From 4b493442cc81d988b95ddab1b818de0aa0e7b7f9 Mon Sep 17 00:00:00 2001 
From: Caolán McNamara Date: Mon, 12 Jul 2021 16:21:04 +0100 Subject: crashtesting: UaF on layout of ooo98566-1.odt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit in: sw/source/core/text/itrform2.cxx:2643 SwTextFormatter::NewFlyCntPortion at: pFly = static_cast(pHint)->GetFlyFrame(pFrame) (gdb) print m_pCurr $2 = (SwLineLayout *) 0x55ea220a0020 after calling GetFlyFrame m_pCurr is unchanged and we will call m_pCurr->MaxAscentDescent on it. But m_pCurr is deleted during GetFlyFrame by... #18 0x00007f98c5cd337f in SwLineLayout::~SwLineLayout() (this=this@entry=0x55ea220a0020, __in_chrg=) at source/libo-core/sw/source/core/text/portxt.hxx:26 #19 0x00007f98c5cd347a in SwParaPortion::~SwParaPortion() (this=0x55ea220a0020, __in_chrg=) at source/libo-core/sw/source/core/text/porlay.cxx:2491 #20 0x00007f98c5cd3485 in SwParaPortion::~SwParaPortion() (this=0x55ea220a0020, __in_chrg=) at source/libo-core/sw/source/core/text/porlay.cxx:2491 #21 0x00007f98c5d05e70 in std::default_delete::operator()(SwParaPortion*) const (__ptr=, this=) at /usr/include/c++/8/bits/unique_ptr.h:75 #22 0x00007f98c5d05e70 in std::unique_ptr >::reset(SwParaPortion*) (__p=, this=) at /usr/include/c++/8/bits/unique_ptr.h:382 #23 0x00007f98c5d05e70 in SwTextLine::SetPara(SwParaPortion*, bool) (bDelete=true, pNew=0x0, this=) at source/libo-core/sw/source/core/text/txtcache.hxx:45 #24 0x00007f98c5d05e70 in SwTextFrame::ClearPara() (this=this@entry=0x55ea21302b60) at source/libo-core/sw/source/core/text/txtcache.cxx:113 #25 0x00007f98c5d1be89 in SwTextFrame::Init() (this=this@entry=0x55ea21302b60) at source/libo-core/sw/source/core/text/txtfrm.cxx:757 #26 0x00007f98c5d2630c in SwTextFrame::Prepare(PrepareHint, void const*, bool) (this=0x55ea21302b60, ePrep=PrepareHint::FlyFrameArrive, pVoid=, bNotify=) at source/libo-core/sw/source/core/text/txtfrm.cxx:3086 #27 0x00007f98c5b1edb8 in SwFlyInContentFrame::NotifyBackground(SwPageFrame*, SwRect const&, PrepareHint) 
(this=, rRect=..., eHint=) at source/libo-core/sw/inc/anchoredobject.hxx:205 #28 0x00007f98c5b261a6 in Notify(SwFlyFrame*, SwPageFrame*, SwRect const&, SwRect const*) (pFly=pFly@entry=0x55ea21a18d60, pOld=0x0, rOld=SwRect = {...}, pOldPrt=pOldPrt@entry=0x7ffeb50390f8) at source/libo-core/sw/source/core/inc/frame.hxx:1177 #29 0x00007f98c5b2ceca in SwFlyNotify::~SwFlyNotify() (this=0x7ffeb50390d0, __in_chrg=) at source/libo-core/sw/source/core/layout/frmtool.cxx:648 #30 0x00007f98c5b1fa25 in SwFlyInContentFrame::MakeAll(OutputDevice*) (this=0x55ea21a18d60) at source/libo-core/sw/source/core/inc/frmtool.hxx:419 #31 0x00007f98c5aec3a9 in SwFrame::PrepareMake(OutputDevice*) (this=0x55ea21a18d60, pRenderContext=0x55ea212bc4c0) at source/libo-core/sw/source/core/layout/calcmove.cxx:375 #32 0x00007f98c5b17ad2 in SwFlyFrame::Calc(OutputDevice*) const (this=, pRenderContext=) at source/libo-core/sw/source/core/layout/fly.cxx:2890 #33 0x00007f98c5b636c5 in SwObjectFormatter::FormatLayout_(SwLayoutFrame&) (this=this@entry=0x55ea2244d150, _rLayoutFrame=...) at source/libo-core/include/rtl/ref.hxx:206 #34 0x00007f98c5b6413e in SwObjectFormatter::FormatObj_(SwAnchoredObject&) (this=this@entry=0x55ea2244d150, _rAnchoredObj=...) 
at source/libo-core/sw/source/core/layout/objectformatter.cxx:296 #35 0x00007f98c5b6705b in SwObjectFormatterTextFrame::DoFormatObj(SwAnchoredObject&, bool) (this=0x55ea2244d150, _rAnchoredObj=..., _bCheckForMovedFwd=) at source/libo-core/sw/source/core/layout/objectformattertxtfrm.cxx:136 #36 0x00007f98c5b6359f in SwObjectFormatter::FormatObj(SwAnchoredObject&, SwFrame*, SwPageFrame const*) (_rAnchoredObj=..., _pAnchorFrame=, _pPageFrame=) at source/libo-core/sw/source/core/layout/objectformatter.cxx:190 #37 0x00007f98c5d717aa in SwTextFlyCnt::GetFlyFrame_(SwFrame const*) (this=this@entry=0x55ea214d8810, pCurrFrame=pCurrFrame@entry=0x55ea21302b60) at source/libo-core/sw/source/core/inc/frame.hxx:1177 #38 0x00007f98c5cb511b in SwTextFlyCnt::GetFlyFrame(SwFrame const*) (pCurrFrame=0x55ea21302b60, this=0x55ea214d8810) at source/libo-core/sw/inc/txtflcnt.hxx:48 #39 0x00007f98c5cb511b in SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const (this=this@entry=0x7ffeb503a6b0, rInf=..., pHint=0x55ea214d8810) at source/libo-core/sw/source/core/text/itrform2.cxx:2643 (gdb) print this (SwLinePortion * const) 0x55ea220a0020 The SwTextFrame of SwTextFrame::ClearPara is the same pFrame/m_pFrame at SwTextFormatter::NewFlyCntPortion ClearPara is not called if the SwTextFrame is "Locked", so try using that to protect GetFlyFrame Change-Id: Ia9dcb1f345f6953d995f2acf1ec23492d1680364 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118784 Tested-by: Jenkins Tested-by: Caolán McNamara Reviewed-by: Caolán McNamara (cherry picked from commit 7e016df70d4ceb6c90ec5f1b129b50a65ff07505)
---
 sw/source/core/text/itrform2.cxx | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx
index e21c06c8fd23..8f3f8284d850 100755
--- a/sw/source/core/text/itrform2.cxx
+++ b/sw/source/core/text/itrform2.cxx
@@ -2520,7 +2520,11 @@ SwFlyCntPortion *SwTextFormatter::NewFlyCntPortion( SwTextFormatInfo &rInf,
 SwFlyInContentFrame *pFly;
 SwFrameFormat* pFrameFormat = static_cast(pHint)->GetFlyCnt().GetFrameFormat();
 if( RES_FLYFRMFMT == pFrameFormat->Which() )
+{
+// set Lock pFrame to avoid m_pCurr getting deleted
+TextFrameLockGuard aGuard(m_pFrame);
 pFly = static_cast(pHint)->GetFlyFrame(pFrame);
+}
 else
 pFly = nullptr;
 // aBase is the document-global position, from which the new extra portion is placed
-- cgit
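Review bot: The added comment on the new `{` block says what the guard does but not why it is enough: per the commit message, GetFlyFrame can re-enter SwTextFrame::Prepare(FlyFrameArrive) on this same frame, which calls Init()/ClearPara() and deletes the SwParaPortion that m_pCurr points into, and m_pCurr is dereferenced (MaxAscentDescent) right after this block; ClearPara is skipped only while the frame is locked. I would expand it to `// Lock m_pFrame: GetFlyFrame may re-enter SwTextFrame::Prepare(FlyFrameArrive), whose ClearPara() would delete m_pCurr, still used below`. The guard locks m_pFrame while the call passes pFrame; the commit message says these are the same frame, but the alias is declared outside the hunk, so passing m_pFrame to GetFlyFrame (or an `assert(pFrame == m_pFrame);` before the call) would make the invariant the lock relies on visible at the call site. Only the if-branch gained braces while `else pFly = nullptr;` stays unbraced; bracing both keeps the style consistent. NewFlyCntPortion begins and ends outside the hunk.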