sw/source/core/text/itrform2.cxx |    4 ++++
 1 file changed, 4 insertions(+)

New commits:
commit fb30c52ced11505fa4a0201a9dc127316133151d
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Jul 12 16:21:04 2021 +0100
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Wed Nov 17 10:17:15 2021 +0100

    crashtesting: UaF on layout of ooo98566-1.odt
    
    in:
    sw/source/core/text/itrform2.cxx:2643 SwTextFormatter::NewFlyCntPortion
    at: pFly = static_cast<SwTextFlyCnt*>(pHint)->GetFlyFrame(pFrame)
    
    (gdb) print m_pCurr
    $2 = (SwLineLayout *) 0x55ea220a0020
    
    after calling GetFlyFrame m_pCurr is unchanged and we will call
    m_pCurr->MaxAscentDescent
    on it.
    
    But m_pCurr is deleted during GetFlyFrame by...
    
     #18 0x00007f98c5cd337f in SwLineLayout::~SwLineLayout() 
(this=this@entry=0x55ea220a0020, __in_chrg=<optimized out>)
         at source/libo-core/sw/source/core/text/portxt.hxx:26
     #19 0x00007f98c5cd347a in SwParaPortion::~SwParaPortion() 
(this=0x55ea220a0020, __in_chrg=<optimized out>)
         at source/libo-core/sw/source/core/text/porlay.cxx:2491
     #20 0x00007f98c5cd3485 in SwParaPortion::~SwParaPortion() 
(this=0x55ea220a0020, __in_chrg=<optimized out>)
         at source/libo-core/sw/source/core/text/porlay.cxx:2491
     #21 0x00007f98c5d05e70 in 
std::default_delete<SwParaPortion>::operator()(SwParaPortion*) const 
(__ptr=<optimized out>, this=<optimized out>)
         at /usr/include/c++/8/bits/unique_ptr.h:75
     #22 0x00007f98c5d05e70 in std::unique_ptr<SwParaPortion, 
std::default_delete<SwParaPortion> >::reset(SwParaPortion*)
         (__p=<optimized out>, this=<optimized out>) at 
/usr/include/c++/8/bits/unique_ptr.h:382
     #23 0x00007f98c5d05e70 in SwTextLine::SetPara(SwParaPortion*, bool) 
(bDelete=true, pNew=0x0, this=<optimized out>)
         at source/libo-core/sw/source/core/text/txtcache.hxx:45
     #24 0x00007f98c5d05e70 in SwTextFrame::ClearPara() 
(this=this@entry=0x55ea21302b60) at 
source/libo-core/sw/source/core/text/txtcache.cxx:113
     #25 0x00007f98c5d1be89 in SwTextFrame::Init() 
(this=this@entry=0x55ea21302b60) at 
source/libo-core/sw/source/core/text/txtfrm.cxx:757
     #26 0x00007f98c5d2630c in SwTextFrame::Prepare(PrepareHint, void const*, 
bool)
         (this=0x55ea21302b60, ePrep=PrepareHint::FlyFrameArrive, 
pVoid=<optimized out>, bNotify=<optimized out>)
         at source/libo-core/sw/source/core/text/txtfrm.cxx:3086
     #27 0x00007f98c5b1edb8 in 
SwFlyInContentFrame::NotifyBackground(SwPageFrame*, SwRect const&, PrepareHint)
         (this=<optimized out>, rRect=..., eHint=<optimized out>) at 
source/libo-core/sw/inc/anchoredobject.hxx:205
     #28 0x00007f98c5b261a6 in Notify(SwFlyFrame*, SwPageFrame*, SwRect const&, 
SwRect const*)
         (pFly=pFly@entry=0x55ea21a18d60, pOld=0x0, rOld=SwRect = {...}, 
pOldPrt=pOldPrt@entry=0x7ffeb50390f8)
         at source/libo-core/sw/source/core/inc/frame.hxx:1177
     #29 0x00007f98c5b2ceca in SwFlyNotify::~SwFlyNotify() 
(this=0x7ffeb50390d0, __in_chrg=<optimized out>)
         at source/libo-core/sw/source/core/layout/frmtool.cxx:648
     #30 0x00007f98c5b1fa25 in SwFlyInContentFrame::MakeAll(OutputDevice*) 
(this=0x55ea21a18d60)
         at source/libo-core/sw/source/core/inc/frmtool.hxx:419
     #31 0x00007f98c5aec3a9 in SwFrame::PrepareMake(OutputDevice*) 
(this=0x55ea21a18d60, pRenderContext=0x55ea212bc4c0)
         at source/libo-core/sw/source/core/layout/calcmove.cxx:375
     #32 0x00007f98c5b17ad2 in SwFlyFrame::Calc(OutputDevice*) const 
(this=<optimized out>, pRenderContext=<optimized out>)
         at source/libo-core/sw/source/core/layout/fly.cxx:2890
     #33 0x00007f98c5b636c5 in SwObjectFormatter::FormatLayout_(SwLayoutFrame&) 
(this=this@entry=0x55ea2244d150, _rLayoutFrame=...)
         at source/libo-core/include/rtl/ref.hxx:206
     #34 0x00007f98c5b6413e in SwObjectFormatter::FormatObj_(SwAnchoredObject&) 
(this=this@entry=0x55ea2244d150, _rAnchoredObj=...)
         at source/libo-core/sw/source/core/layout/objectformatter.cxx:296
     #35 0x00007f98c5b6705b in 
SwObjectFormatterTextFrame::DoFormatObj(SwAnchoredObject&, bool)
         (this=0x55ea2244d150, _rAnchoredObj=..., _bCheckForMovedFwd=<optimized 
out>)
         at source/libo-core/sw/source/core/layout/objectformattertxtfrm.cxx:136
     #36 0x00007f98c5b6359f in SwObjectFormatter::FormatObj(SwAnchoredObject&, 
SwFrame*, SwPageFrame const*)
         (_rAnchoredObj=..., _pAnchorFrame=<optimized out>, 
_pPageFrame=<optimized out>)
         at source/libo-core/sw/source/core/layout/objectformatter.cxx:190
     #37 0x00007f98c5d717aa in SwTextFlyCnt::GetFlyFrame_(SwFrame const*) 
(this=this@entry=0x55ea214d8810, pCurrFrame=pCurrFrame@entry=0x55ea21302b60)
         at source/libo-core/sw/source/core/inc/frame.hxx:1177
     #38 0x00007f98c5cb511b in SwTextFlyCnt::GetFlyFrame(SwFrame const*) 
(pCurrFrame=0x55ea21302b60, this=0x55ea214d8810)
         at source/libo-core/sw/inc/txtflcnt.hxx:48
     #39 0x00007f98c5cb511b in 
SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const
         (this=this@entry=0x7ffeb503a6b0, rInf=..., pHint=0x55ea214d8810) at 
source/libo-core/sw/source/core/text/itrform2.cxx:2643
    
    (gdb) print this
    (SwLinePortion * const) 0x55ea220a0020
    
    The SwTextFrame of SwTextFrame::ClearPara is the same pFrame/m_pFrame at 
SwTextFormatter::NewFlyCntPortion
    
    ClearPara is not called if the SwTextFrame is "Locked", so try using that 
to protect GetFlyFrame
    
    Change-Id: Ia9dcb1f345f6953d995f2acf1ec23492d1680364
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118784
    Tested-by: Jenkins
    Tested-by: Caolán McNamara <caol...@redhat.com>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit 7e016df70d4ceb6c90ec5f1b129b50a65ff07505)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/125290
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx
index 5bc418ec7580..3e006bb456ca 100755
--- a/sw/source/core/text/itrform2.cxx
+++ b/sw/source/core/text/itrform2.cxx
@@ -2469,7 +2469,11 @@ SwFlyCntPortion *SwTextFormatter::NewFlyCntPortion( 
SwTextFormatInfo &rInf,
     SwFlyInContentFrame *pFly;
     SwFrameFormat* pFrameFormat = 
static_cast<SwTextFlyCnt*>(pHint)->GetFlyCnt().GetFrameFormat();
     if( RES_FLYFRMFMT == pFrameFormat->Which() )
+    {
+        // set Lock pFrame to avoid m_pCurr getting deleted
+        TextFrameLockGuard aGuard(m_pFrame);
         pFly = static_cast<SwTextFlyCnt*>(pHint)->GetFlyFrame(pFrame);
+    }
     else
         pFly = nullptr;
     // aBase is the document-global position, from which the new extra portion 
is placed
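Review bot: The guard on line 2474 locks `m_pFrame`, but `GetFlyFrame` is handed `pFrame`; the fix only holds if the two are the same object, which the commit message asserts from one crash trace rather than from the code in the hunk, so it is worth pinning with `assert(m_pFrame == pFrame && "lock must cover the frame GetFlyFrame formats");` before the call. The comment on the added line also understates what the lock does: it keeps `m_pCurr` alive by making `SwTextFrame::Prepare(FlyFrameArrive)` skip `Init()`/`ClearPara()` entirely, so the invalidation that Prepare wanted is dropped rather than deferred and the formatter continues on a `m_pCurr` that may be stale — I would say so explicitly, e.g. `// Lock m_pFrame so that Prepare(FlyFrameArrive), reached from GetFlyFrame via object formatting, does not ClearPara() and delete m_pCurr underneath us; the frame stays in need of reformatting afterwards`. Whether a later pass re-invalidates the frame cannot be seen from this hunk and should be confirmed against the callers. `NewFlyCntPortion` starts and ends outside the hunk, so its use of `m_pCurr` after the call (cited in the commit message) is not visible here.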
