author | Michael Stahl <mstahl@redhat.com> | 2015-01-09 22:48:06 +0100 |
---|---|---|
committer | Michael Stahl <mstahl@redhat.com> | 2015-01-10 01:16:47 +0100 |
commit | c6dc3b9f9adb292ae42ba246082bc9dcb1445c6c (patch) | |
tree | a0979c5fb611a38aa25171879c957d807432826b /sc | |
parent | vcl: CairoTextRender::nTextColor_ to mnTextColor (diff) | |
sc: fix use-after-free race in ScCellRangesBase
Probably 03cca068ed901d1862c440a6f414d17609785974 was not sufficient,
because the ~ScCellRangesBase may access a deleted ScDocument after the
early return.
READ of size 8 at 0x61b000191cb0 thread T7 (cppu_threadpool)
#0 0x2b3c8fd7c8b3 in ScDocument::RemoveUnoObject(SfxListener&) sc/source/core/data/documen3.cxx:863:9
#1 0x2b3c94517824 in ScCellRangesBase::~ScCellRangesBase() sc/source/ui/unoobj/cellsuno.cxx:1467:9
#2 0x2b3c9459cf98 in ScCellRangeObj::~ScCellRangeObj() sc/source/ui/unoobj/cellsuno.cxx:4786:1
#3 0x2b3c945eca28 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1
#4 0x2b3c945ecef1 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6087:1
#5 0x2b3c945ed093 in non-virtual thunk to ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1
#6 0x2b3c56cb35ec in cppu::OWeakObject::release() cppuhelper/source/weak.cxx:205:9
#7 0x2b3c94523d63 in ScCellRangesBase::release() sc/source/ui/unoobj/cellsuno.cxx:1772:5
#8 0x2b3c945a77ec in ScCellRangeObj::release() sc/source/ui/unoobj/cellsuno.cxx:4835:5
#9 0x2b3c945f842c in ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6128:5
#10 0x2b3c945fb953 in non-virtual thunk to ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6129:1
#11 0x2b3c7f305faa in bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*) bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:42:5
freed by thread T14 (cppu_threadpool) here:
#0 0x43436b in operator delete(void*) (/data/lo/build_clang/instdir/program/soffice.bin+0x43436b)
#1 0x2b3c9382462e in ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2722:1
#2 0x2b3c93824d46 in virtual thunk to ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2755:1
#3 0x2b3c58e2058a in SvRefBase::ReleaseRef() include/tools/ref.hxx:194:29
#4 0x2b3c58e12726 in tools::SvRef<SfxObjectShell>::~SvRef() include/tools/ref.hxx:52:24
#5 0x2b3c5a8a8f99 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:247:5
#6 0x2b3c5a8a9141 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:246:5
#7 0x2b3c5a7b1905 in SfxBaseModel::dispose() sfx2/source/doc/sfxbasemodel.cxx:795:5
#8 0x2b3c5a7c8146 in SfxBaseModel::close(unsigned char) sfx2/source/doc/sfxbasemodel.cxx:1418:5
Change-Id: Ia041dc6596d1b0b6b979a20fa93e1490c657e15b
Diffstat (limited to 'sc')
-rw-r--r-- | sc/source/ui/unoobj/cellsuno.cxx | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sc/source/ui/unoobj/cellsuno.cxx b/sc/source/ui/unoobj/cellsuno.cxx
index 5228babdefe7..6d1e54a06395 100644
--- a/sc/source/ui/unoobj/cellsuno.cxx
+++ b/sc/source/ui/unoobj/cellsuno.cxx
@@ -1550,6 +1550,12 @@ void ScCellRangesBase::Notify( SfxBroadcaster&, const SfxHint& rHint )
 uno::Reference<uno::XInterface> const xThis(m_wThis);
 if (!xThis.is())
 { // fdo#72695: if UNO object is already dead, don't revive it with event
+ if (dynamic_cast<const SfxSimpleHint*>(&rHint) &&
+ SFX_HINT_DYING == static_cast<const SfxSimpleHint&>(rHint).GetId())
+ { // if the document dies, must reset to avoid crash in dtor!
+ ForgetCurrentAttrs();
+ pDocShell = nullptr;
+ }
 return;
 }
 if ( dynamic_cast<const ScUpdateRefHint*>(&rHint) ) |
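Review bot: The new early-return branch clears `pDocShell` so the destructor will not touch a freed ScDocument, but nothing in the hunk shows that this write and the destructor's read of `pDocShell` are serialized, and the ASan report in the commit message has the release and the free on different threads (T7 and T14). If Notify() and ~ScCellRangesBase() do not both run under the same lock, the change narrows the use-after-free window rather than closing it, so I would state the assumption at the branch, e.g. `// relies on Notify() and the dtor holding the same mutex; otherwise the dtor can still see a stale pDocShell`. As a smaller point, the `dynamic_cast` test followed by a `static_cast` of the same reference can be a single cast: `auto const pSimple = dynamic_cast<const SfxSimpleHint*>(&rHint);` then `if (pSimple && SFX_HINT_DYING == pSimple->GetId())`. Notify()'s body starts before and continues after the hunk, so whether a later branch already handles SFX_HINT_DYING the same way (and could share a helper) is not visible here.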