From 382b82541a2e4d83197bd0b20fc5fc40bb4313e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Thu, 15 Sep 2022 11:30:54 +0100
Subject: [PATCH] cid#1500440 Use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
this is the inline starmath editing where you can edit the formula directly in the view window instead of the command window. Currently requires experimental to be enabled. reproduce by clicking in initially empty formula and enter a character. In practice the deleted pos.pSelectedNode is not actually used-after-free in SmCursor::FindPositionInLineList because it is not found by the std::find of pLineList.
Change-Id: I57476a8eb073914099c5026dd33dc75b20288d52
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/140003
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
---
 starmath/source/cursor.cxx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/starmath/source/cursor.cxx b/starmath/source/cursor.cxx
index 52621d360c80..fc1e3c5ecb7b 100644
--- a/starmath/source/cursor.cxx
+++ b/starmath/source/cursor.cxx
@@ -303,6 +303,7 @@ void SmCursor::InsertNodes(std::unique_ptr pNewNodes){
 //Find top most of line that holds position
 SmNode* pLine = FindTopMostNodeInLine(pos.pSelectedNode);
+ const bool bSelectedIsTopMost = pLine == pos.pSelectedNode;
 //Find line parent and line index in parent
 SmStructureNode* pLineParent = pLine->GetParent();
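Review bot: The new `bSelectedIsTopMost` declaration has to stay above the `NodeToList` call further down in InsertNodes, yet nothing at the declaration says so. A later tidy-up that moves or inlines the comparison next to its use would compare against a pointer that may already have been freed, which is the defect this commit removes. A one-line comment would pin the ordering, e.g. `// evaluate before NodeToList(): pLine may be freed there`. The function body starts and ends outside this hunk.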
@@ -311,10 +312,11 @@ void SmCursor::InsertNodes(std::unique_ptr pNewNodes){
 //Convert line to list
 std::unique_ptr pLineList(new SmNodeList);
- NodeToList(pLine, *pLineList);
+ NodeToList(pLine, *pLineList); // deletes pLine, potentially deleting pos.pSelectedNode
 //Find iterator for place to insert nodes
- SmNodeList::iterator it = FindPositionInLineList(pLineList.get(), pos);
+ SmNodeList::iterator it = bSelectedIsTopMost ? pLineList->begin()
+ : FindPositionInLineList(pLineList.get(), pos);
 //Insert all new nodes
 SmNodeList::iterator newIt,
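Review bot: On the `bSelectedIsTopMost` path `pos.pSelectedNode` is still a dangling pointer after `NodeToList`, and `pos` stays in scope for the rest of InsertNodes, which continues past this hunk. The ternary only avoids the one read inside `FindPositionInLineList`; any later use of `pos.pSelectedNode` would bring the use-after-free back. If `pos` is a local copy, clearing it right after the call (`if (bSelectedIsTopMost) pos.pSelectedNode = nullptr;`) would make such a read fail visibly instead of touching freed memory. The choice of `pLineList->begin()` also deserves a short comment, e.g. `// selected node was the line itself and is not in the list; insert at the front`, since whatever offset `pos` carries appears to be ignored on this path.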