
}
+bool SwTextFormatter::ClearIfIsFirstOfBorderMerge(const SwLinePortion* pPortion)
+{
+ if (pPortion == m_pFirstOfBorderMerge)
+ {
+ m_pFirstOfBorderMerge = nullptr;
+ return true;
+ }
+ return false;
+}
+
SwLinePortion *SwTextFormatter::Underflow( SwTextFormatInfo &rInf )
{
// Save values and initialize rInf
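Review bot: `ClearIfIsFirstOfBorderMerge` is added without any comment stating its contract, both here and at its declaration in itrform2.hxx, where the neighbouring `MergeCharacterBorder` has a Doxygen block. Judging by the porlay.cxx call site, it exists so that code about to free a portion can drop the formatter's cached `m_pFirstOfBorderMerge` first. That ordering requirement is only recoverable from the commit message. I would put this above the declaration: `/// Call before deleting pPortion: resets m_pFirstOfBorderMerge if it points at pPortion. @return true if it was reset.` The commit message cites two earlier fixes for the same stale pointer, so recording the rule next to the member is worth the extra lines.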
@@ -276,11 +286,8 @@ SwLinePortion *SwTextFormatter::Underflow( SwTextFormatInfo &rInf )
SwLinePortion* pNext = pPor->GetPortion();
while (pNext)
{
- if (pNext == m_pFirstOfBorderMerge)
- {
- m_pFirstOfBorderMerge = nullptr;
+ if (ClearIfIsFirstOfBorderMerge(pNext))
break;
- }
pNext = pNext->GetPortion();
}
pPor->Truncate();
diff --git a/sw/source/core/text/itrform2.hxx b/sw/source/core/text/itrform2.hxx
index ff430b8616d1..08b0582b1569 100644
--- a/sw/source/core/text/itrform2.hxx
+++ b/sw/source/core/text/itrform2.hxx
@@ -239,6 +239,8 @@ public:
* @param rInf contain information
**/
void MergeCharacterBorder( SwLinePortion& rPortion, SwLinePortion const *pPrev, SwTextFormatInfo& rInf );
+
+ bool ClearIfIsFirstOfBorderMerge(SwLinePortion const *pPortion);
};
#endif
diff --git a/sw/source/core/text/porlay.cxx b/sw/source/core/text/porlay.cxx
index 1968e48a30ab..be7a30c3468d 100644
--- a/sw/source/core/text/porlay.cxx
+++ b/sw/source/core/text/porlay.cxx
@@ -369,7 +369,9 @@ void SwLineLayout::CalcLine( SwTextFormatter &rLine, SwTextFormatInfo &rInf )
if( !GetAscent() )
SetAscent( pPos->GetAscent() );
}
- delete pLast->Cut( pPos );
+ SwLinePortion* pPortion = pLast->Cut( pPos );
+ rLine.ClearIfIsFirstOfBorderMerge(pPortion);
+ delete pPortion;
pPos = pLast->GetPortion();
continue;
}
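Review bot: The call `rLine.ClearIfIsFirstOfBorderMerge(pPortion);` placed before `delete pPortion;` has no comment, and nothing at this site says why a layout routine has to notify the formatter before freeing a portion. A one-line comment such as `// rLine may still cache pPortion as its first-of-border-merge portion; drop that before freeing it` would keep a later cleanup from folding the three lines back into `delete pLast->Cut( pPos );`. The ASan report in the commit message shows the free in CalcLine and the later read in MergeCharacterBorder, so any other place in this function that deletes a portion presumably needs the same call. CalcLine starts and ends outside this hunk, so that cannot be checked from here.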