https://bz.apache.org/ooo/show_bug.cgi?id=120706
dam...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dam...@apache.org
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |CONFIRMED
Latest Confirmation on|---                      |4.2.0-dev

--- Comment #3 from dam...@apache.org ---
Confirming on FreeBSD with those tables.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 80cc06400 (LWP 100446/soffice.bin)]
0x0000000823936572 in dbaccess::ORowSet::impl_restoreDataColumnsWriteable_throw (this=0x81ef18a00) at RowSet.cxx:1270
1270            (*aIter)->setPropertyValue(PROPERTY_ISREADONLY,makeAny((sal_Bool)*aReadIter ));
Current language:  auto; currently c++
(gdb) bt
#0  0x0000000823936572 in dbaccess::ORowSet::impl_restoreDataColumnsWriteable_throw (this=0x81ef18a00) at RowSet.cxx:1270
#1  0x0000000823939f95 in dbaccess::ORowSet::impl_setDataColumnsWriteable_throw (this=0x81ef18a00) at RowSet.cxx:1250
#2  0x0000000823939de5 in dbaccess::ORowSet::moveToInsertRow (this=0x81ef18a00) at RowSet.cxx:1226
#3  0x000000082393a4ec in non-virtual thunk to dbaccess::ORowSet::moveToInsertRow() (this=0x81ef18a90) at RowSet.cxx:1246
#4  0x000000082408eb55 in frm::ODatabaseForm::executeRowSet (this=0x81edb7700, _rClearForNotifies=@0x7fffffff9558, bMoveToFirst=1 '\001', _rxCompletionHandler=@0x7fffffff95b0) at DatabaseForm.cxx:1303
#5  0x0000000824099b4f in frm::ODatabaseForm::reload_impl (this=0x81edb7700, bMoveToFirst=1 '\001', _rxCompletionHandler=@0x7fffffff95b0) at DatabaseForm.cxx:3018
#6  0x000000082409b6e3 in frm::ODatabaseForm::reload (this=0x81edb7700) at DatabaseForm.cxx:2983
#7  0x000000082409b77c in non-virtual thunk to frm::ODatabaseForm::reload() (this=0x81edb7940) at DatabaseForm.cxx:2984
#8  0x0000000822e83995 in dbaui::SbaXDataBrowserController::reloadForm (this=0x81edd3e00, _rxLoadable=@0x7fffffff9c48) at brwctrlr.cxx:727
#9  0x0000000822ecd13d in dbaui::SbaTableQueryBrowser::implLoadAnything (this=0x81edd3e00, _rDataSourceName=@0x7fffffffa1c0, _rCommand=@0x7fffffffa3e8, _nCommandType=0, _bEscapeProcessing=1 '\001', _rxConnection=@0x81efad718) at unodatbr.cxx:2468
#10 0x0000000822ec958d in dbaui::SbaTableQueryBrowser::implSelect (this=0x81edd3e00, _pEntry=0x8bd90cb68) at unodatbr.cxx:2760
#11 0x0000000822ece558 in dbaui::SbaTableQueryBrowser::OnSelectionChange (this=0x81edd3e00) at unodatbr.cxx:2562
#12 0x0000000822eac328 in dbaui::SbaTableQueryBrowser::LinkStubOnSelectionChange (pThis=0x81edd3e00, pCaller=0x0) at unodatbr.cxx:2560
#13 0x0000000822c11c87 in Link::Call (this=0x81ed9dd40, pCaller=0x0) at link.hxx:135
#14 0x0000000822fbbc4a in dbaui::DBTreeListBox::OnTimeOut (this=0x81ed9d808) at dbtreelistbox.cxx:743
#15 0x0000000822fb84c8 in dbaui::DBTreeListBox::LinkStubOnTimeOut (pThis=0x81ed9d808, pCaller=0x81ed9dcc0) at dbtreelistbox.cxx:739
#16 0x000000080500b0e5 in Timer::ImplTimerCallbackProc () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#17 0x000000080d0264dd in GtkXLib::timeoutFn () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvclplug_gtk.so
#18 0x000000080d026476 in call_timeoutFn () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvclplug_gtk.so
#19 0x000000080e585d04 in g_list_sort_with_data () from /usr/local/lib/libglib-2.0.so.0
#20 0x000000080e589592 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.0
#21 0x000000080e5898e7 in g_main_context_pending () from /usr/local/lib/libglib-2.0.so.0
#22 0x000000080e589974 in g_main_context_iteration () from /usr/local/lib/libglib-2.0.so.0
#23 0x000000080d0267e3 in GtkXLib::Yield () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvclplug_gtk.so
#24 0x0000000805007348 in ImplYield () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#25 0x0000000805004a20 in Application::Execute () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#26 0x0000000800c84c76 in desktop::Desktop::Main (this=0x7fffffffb238) at app.cxx:2232
#27 0x0000000805009da6 in ImplSVMain () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#28 0x000000080500ac4e in SVMain () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#29 0x0000000800cce2c8 in soffice_main () at sofficemain.cxx:45
#30 0x00000000004011d9 in sal_main () at main.c:31
#31 0x00000000004011b7 in main (argc=1, argv=0x7fffffffb330) at main.c:30

RowSet.cxx:1270 is the line inside the for loop:

    TDataColumns::iterator aIter = m_aDataColumns.begin();
    ::std::bit_vector::iterator aReadIter = m_aReadOnlyDataColumns.begin();
    for(;aReadIter != m_aReadOnlyDataColumns.end();++aIter,++aReadIter)
    {
        (*aIter)->setPropertyValue(PROPERTY_ISREADONLY,makeAny((sal_Bool)*aReadIter ));
    }

Since the for loop checks aReadIter but not aIter, when aIter is smaller, aIter loops beyond m_aDataColumns.end(), so the (*aIter) accesses invalid memory.

m_aReadOnlyDataColumns is resized in ORowSet::impl_setDataColumnsWriteable_throw() to match m_aDataColumns, but ORowSet::impl_restoreDataColumnsWriteable_throw() can also be called directly, without going through that method first. Clearly, they need to be kept in sync. Since m_aDataColumns is cleared in ORowSet::freeResources(), m_aReadOnlyDataColumns needs to be cleared there too.

ORowSet::execute_NoApprove_NoNewConn() grows m_aDataColumns, but ORowSet::freeResources() is always called before it, and m_aDataColumns.size() > m_aReadOnlyDataColumns.size() won't crash, so patching ORowSet::freeResources() is sufficient.

--
You are receiving this mail because:
You are on the CC list for the issue.
You are the assignee for the issue.
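The hazard described in comment #3 is two parallel containers that are supposed to have the same length, with a loop bounded by only one of them. The following is an added example, not Apache OpenOffice code: a small stand-alone model of m_aDataColumns and m_aReadOnlyDataColumns (here dataColumns and readOnlyDataColumns, with a hypothetical Column struct in place of the real column objects) that replays the sequence the comment describes, namely execute, make writeable, free resources, execute again with a different table, then restore directly. The unchecked loop is written to count the dereferences that would go past the end instead of performing them, so the example runs without crashing; the checked variant and the fixed freeResources show the two ways of closing the hole. Function names and the column counts are assumptions made for the example.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Added example, not Apache OpenOffice code. Hypothetical stand-in for a data
// column; only the IsReadOnly property is modelled.
struct Column {
    bool readOnly = false;
};
using ColumnPtr = std::shared_ptr<Column>;

struct RowSetModel {
    std::vector<ColumnPtr> dataColumns;         // models m_aDataColumns
    std::vector<bool>      readOnlyDataColumns; // models m_aReadOnlyDataColumns
};

// Models execute_NoApprove_NoNewConn: grows only the column container.
void addColumns(RowSetModel& rs, std::size_t n, bool readOnly) {
    for (std::size_t i = 0; i < n; ++i) {
        auto c = std::make_shared<Column>();
        c->readOnly = readOnly;
        rs.dataColumns.push_back(c);
    }
}

// Models impl_setDataColumnsWriteable_throw: size the flag vector to match,
// remember each column's flag, then make the column writeable.
void setDataColumnsWriteable(RowSetModel& rs) {
    rs.readOnlyDataColumns.resize(rs.dataColumns.size());
    for (std::size_t i = 0; i < rs.dataColumns.size(); ++i) {
        rs.readOnlyDataColumns[i] = rs.dataColumns[i]->readOnly;
        rs.dataColumns[i]->readOnly = false;
    }
}

// The buggy shape: the loop is bounded by the flag vector only. Instead of
// dereferencing past dataColumns.end() (undefined behaviour; the real code
// segfaults there), this version counts the iterations that would have done so.
std::size_t restoreUnchecked(RowSetModel& rs) {
    std::size_t overrun = 0;
    auto it = rs.dataColumns.begin();
    for (auto r = rs.readOnlyDataColumns.begin(); r != rs.readOnlyDataColumns.end(); ++r) {
        if (it == rs.dataColumns.end()) { ++overrun; continue; }
        (*it)->readOnly = *r;
        ++it;
    }
    return overrun;
}

// Hardened shape: stop when either container is exhausted, so a size mismatch
// degrades to "some flags not restored" instead of a wild read.
void restoreChecked(RowSetModel& rs) {
    auto it = rs.dataColumns.begin();
    auto r  = rs.readOnlyDataColumns.begin();
    for (; it != rs.dataColumns.end() && r != rs.readOnlyDataColumns.end(); ++it, ++r)
        (*it)->readOnly = *r;
}

// freeResources as the comment describes it today: clears only the columns.
void freeResourcesBuggy(RowSetModel& rs) { rs.dataColumns.clear(); }

// freeResources with the fix the comment proposes: clear both containers.
void freeResourcesFixed(RowSetModel& rs) {
    rs.dataColumns.clear();
    rs.readOnlyDataColumns.clear();
}

// Replays the reported sequence and returns how many out-of-range
// dereferences the unchecked restore loop would perform.
std::size_t replay(bool withFix) {
    RowSetModel rs;
    addColumns(rs, 4, true);       // first table: four read-only columns (assumed)
    setDataColumnsWriteable(rs);   // flag vector now holds four entries
    if (withFix) freeResourcesFixed(rs); else freeResourcesBuggy(rs);
    addColumns(rs, 2, false);      // second table: only two columns (assumed)
    return restoreUnchecked(rs);   // restore called directly, no setWriteable first
}

// Same mismatched state, but restored with the bounds-checked loop: the two
// live columns get the saved flag and the stale entries are ignored.
bool checkedRestoreSurvives() {
    RowSetModel rs;
    addColumns(rs, 4, true);
    setDataColumnsWriteable(rs);
    freeResourcesBuggy(rs);
    addColumns(rs, 2, false);
    restoreChecked(rs);
    return rs.dataColumns.size() == 2
        && rs.dataColumns[0]->readOnly && rs.dataColumns[1]->readOnly;
}
```

With the buggy freeResources the replay leaves four stale flags against two columns, so the unchecked loop would step past the end twice; with both containers cleared it finds no flags and never enters the loop. Clearing both in freeResources is what the comment proposes; bounding the loop on both iterators is the belt-and-braces change that also protects any other caller that reaches the restore path with the two containers out of step.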