Issue 105124 - [sw] use-after-free in SwDoc::CreateLinkSource
Status: CLOSED FIXED
Alias: None
Product: Writer
Classification: Application
Component: code
Version: DEV300m58
Hardware: All All
Importance: P2 Trivial
Target Milestone: ---
Assignee: mst.ooo
QA Contact: issues@sw
URL:
Keywords:
Depends on:
Blocks: 99999
Reported: 2009-09-16 14:32 UTC by mst.ooo
Modified: 2017-05-20 11:42 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Description mst.ooo 2009-09-16 14:32:46 UTC
unoapi test sw.SwXTextSection fails; it may crash, and valgrind complains about
memory corruption (use-after-free):

==30234== Thread 8:
==30234== Invalid read of size 4
==30234==    at 0x17EB8F26: String::Len() const (string.hxx:568)
==30234==    by 0x17F32BE1: CharClass::lower(String const&) const
(charclass.hxx:231)
==30234==    by 0x182170C3: lcl_FindSection(SwSectionFmt* const&, void*,
bool) (docdde.cxx:100)
==30234==    by 0x182171DB: lcl_FindSectionCaseInsensitive(SwSectionFmt*
const&, void*) (docdde.cxx:124)
==30234==    by 0x794B82F: SvPtrarr::_ForEach(unsigned short, unsigned
short, unsigned char (*)(void* const&, void*), void*) (in
/net/x42-so29/export/home/ms216673/inst/SO_m58_DEV300_li/opt/openoffice.org/basis3.2/program/libsvlli.so)
==30234==    by 0x1821874E: SwSectionFmts::ForEach(unsigned short,
unsigned short, unsigned char (*)(SwSectionFmt* const&, void*), void*)
(docary.hxx:85)
==30234==    by 0x18217EB9: SwDoc::CreateLinkSource(String const&)
(docdde.cxx:254)
==30234==    by 0x182F48D3: SwIntrnlSectRefLink::DataChanged(String
const&, com::sun::star::uno::Any const&) (section.cxx:1399)
==30234==    by 0x74ACD2A: sfx2::SvBaseLink::Update() (in
/net/x42-so29/export/home/ms216673/inst/SO_m58_DEV300_li/opt/openoffice.org/basis3.2/program/libsfxli.so)
==30234==    by 0x182F34FA: SwSection::CreateLink(LinkCreateType)
(section.cxx:1647)
==30234==    by 0x182C1828: SwDoc::ChgSection(unsigned short, SwSection
const&, SfxItemSet const*, unsigned char) (ndsect.cxx:721)
==30234==    by 0x18348B87:
SwXTextSection::SetPropertyValues_Impl(com::sun::star::uno::Sequence<rtl::OUString>
const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&)
(unosect.cxx:867)
==30234==  Address 0x17766ab4 is 4 bytes inside a block of size 18 free'd
==30234==    at 0x4CA0DFA: free (vg_replace_malloc.c:323)
==30234==    by 0x6D8D1B3: rtl_freeMemory (alloc_global.c:315)
==30234==    by 0x6D75508: rtl_uString_release (strtmpl.c:1022)
==30234==    by 0x7F322AF: String::~String() (in
/net/x42-so29/export/home/ms216673/inst/SO_m58_DEV300_li/opt/openoffice.org/basis3.2/program/libtlli.so)
==30234==    by 0x18217E5E: SwDoc::CreateLinkSource(String const&)
(docdde.cxx:252)
==30234==    by 0x182F48D3: SwIntrnlSectRefLink::DataChanged(String
const&, com::sun::star::uno::Any const&) (section.cxx:1399)
==30234==    by 0x74ACD2A: sfx2::SvBaseLink::Update() (in
/net/x42-so29/export/home/ms216673/inst/SO_m58_DEV300_li/opt/openoffice.org/basis3.2/program/libsfxli.so)
==30234==    by 0x182F34FA: SwSection::CreateLink(LinkCreateType)
(section.cxx:1647)
==30234==    by 0x182C1828: SwDoc::ChgSection(unsigned short, SwSection
const&, SfxItemSet const*, unsigned char) (ndsect.cxx:721)
==30234==    by 0x18348B87:
SwXTextSection::SetPropertyValues_Impl(com::sun::star::uno::Sequence<rtl::OUString>
const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&)
(unosect.cxx:867)
==30234==    by 0x18348DE5: SwXTextSection::setPropertyValue(rtl::OUString
const&, com::sun::star::uno::Any const&) (unosect.cxx:931)
==30234==    by 0xC74DD98: (within
/net/x42-so29/export/home/ms216673/inst/SO_m58_DEV300_li/opt/openoffice.org/ure/lib/libgcc3_uno.so)
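
A way to triage the memcheck report above, added here as an example and not part of the original report or the OpenOffice code: the script pairs the invalid-read stack with the free stack and returns the innermost function that appears on both at different source lines. REPORT is abridged from the trace above with wrapped lines rejoined; the names split_stacks and divergence are this example's own.

```python
import re

# Abridged from the memcheck report above, wrapped lines rejoined.
REPORT = """\
==30234== Invalid read of size 4
==30234==    at 0x17EB8F26: String::Len() const (string.hxx:568)
==30234==    by 0x182170C3: lcl_FindSection(SwSectionFmt* const&, void*, bool) (docdde.cxx:100)
==30234==    by 0x18217EB9: SwDoc::CreateLinkSource(String const&) (docdde.cxx:254)
==30234==    by 0x182F48D3: SwIntrnlSectRefLink::DataChanged(String const&, com::sun::star::uno::Any const&) (section.cxx:1399)
==30234==  Address 0x17766ab4 is 4 bytes inside a block of size 18 free'd
==30234==    at 0x4CA0DFA: free (vg_replace_malloc.c:323)
==30234==    by 0x6D75508: rtl_uString_release (strtmpl.c:1022)
==30234==    by 0x18217E5E: SwDoc::CreateLinkSource(String const&) (docdde.cxx:252)
==30234==    by 0x182F48D3: SwIntrnlSectRefLink::DataChanged(String const&, com::sun::star::uno::Any const&) (section.cxx:1399)
"""

# A frame with debug info: "at|by 0xADDR: function (file:line)".
# Frames that only name a library ("(in /path/lib.so)") do not match and are skipped.
FRAME = re.compile(
    r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>.+) \((?P<file>[^():]+):(?P<line>\d+)\)$"
)


def split_stacks(report):
    """Return (access_stack, free_stack), each a list of (func, file, line), innermost first."""
    access, freed, current = [], [], None
    for raw in report.splitlines():
        line = re.sub(r"^==\d+== ?", "", raw)  # drop the ==PID== prefix
        if re.match(r"Invalid (read|write) of size \d+", line):
            current = access
        elif re.search(r"inside a block of size \d+ free'd$", line):
            current = freed
        else:
            m = FRAME.match(line)
            if m and current is not None:
                current.append((m["func"], m["file"], int(m["line"])))
    return access, freed


def divergence(access, freed):
    """Innermost shared function whose free site and use site are on different lines."""
    free_lines = {(func, file): line for func, file, line in freed}
    for func, file, use_line in access:  # innermost frame first
        free_line = free_lines.get((func, file))
        if free_line is not None and free_line != use_line:
            return func, file, free_line, use_line
    return None


if __name__ == "__main__":
    print(divergence(*split_stacks(REPORT)))
```

For this report the result points at SwDoc::CreateLinkSource in docdde.cxx, where the String buffer is released at line 252 and read again through the ForEach callback started at line 254.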
Comment 1 mst.ooo 2009-09-16 18:41:52 UTC
fixed in CWS sw32bf04
Comment 2 mst.ooo 2009-09-21 16:33:54 UTC
.