sw/source/core/access/accmap.cxx |    5 +++++
 1 file changed, 5 insertions(+)

New commits:
commit f1732a9b718e59365fa6160a7a224d7e5cc3ffb8
Author: Michael Stahl <mst...@redhat.com>
Date:   Tue Jul 4 22:46:15 2017 +0200

    sw: fix use-after-free in SwAccessibleMap::FireEvents()
    
    As seen when running JunitTest_sw_unoapi_3 against "make debugrun",
    the damn thing can call itself recursively via an odd corner case in
    GetContext():
    
    0  in SwAccessibleEventList_Impl::~SwAccessibleEventList_Impl() 
(this=0x9a6a170, __in_chrg=<optimized out>) at 
sw/source/core/access/accmap.cxx:498
    1  in SwAccessibleMap::FireEvents() (this=0x8198bb0) at 
sw/source/core/access/accmap.cxx:3023
    2  in 
SwAccessibleMap::InvalidateCursorPosition(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible>
 const&) (this=0x8198bb0, rAcc=uno::Reference to (SwAccessibleParagraph *) 
0x9a439d8) at sw/source/core/access/accmap.cxx:1069
    3  in SwAccessibleMap::GetContext(SwFrame const*, bool) (this=0x8198bb0, 
pFrame=0x825ca10, bCreate=true) at sw/source/core/access/accmap.cxx:1925
    4  in SwAccessibleMap::GetContextImpl(SwFrame const*, bool) 
(this=0x8198bb0, pFrame=0x825ca10, bCreate=true) at 
sw/source/core/access/accmap.cxx:1936
    5  in 
SwAccessibleContext::InvalidateChildPosOrSize(sw::access::SwAccessibleChild 
const&, SwRect const&) (this=0x405a350, rChildFrameOrObj=..., rOldFrame=SwRect 
= {...}) at sw/source/core/access/acccontext.cxx:1196
    6  in SwAccessibleMap::FireEvent(SwAccessibleEvent_Impl const&) 
(this=0x8198bb0, rEvent=...) at sw/source/core/access/accmap.cxx:898
    7  in SwAccessibleMap::FireEvents() (this=0x8198bb0) at 
sw/source/core/access/accmap.cxx:3018
    8  in SwViewShellImp::FireAccessibleEvents() (this=0x7744dc0) at 
sw/source/core/view/viewimp.cxx:460
    9  in SwLayIdle::SwLayIdle(SwRootFrame*, SwViewShellImp*) 
(this=0x7ffc63395e30, pRt=0x7745120, pI=0x7744dc0) at 
sw/source/core/layout/layact.cxx:2267
    
    Presumably all of mpEvents, mpEventMap and mpShapes must live until
    the outermost FireEvents() completes.
    
    Change-Id: I4e5a053035bf7fc12d9407913437d721889950ae
    (cherry picked from commit ddf8d9a150e3e1725de65577c48d47918b4b11a8)
    Reviewed-on: https://gerrit.libreoffice.org/39566
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sw/source/core/access/accmap.cxx b/sw/source/core/access/accmap.cxx
index 895a4bfd9c7e..711e34adccce 100644
--- a/sw/source/core/access/accmap.cxx
+++ b/sw/source/core/access/accmap.cxx
@@ -3047,6 +3047,11 @@ void SwAccessibleMap::FireEvents()
         osl::MutexGuard aGuard( maEventMutex );
         if( mpEvents )
         {
+            if (mpEvents->IsFiring())
+            {
+                return; // prevent recursive FireEvents()
+            }
+
             mpEvents->SetFiring();
             mpEvents->MoveMissingXAccToEnd();
             for( auto const& aEvent : *mpEvents )
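Review bot: The new `IsFiring()` early return makes the firing flag the only re-entrancy protection for `mpEvents`, and nothing in the hunk clears that flag if the `for` loop over `*mpEvents` exits abnormally. If `FireEvent()` can throw (not visible here), the list would stay marked as firing and every later `FireEvents()` would return at this check, so queued events would be neither delivered nor freed. It is worth confirming that the cleanup after the loop always runs, or resetting the state with a scope guard. The comment could also record why the nested call must back off, e.g. `return; // nested call via GetContext(): the outer FireEvents() is still iterating *mpEvents and will delete it`. The body of `FireEvents()` continues past the hunk, so the cleanup path is inferred from the backtrace in the commit message.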