mir/libreoffice
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ASan heap-use-after-free

Browse Source 
...when opening a document via "File - Open..." with "Tools - Options... -
LibreOffice - General - Open/Save Dialogs - Use LibreOffice dialogs" enabled:

> ==7004==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700023a370 at pc 0x7f88c788db4a bp 0x7ffd8c7d0020 sp 0x7ffd8c7d0018
> READ of size 8 at 0x61700023a370 thread T0
>  #0 in rtl::Reference<PlacesListBox>::get() const at include/rtl/ref.hxx:171:16
>  #1 in VclPtr<PlacesListBox>::operator bool() const at include/vcl/vclptr.hxx:187:28
>  #2 in CustomContainer::GetFocus() at fpicker/source/office/iodlg.cxx:433:39
>  #3 in vcl::Window::CompatGetFocus() at vcl/source/window/window.cxx:3731:5
>  #4 in vcl::Window::ImplGrabFocus(GetFocusFlags) at vcl/source/window/mouse.cxx:380:17
>  #5 in vcl::Window::GrabFocus() at vcl/source/window/window.cxx:2991:5
>  #6 in vcl::Window::dispose() at vcl/source/window/window.cxx:448:26
>  #7 in Control::dispose() at vcl/source/control/ctrl.cxx:62:13
>  #8 in SvtFileView::dispose() at svtools/source/contnr/fileview.cxx:879:14
[...]
> 0x61700023a370 is located 496 bytes inside of 648-byte region [0x61700023a180,0x61700023a408)
> freed by thread T0 here:
>  #0 in operator delete(void*, unsigned long) at llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3
>  #1 in std::default_delete<SvtExpFileDlg_Impl>::operator()(SvtExpFileDlg_Impl*) const at gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/10.0.0/../../../../include/c++/10.0.0/bits/unique_ptr.h:81:2
>  #2 in std::__uniq_ptr_impl<SvtExpFileDlg_Impl, std::default_delete<SvtExpFileDlg_Impl> >::reset(SvtExpFileDlg_Impl*) at gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/10.0.0/../../../../include/c++/10.0.0/bits/unique_ptr.h:178:4
>  #3 in std::unique_ptr<SvtExpFileDlg_Impl, std::default_delete<SvtExpFileDlg_Impl> >::reset(SvtExpFileDlg_Impl*) at gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/10.0.0/../../../../include/c++/10.0.0/bits/unique_ptr.h:444:7
>  #4 in SvtFileDialog::dispose() at fpicker/source/office/iodlg.cxx:523:11
[...]

Change-Id: I022eac69123d87f75bda5067a672496030e1a8ec
Reviewed-on: https://gerrit.libreoffice.org/78199
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
This commit is contained in:
Stephan Bergmann
2019-08-27 16:41:39 +02:00
parent 084a263049
commit 83c004d9b8
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
fpicker/source/office/iodlg.cxx
View File

@@ -520,8 +520,8 @@ void SvtFileDialog::dispose()
batch->commit();
}
pImpl.reset();
_pFileView.disposeAndClear();
pImpl.reset();
_pSplitter.disposeAndClear();
_pContainer.disposeAndClear();
_pPrevBmp.disposeAndClear();