Apache OpenOffice (AOO) Bugzilla – Issue 121917
Crash when editing a drawing object anchored to header paragraph
Last modified: 2017-05-20 11:42:13 UTC
Created attachment 80434: document with text box anchored to header

Open the attached document.
Go to page 2.
Right-click on the text box A.
Choose "Position & Size" from its context menu.
Crash.

The text box is anchored to the paragraph in the header. Therefore the drawing object on the second page is not the original one, but a clone, which is generated for header repeating. If it is not intended that the drawing object can be edited from such a position, then the drawing object should not be selectable there. If the object should be editable at that position, like other header content, then it should not crash.
It crashes in 3.4.1, but also 3.2.1-OOO320_m18-9502 and 3.4.0-BETA-OOO340_m0-9583
crash confirmed in oo32
Crash takes place in SwDrawVirtObj::GetPlusHdl() because a NULL pointer is dereferenced.
ALG: Taking a look...
ALG: UhOh. GetPlusHdl should not even be called, it's only called due to casting a SdrObject to SdrTextObj which is in this case a SwDrawVirtObj. At that object HasText is called, but lands on GetPlusHdl (jumping over the wrong virtual table). Two steps:
- Change the cast to dynamic_cast and adapt code
- Take the chance and make methods at SwDrawVirtObj more safe.
ALG: Made a short check with Symphony, from the code it should also crash there. It does.
ALG: Checked that my changes do the fix, preparing checkin.
ALG: Okay, done.
ALG: Setting to fixed
grant showstopper flag to get clear status, already fixed
I still reproduce the crash with revision 1499347
Still crashes in non-pro build of r1501409. The crash is triggered by calling the dialog, not by setting width or height in the sidebar.
ALG: Checked on mac at r1499347, all is well. Indeed crashes on Win7 also on r1499347. Does not crash on current trunk build. Maybe snapshot build was not up-to-date? Controlling checkin, also no automatic note added to this task...
My build is from a fresh clone (~18h ago) of trunk, and it crashes.
ALG: Okay, thanks, Regina. Found commit r1494127, also changes are in trunk, verified. Getting the buildbot win build r1501409, checking...
ALG: Also crashes with buildbot build r1501409, need to make a clean, fresh windows build to check (current trunk does not crash)...
ALG: Re-checked: Mac and Linux are okay.
ALG: Found another place in cui where a SdrObject is cast the old way to a SdrTextObj because the SdrObjKind is a text type; this is not safe as long as we have SdrVirtObjs in Writer. In this case, the wrong cast leads to a wrong function call (SwDrawVirtObj::GetPlusHdl instead of HasText). Other system compilers somehow survive that, as the win compiler does in non-pro build. Anyways, it's an error. Checking with a pro-build if this is the error.
ALG: Adapted three places with bad/dangerous casts in cui, needed a pro build to test if this helps. Works as expected, indeed this causes the trouble. Did some more deep tests with debugger and manipulating that 2nd object, looks good. Preparing commit...
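Added example, not part of the issue thread and not the AOO sources: a simplified model of the cast problem described in the comments above, showing why a kind check alone does not justify a downcast and how a `dynamic_cast` check rejects the virtual object. The class and function names (`DrawObj`, `TextObj`, `VirtObj`, `SafeHasText`, `KindSaysText`) are hypothetical stand-ins for `SdrObject`, `SdrTextObj` and `SwDrawVirtObj`, and the assumption that the virtual object reports the kind of the object it refers to is part of the model.

```cpp
#include <iostream>

// Hypothetical, simplified stand-ins for the classes named in the thread.
enum ObjKind { KIND_NONE, KIND_TEXT };

struct DrawObj {
    virtual ~DrawObj() {}
    virtual ObjKind GetKind() const { return KIND_NONE; }
};

struct TextObj : DrawObj {
    bool mbHasText;
    explicit TextObj(bool bHasText) : mbHasText(bHasText) {}
    ObjKind GetKind() const override { return KIND_TEXT; }
    virtual bool HasText() const { return mbHasText; }
};

// Model of the clone shown in a repeated header (assumption): it reports the
// kind of the object it refers to, but it is NOT derived from TextObj.
struct VirtObj : DrawObj {
    DrawObj& mrRef;
    explicit VirtObj(DrawObj& rRef) : mrRef(rRef) {}
    ObjKind GetKind() const override { return mrRef.GetKind(); }
    virtual void* GetPlusHdl() const { return nullptr; }
};

// The kind check the old code relied on.
bool KindSaysText(const DrawObj* pObj) {
    return pObj != nullptr && pObj->GetKind() == KIND_TEXT;
}

// Unsafe pattern (shown only as a comment, never executed here):
//   if (KindSaysText(pObj)) static_cast<TextObj*>(pObj)->HasText();
// For a VirtObj this is undefined behaviour: the call is dispatched through
// a vtable slot of an unrelated class, so a different function may run.

// Checked version: the dynamic type decides, not the reported kind.
bool SafeHasText(DrawObj* pObj) {
    TextObj* pText = dynamic_cast<TextObj*>(pObj);
    return pText != nullptr && pText->HasText();
}

int main() {
    TextObj aText(true);
    VirtObj aClone(aText);
    std::cout << "kind says text: " << KindSaysText(&aClone)
              << ", safe HasText: " << SafeHasText(&aClone) << "\n";
    return 0;
}
```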
"alg" committed SVN revision 1502162 into trunk: i121917 secure SdrTextObj casts in cui
"alg" committed SVN revision 1502164 into branches/AOO400: i121917 secure SdrTextObj casts in cui
ALG: Committed in trunk and branch AOO400, cui needs rebuild but is compatible.
ALG: Added #122720# to clean this up on trunk in general
I do not see the crash in RC, Rev. 1502185 on Win 7