From ac6c7b4f826f053ce0ebe496b906a963c8c52342 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Mon, 28 Apr 2025 21:29:09 +0100
Subject: [PATCH] ofz#409354664 Heap-use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

there is no DeInitVCL in fuzzing, so if the BufferedDecompositionFlusher thread is started nothing causes it to exit before _exit.

Change-Id: I62463ce8126a0cf0c67f4218bdf66a140f3a021d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/184731
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
---
 .../primitive2d/BufferedDecompositionGroupPrimitive2D.cxx | 8 ++++++++
 .../primitive2d/BufferedDecompositionPrimitive2D.cxx | 8 ++++++++
 .../primitive2d/BufferedDecompositionGroupPrimitive2D.hxx | 2 +-
 .../primitive2d/BufferedDecompositionPrimitive2D.hxx | 2 +-
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/drawinglayer/source/primitive2d/BufferedDecompositionGroupPrimitive2D.cxx b/drawinglayer/source/primitive2d/BufferedDecompositionGroupPrimitive2D.cxx
index 0662bc155187..ae83c158f2ba 100644
--- a/drawinglayer/source/primitive2d/BufferedDecompositionGroupPrimitive2D.cxx
+++ b/drawinglayer/source/primitive2d/BufferedDecompositionGroupPrimitive2D.cxx
@@ -19,6 +19,7 @@
 #include
+#include
 #include
 #include
 #include
@@ -97,6 +98,13 @@ void BufferedDecompositionGroupPrimitive2D::get2DDecomposition(
 }
 }
+void BufferedDecompositionGroupPrimitive2D::activateFlushOnTimer()
+{
+ if (comphelper::IsFuzzing())
+ return;
+ mbFlushOnTimer = true;
+}
+
 } // end of namespace drawinglayer::primitive2d
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/drawinglayer/source/primitive2d/BufferedDecompositionPrimitive2D.cxx b/drawinglayer/source/primitive2d/BufferedDecompositionPrimitive2D.cxx
index f51f37c85966..491c1fe07665 100644
--- a/drawinglayer/source/primitive2d/BufferedDecompositionPrimitive2D.cxx
+++ b/drawinglayer/source/primitive2d/BufferedDecompositionPrimitive2D.cxx
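Review bot: The early return added in `BufferedDecompositionGroupPrimitive2D::activateFlushOnTimer` carries no comment, so the reason fuzzing builds never arm the timer flush lives only in the commit message; suggest placing `// Fuzzers never run DeInitVCL, so a started BufferedDecompositionFlusher thread would still be alive at _exit and touch freed primitives (ofz#409354664); keep the timer path off.` above the `if`. This is a fuzz-build-only mitigation rather than a fix of the lifetime coupling: the flusher thread is presumably still stopped only by DeInitVCL, so any other shutdown path that skips it would hit the same use-after-free, which is worth a sentence in that comment. It also means the timer-driven flush is no longer exercised by the fuzzers at all; if that coverage matters, stopping the flusher in the fuzzer teardown would be the alternative.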
@@ -19,6 +19,7 @@
 #include
+#include
 #include
 #include
 #include
@@ -96,6 +97,13 @@ void BufferedDecompositionPrimitive2D::get2DDecomposition(
 }
 }
+void BufferedDecompositionPrimitive2D::activateFlushOnTimer()
+{
+ if (comphelper::IsFuzzing())
+ return;
+ mbFlushOnTimer = true;
+}
+
 } // end of namespace drawinglayer::primitive2d
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/include/drawinglayer/primitive2d/BufferedDecompositionGroupPrimitive2D.hxx b/include/drawinglayer/primitive2d/BufferedDecompositionGroupPrimitive2D.hxx
index 0956dd51ac81..fd50fb20ffd1 100644
--- a/include/drawinglayer/primitive2d/BufferedDecompositionGroupPrimitive2D.hxx
+++ b/include/drawinglayer/primitive2d/BufferedDecompositionGroupPrimitive2D.hxx
@@ -64,7 +64,7 @@ protected:
 // callback mechanism to flush buffered content timer-based will be activated.
 // it is protected since the idea is that this gets called in the constructor
 // of derived classes.
- void activateFlushOnTimer() { mbFlushOnTimer = true; }
+ void activateFlushOnTimer();
 public:
 /// constructor/destructor. For GroupPrimitive2D we need the child parameter, too.
diff --git a/include/drawinglayer/primitive2d/BufferedDecompositionPrimitive2D.hxx b/include/drawinglayer/primitive2d/BufferedDecompositionPrimitive2D.hxx
index bc24a51a5fb4..126f5dc2f8cb 100644
--- a/include/drawinglayer/primitive2d/BufferedDecompositionPrimitive2D.hxx
+++ b/include/drawinglayer/primitive2d/BufferedDecompositionPrimitive2D.hxx
@@ -92,7 +92,7 @@ protected:
 // callback mechanism to flush buffered content timer-based will be activated.
 // it is protected since the idea is that this gets called in the constructor
 // of derived classes.
- void activateFlushOnTimer() { mbFlushOnTimer = true; }
+ void activateFlushOnTimer();
 public:
 // constructor/destructor
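Review bot: The comment kept above `void activateFlushOnTimer();` in BufferedDecompositionPrimitive2D.hxx still states that the timer-based flush "will be activated", which the new out-of-line definition no longer guarantees: under comphelper::IsFuzzing() it returns without setting mbFlushOnTimer. Derived-class constructors that call it should not assume the flag is set afterwards, so extend that comment line to `// callback mechanism to flush buffered content timer-based will be activated (no-op in fuzzing builds, where nothing would stop the flusher thread before _exit).` The same now-stale sentence sits in BufferedDecompositionGroupPrimitive2D.hxx in the hunk above and should get the identical wording.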