sw/qa/core/layout/data/tables-move-backwards.odt |binary sw/source/core/layout/layact.cxx | 23 ++++++++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-)
New commits: commit c73065af2701e6c5bda8e5afc7f40fb5ea760935 Author: Miklos Vajna <[email protected]> AuthorDate: Tue Mar 31 15:10:52 2020 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Wed Jul 29 11:12:25 2020 +0200 sw: fix use-after-free when moving multiple tables to a previous page Regression from commit e4da634b983052f300cd0e9b2bbaa60eb02c1b28 (sw: fix moving more than 20 table frames to a previous page, 2020-03-30), asan found a heap-use-after-free during CppunitTest_sw_ooxmlexport5 CPPUNIT_TEST_NAME=testOldComplexMergeTableInTable, the follow frame is deleted like this: #1 in SwTabFrame::~SwTabFrame() at sw/source/core/layout/tabfrm.cxx:145:1 (instdir/program/libswlo.so +0xec98ba5) #2 in SwFrame::DestroyFrame(SwFrame*) at sw/source/core/layout/ssfrm.cxx:389:9 (instdir/program/libswlo.so +0xec8495f) #3 in SwTabFrame::Join() at sw/source/core/layout/tabfrm.cxx:1390:9 (instdir/program/libswlo.so +0xecb6088) #4 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:1865:9 (instdir/program/libswlo.so +0xecbc1f6) #5 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:370:5 (instdir/program/libswlo.so +0xe519919) #6 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1789:37 (instdir/program/libswlo.so +0xed8424e) #7 in SwLayAction::FormatLayoutTab(SwTabFrame*, bool) at sw/source/core/layout/layact.cxx:1485:15 (instdir/program/libswlo.so +0xe897ea9) Fix the problem by not moving multiple tables to a previous page in one iteration when the table is a follow one. Change-Id: I443240b6153b74d6def97140c516d7cf7a2d35e4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91425 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins (cherry picked from commit 10036bd52e094b5c9b02ff5142829f0825a20571) (cherry picked from commit 1aeee2f1dc009f5b2731cc505d323ef9279d416c) diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx index 27820ca028eb..5c938317c4da 100644 --- a/sw/source/core/layout/layact.cxx +++ b/sw/source/core/layout/layact.cxx @@ -1370,6 +1370,17 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa // page, in which case it looses its next. pNext = pLow->GetNext(); + if (pNext && pNext->IsTabFrame()) + { + auto pTab = static_cast<SwTabFrame*>(pNext); + if (pTab->IsFollow()) + { + // The next frame is a follow of the previous frame, SwTabFrame::Join() will + // delete this one as part of formatting, so forget about it. + pNext = nullptr; + } + } + bTabChanged |= FormatLayoutTab( static_cast<SwTabFrame*>(pLow), bAddRect ); --m_nTabLevel; } commit 01b28395fa06173a7d27221bc9ee469c15f3d675 Author: Miklos Vajna <[email protected]> AuthorDate: Mon Mar 30 17:53:51 2020 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Wed Jul 29 11:12:05 2020 +0200 sw: fix moving more than 20 table frames to a previous page Steps to reproduce the problem: - have some content on page1 - have more than 20 tables on page 2 - delete all content on page 1 The first 20 tables are moved to page 1 then the layout process stops as the layout loop control aborts it: warn:legacy.osl:8282:8282:sw/source/core/layout/layact.cxx:544: LoopControl_1 in SwLayAction::InternalAction and the remaining tables stay on page 2, even if page 1 would have space for them. There are various other ways to trigger the same problem, e.g. have a ToC, add lots of headings, update the ToC, undo. Fix the problem by doing more work in SwLayAction::FormatLayout in a single iteration: if a table frame is moved to a different parent we can still format the table's next frame in the same iteration with a bit of effort. Change-Id: I25912a69c19e042f0e0375898f4e0a5fa13321fc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91377 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins (cherry picked from commit e4da634b983052f300cd0e9b2bbaa60eb02c1b28) diff --git a/sw/qa/core/layout/data/tables-move-backwards.odt b/sw/qa/core/layout/data/tables-move-backwards.odt new file mode 100644 index 000000000000..861dc4f4ad86 Binary files /dev/null and b/sw/qa/core/layout/data/tables-move-backwards.odt differ diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx index c9bc309adb11..27820ca028eb 100644 --- a/sw/source/core/layout/layact.cxx +++ b/sw/source/core/layout/layact.cxx @@ -1354,6 +1354,7 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa while ( pLow && pLow->GetUpper() == pLay ) { SwFrameDeleteGuard delG(pLow); + SwFrame* pNext = nullptr; if ( pLow->IsLayoutFrame() ) { if ( pLow->IsTabFrame() ) @@ -1364,6 +1365,11 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa } ++m_nTabLevel; + + // Remember what was the next of the lower. Formatting may move it to the previous + // page, in which case it looses its next. + pNext = pLow->GetNext(); + bTabChanged |= FormatLayoutTab( static_cast<SwTabFrame*>(pLow), bAddRect ); --m_nTabLevel; } @@ -1378,7 +1384,11 @@ bool SwLayAction::FormatLayout( OutputDevice *pRenderContext, SwLayoutFrame *pLa if ( IsAgain() ) return false; - pLow = pLow->GetNext(); + if (!pNext) + { + pNext = pLow->GetNext(); + } + pLow = pNext; } // add complete frame area as paint area, if frame // area has been already added and after formatting its lowers the frame area _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
