diff options
author | Caolán McNamara <caolanm@redhat.com> | 2022-04-01 16:52:06 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2022-05-17 15:47:05 +0200 |
commit | 9939fcca9cd495dd820fe8beef207b833cca000b (patch) | |
tree | 4ed20e3c70283119ee2371d0b2752d631543d0f4 | |
parent | forcepoint#93 fix crash on layout of specific rtf (diff) | |
download | core-9939fcca9cd495dd820fe8beef207b833cca000b.tar.gz core-9939fcca9cd495dd820fe8beef207b833cca000b.zip |
forcepoint#99 SwTextFormatter unaware that FirstOfBorderMerge was deleted
READ of size 8 at 0x606000a49e50 thread T0
#0 0x7f7ab6214bf5 in SwPosSize::Height() const /home/caolan/LibreOffice/core-asan/sw/source/core/text/possiz.hxx:49:37
#1 0x7f7ab636c311 in SwTextFormatter::MergeCharacterBorder(SwLinePortion&, SwLinePortion const*, SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:2807:43
#2 0x7f7ab636ae08 in SwTextFormatter::InsertPortion(SwTextFormatInfo&, SwLinePortion*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:354:13
#3 0x7f7ab6371db1 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:709:9
#4 0x7f7ab638b2ac in SwTextFormatter::FormatLine(o3tl::strong_int<int, Tag_TextFrameIndex>) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:1701:9
#5 0x7f7ab62a8ad1 in SwTextFrame::FormatLine(SwTextFormatter&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1212:44
#6 0x7f7ab62af1cc in SwTextFrame::Format_(SwTextFormatter&, SwTextFormatInfo&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1571:23
#7 0x7f7ab62b1f17 in SwTextFrame::Format_(OutputDevice*, SwParaPortion*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1743:5
#8 0x7f7ab62b5260 in SwTextFrame::Format(OutputDevice*, SwBorderAttrs const*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1932:17
#9 0x7f7ab5dbdabd in SwContentFrame::MakeAll(OutputDevice*) /home/caolan/LibreOffice/core-asan/sw/source/core/layout/calcmove.cxx:1514:17
0x606000a49e50 is located 16 bytes inside of 56-byte region [0x606000a49e40,0x606000a49e78)
freed by thread T0 here:
#0 0x4fe1f7 in operator delete(void*) (/home/caolan/LibreOffice/core-asan/instdir/program/soffice.bin+0x4fe1f7)
#1 0x7f7ab6486d35 in SwTextPortion::~SwTextPortion() /home/caolan/LibreOffice/core-asan/sw/source/core/text/portxt.hxx:26:7
#2 0x7f7ab63da0c9 in SwLineLayout::CalcLine(SwTextFormatter&, SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/porlay.cxx:430:21
#3 0x7f7ab6435413 in SwMultiPortion::CalcSize(SwTextFormatter&, SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/pormulti.cxx:75:15
#4 0x7f7ab6457749 in SwTextFormatter::BuildMultiPortion(SwTextFormatInfo&, SwMultiPortion&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/pormulti.cxx:2090:16
#5 0x7f7ab636f12c in SwTextFormatter::BuildPortions(SwTextFormatInfo&) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:550:21
#6 0x7f7ab638b2ac in SwTextFormatter::FormatLine(o3tl::strong_int<int, Tag_TextFrameIndex>) /home/caolan/LibreOffice/core-asan/sw/source/core/text/itrform2.cxx:1701:9
#7 0x7f7ab62a8ad1 in SwTextFrame::FormatLine(SwTextFormatter&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1212:44
#8 0x7f7ab62af1cc in SwTextFrame::Format_(SwTextFormatter&, SwTextFormatInfo&, bool) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1571:23
#9 0x7f7ab62b1f17 in SwTextFrame::Format_(OutputDevice*, SwParaPortion*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1743:5
#10 0x7f7ab62b5260 in SwTextFrame::Format(OutputDevice*, SwBorderAttrs const*) /home/caolan/LibreOffice/core-asan/sw/source/core/text/frmform.cxx:1932:17
#11 0x7f7ab5dbdabd in SwContentFrame::MakeAll(OutputDevice*) /home/caolan/LibreOffice/core-asan/sw/source/core/layout/calcmove.cxx:1514:17
similar seen in the past as:
commit 96acebb72211b4718eb3038c427df37b55b17b0b
Date: Tue May 14 01:49:03 2019 +0800
tdf#124937 reset m_pFirstOfBorderMerge before truncate.
commit ecd855794b22c0f7e6fb2f362b566c4d9c5f624a
Date: Mon Jan 15 22:29:31 2018 +0100
tdf#114536 sw: fix use-after-free in SwTextFormatter::MergeCharacterBorder()
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132439
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
(cherry picked from commit b46baea4d1cce81c56ee0d82fbdc352921445fa7)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132380
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 0a34ac386187c5ca328aebc27851c2a2ff38f293)
Change-Id: Iad855f382a0daf50dac2537d4a91bfeaa9ff3799
-rw-r--r-- | sw/qa/extras/layout/data/forcepoint99.html | bin | 0 -> 14034 bytes | |||
-rw-r--r-- | sw/qa/extras/layout/layout.cxx | 8 | ||||
-rw-r--r-- | sw/source/core/text/itrform2.cxx | 15 | ||||
-rw-r--r-- | sw/source/core/text/itrform2.hxx | 2 | ||||
-rw-r--r-- | sw/source/core/text/porlay.cxx | 4 |
5 files changed, 24 insertions, 5 deletions
diff --git a/sw/qa/extras/layout/data/forcepoint99.html b/sw/qa/extras/layout/data/forcepoint99.html Binary files differnew file mode 100644 index 000000000000..6eb36a616e26 --- /dev/null +++ b/sw/qa/extras/layout/data/forcepoint99.html diff --git a/sw/qa/extras/layout/layout.cxx b/sw/qa/extras/layout/layout.cxx index bd0e1b07223a..15ebaa608fd4 100644 --- a/sw/qa/extras/layout/layout.cxx +++ b/sw/qa/extras/layout/layout.cxx @@ -2331,6 +2331,14 @@ CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepoint94) } #endif +//just care it doesn't crash/assert +#if 0 // no createSwWebDoc +CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepoint99) +{ + createSwWebDoc(DATA_DIRECTORY, "forcepoint99.html"); +} +#endif + CPPUNIT_PLUGIN_IMPLEMENT(); /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx index f689bf2d962b..16fb91719651 100644 --- a/sw/source/core/text/itrform2.cxx +++ b/sw/source/core/text/itrform2.cxx @@ -143,6 +143,16 @@ sal_uInt16 SwTextFormatter::GetFrameRstHeight() const return sal_uInt16( nHeight ); } +bool SwTextFormatter::ClearIfIsFirstOfBorderMerge(const SwLinePortion* pPortion) +{ + if (pPortion == m_pFirstOfBorderMerge) + { + m_pFirstOfBorderMerge = nullptr; + return true; + } + return false; +} + SwLinePortion *SwTextFormatter::Underflow( SwTextFormatInfo &rInf ) { // Save values and initialize rInf @@ -271,11 +281,8 @@ SwLinePortion *SwTextFormatter::Underflow( SwTextFormatInfo &rInf ) SwLinePortion* pNext = pPor->GetNextPortion(); while (pNext) { - if (pNext == m_pFirstOfBorderMerge) - { - m_pFirstOfBorderMerge = nullptr; + if (ClearIfIsFirstOfBorderMerge(pNext)) break; - } pNext = pNext->GetNextPortion(); } pPor->Truncate(); diff --git a/sw/source/core/text/itrform2.hxx b/sw/source/core/text/itrform2.hxx index 2e6e88587bdc..573652148658 100644 --- a/sw/source/core/text/itrform2.hxx +++ b/sw/source/core/text/itrform2.hxx @@ -238,6 +238,8 @@ public: * @param rInf contain information **/ void MergeCharacterBorder( SwLinePortion& rPortion, SwLinePortion const *pPrev, SwTextFormatInfo& rInf ); + + bool ClearIfIsFirstOfBorderMerge(SwLinePortion const *pPortion); }; #endif diff --git a/sw/source/core/text/porlay.cxx b/sw/source/core/text/porlay.cxx index 06a4e5f4b7c7..f5bfeaf142e1 100644 --- a/sw/source/core/text/porlay.cxx +++ b/sw/source/core/text/porlay.cxx @@ -397,7 +397,9 @@ void SwLineLayout::CalcLine( SwTextFormatter &rLine, SwTextFormatInfo &rInf ) if( !GetAscent() ) SetAscent( pPos->GetAscent() ); } - delete pLast->Cut( pPos ); + SwLinePortion* pPortion = pLast->Cut( pPos ); + rLine.ClearIfIsFirstOfBorderMerge(pPortion); + delete pPortion; pPos = pLast->GetNextPortion(); continue; } |