cid#1500440 Use after free

this is the inline starmath editing where you can edit the formula directly in the view window instead of the command window. Currently requires experimental to be enabled. reproduce by clicking in initially empty formula and enter a character. In practice the deleted pos.pSelectedNode is not actually used-after-free in SmCursor::FindPositionInLineList because it is not found by the std::find of pLineList. Change-Id: I57476a8eb073914099c5026dd33dc75b20288d52 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/140003 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
2022-09-15 11:30:54 +01:00
parent 0d8813dc5c
commit 382b82541a
1 changed files with 4 additions and 2 deletions
--- a/starmath/source/cursor.cxx
+++ b/starmath/source/cursor.cxx
@@ -303,6 +303,7 @@ void SmCursor::InsertNodes(std::unique_ptr<SmNodeList> pNewNodes){

    //Find top most of line that holds position
    SmNode* pLine = FindTopMostNodeInLine(pos.pSelectedNode);
+    const bool bSelectedIsTopMost = pLine == pos.pSelectedNode;

    //Find line parent and line index in parent
    SmStructureNode* pLineParent = pLine->GetParent();
@@ -311,10 +312,11 @@ void SmCursor::InsertNodes(std::unique_ptr<SmNodeList> pNewNodes){

    //Convert line to list
    std::unique_ptr<SmNodeList> pLineList(new SmNodeList);
-    NodeToList(pLine, *pLineList);
+    NodeToList(pLine, *pLineList); // deletes pLine, potentially deleting pos.pSelectedNode

    //Find iterator for place to insert nodes
-    SmNodeList::iterator it = FindPositionInLineList(pLineList.get(), pos);
+    SmNodeList::iterator it = bSelectedIsTopMost ? pLineList->begin()
+                                                 : FindPositionInLineList(pLineList.get(), pos);

    //Insert all new nodes
    SmNodeList::iterator newIt,