sw: fix crash in SwLayoutFrame::GetContentPos

FindPageFrame might return nullptr See https://crashreport.libreoffice.org/stats/signature/SwLayoutFrame::GetContentPos(Point%20&,bool,bool,SwCursorMoveState%20*,bool) Change-Id: Ic69d26de4ab234ebd6283ace640d689f0ebe8eb3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/136307 Tested-by: Jenkins Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org> (cherry picked from commit 7500c243fea02acbeaddf91f6b48a53d698c1cab) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/136383 Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Xisco Fauli <xiscofauli@libreoffice.org> 2022-06-23 12:27:34 +0200
committer: Caolán McNamara <caolanm@redhat.com> 2022-06-25 21:22:42 +0200
commit: e8763ec437f66926196707b803c60dc7032e6e0c (patch)
tree: 9c01cda97d2ee49db6fa6dff634515ed11d7a59b
parent: external/liborcus: Fix heap-buffer-overflow (diff)
download: core-e8763ec437f66926196707b803c60dc7032e6e0c.tar.gz
core-e8763ec437f66926196707b803c60dc7032e6e0c.zip
1 files changed, 19 insertions, 5 deletions
diff --git a/sw/source/core/layout/trvlfrm.cxx b/sw/source/core/layout/trvlfrm.cxx
index 6942dab6a2ba..375b9fe34fd6 100644
--- a/sw/source/core/layout/trvlfrm.cxx
+++ b/sw/source/core/layout/trvlfrm.cxx
@@ -1290,13 +1290,22 @@ const SwContentFrame *SwLayoutFrame::GetContentPos( Point& rPoint,
                     if( !pStart->GetPrev()->IsLayoutFrame() )
                         return nullptr;
                     pStart = static_cast<const SwLayoutFrame*>(pStart->GetPrev());
-                    pContent = pStart->IsInDocBody()
-                                ? pStart->ContainsContent()
-                                : pStart->FindPageFrame()->FindFirstBodyContent();
+                    if( pStart->IsInDocBody() )
+                        pContent = pStart->ContainsContent();
+                    else
+                    {
+                        const SwPageFrame *pPage = pStart->FindPageFrame();
+                        if( !pPage )
+                            return nullptr;
+                        pContent = pPage->FindFirstBodyContent();
+                    }
                 }
                 if ( !pContent )  // Somewhere down the road we have to start with one!
                 {
-                    pContent = pStart->FindPageFrame()->GetUpper()->ContainsContent();
+                    const SwPageFrame *pPage = pStart->FindPageFrame();
+                    if( !pPage )
+                        return nullptr;
+                    pContent = pPage->GetUpper()->ContainsContent();
                     while ( pContent && !pContent->IsInDocBody() )
                         pContent = pContent->GetNextContentFrame();
                     if ( !pContent )
@@ -1314,7 +1323,12 @@ const SwContentFrame *SwLayoutFrame::GetContentPos( Point& rPoint,
                     pContent = pStart->ContainsContent();
                 }
                 else // Somewhere down the road we have to start with one!
-                    pContent = pStart->FindPageFrame()->GetUpper()->ContainsContent();
+                {
+                    const SwPageFrame *pPage = pStart->FindPageFrame();
+                    if( !pPage )
+                        return nullptr;
+                    pContent = pPage->GetUpper()->ContainsContent();
+                }
             }
             pActual = pContent;
         }
author	Xisco Fauli <xiscofauli@libreoffice.org>	2022-06-23 12:27:34 +0200
committer	Caolán McNamara <caolanm@redhat.com>	2022-06-25 21:22:42 +0200
commit	e8763ec437f66926196707b803c60dc7032e6e0c (patch)
tree	9c01cda97d2ee49db6fa6dff634515ed11d7a59b
parent	external/liborcus: Fix heap-buffer-overflow (diff)
download	core-e8763ec437f66926196707b803c60dc7032e6e0c.tar.gz core-e8763ec437f66926196707b803c60dc7032e6e0c.zip