Date: prev next · Thread: first prev next last
2012 Archives by date, by thread · List index 


 Hello,

 please review and backport to 3-5 and 3-5-5 the attached patch.

 It is a stripped down version of a revert 
(http://cgit.freedesktop.org/libreoffice/core/commit/?id=831c2d9528) and 
rewrite (http://cgit.freedesktop.org/libreoffice/core/commit/?id=886e29cff7) 
in master, but I don't feel confident enough about the rewrite for a backport 
at this point, so the patch is just a band-aid. The current 3-5 code has a 
use-after-delete problem caused by the fact that it's not possible to take 
out a pointer out of a shared_ptr based container.

-- 
 Lubos Lunak
 l.lunak@suse.cz

From 00ac1a517542af6417f0483e8cdfcd0d14469dd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= <l.lunak@suse.cz>
Date: Tue, 19 Jun 2012 15:08:21 +0200
Subject: [PATCH] avoid a crash because of shared_ptr ownership

Change-Id: Ib12a80d9806d995d161d4ee71fa2b7e69eb944ea
---
 oox/inc/oox/vml/vmlshapecontainer.hxx    |    2 +-
 oox/source/shape/ShapeContextHandler.cxx |    2 +-
 oox/source/vml/vmlshapecontainer.cxx     |    6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/oox/inc/oox/vml/vmlshapecontainer.hxx b/oox/inc/oox/vml/vmlshapecontainer.hxx
index 9b11c6c..49c3980 100644
--- a/oox/inc/oox/vml/vmlshapecontainer.hxx
+++ b/oox/inc/oox/vml/vmlshapecontainer.hxx
@@ -93,7 +93,7 @@ public:
     const ShapeBase*    findShape( const Functor& rFunctor ) const;
 
     /** Returns and removes the last shape in the collection (Word only). */
-    const ShapeBase*    takeLastShape();
+    boost::shared_ptr< ShapeBase > takeLastShape();
 
     /** Creates and inserts all UNO shapes into the passed container. */
     void                convertAndInsert(
diff --git a/oox/source/shape/ShapeContextHandler.cxx b/oox/source/shape/ShapeContextHandler.cxx
index 3234238..04edd85 100644
--- a/oox/source/shape/ShapeContextHandler.cxx
+++ b/oox/source/shape/ShapeContextHandler.cxx
@@ -244,7 +244,7 @@ ShapeContextHandler::getShape() throw (uno::RuntimeException)
         if ( getContextHandler() == getDrawingShapeContext() )
         {
             mpDrawing->finalizeFragmentImport();
-            if( const ::oox::vml::ShapeBase* pShape = mpDrawing->getShapes().takeLastShape() )
+            if( boost::shared_ptr< ::oox::vml::ShapeBase > pShape = 
mpDrawing->getShapes().takeLastShape() )
                 xResult = pShape->convertAndInsert( xShapes );
         }
         else if (mpShape.get() != NULL)
diff --git a/oox/source/vml/vmlshapecontainer.cxx b/oox/source/vml/vmlshapecontainer.cxx
index 9502e4c..1d16a97 100644
--- a/oox/source/vml/vmlshapecontainer.cxx
+++ b/oox/source/vml/vmlshapecontainer.cxx
@@ -118,12 +118,12 @@ const ShapeBase* ShapeContainer::getShapeById( const OUString& rShapeId, bool 
bD
    return 0;
 }
 
-const ShapeBase* ShapeContainer::takeLastShape()
+boost::shared_ptr< ShapeBase > ShapeContainer::takeLastShape()
 {
     assert( mrDrawing.getType() == VMLDRAWING_WORD );
     if( maShapes.empty())
-        return NULL;
-    const ShapeBase* ret = maShapes.back().get();
+        return boost::shared_ptr< ShapeBase >();
+    boost::shared_ptr< ShapeBase > ret = maShapes.back();
     maShapes.pop_back();
     return ret;
 }
-- 
1.7.7

Context

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.