filter/source/pdf/pdfdialog.cxx | 1 +
1 file changed, 1 insertion(+)
New commits:
commit e4c611ddc731d6a2ca9c3de61a02d1d4b6eefa9b
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri Jun 9 12:51:22 2023 +0100
Commit: Caolán McNamara <[email protected]>
CommitDate: Fri Jun 9 20:26:48 2023 +0200
pdf export dialog can crash if async mode used
dialogClosed can cause the owner of PDFDialog to drop it during the
callback
==4057599==ERROR: AddressSanitizer: heap-use-after-free on address
0x6130003cc890 at pc 0x7fecd4abe0f4 bp 0x7ffce7ef2d80 sp 0x7ffce7ef2d78
READ of size 8 at 0x6130003cc890 thread T0
#0 0x7fecd4abe0f3 in std::__shared_ptr<SfxTabDialogController,
(__gnu_cxx::_Lock_policy)2>::operator bool() const
/usr/bin/../lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/shared_ptr_base.h:1670:16
#1 0x7fecd4abe0f3 in
svt::OGenericUnoAsyncDialog<SfxTabDialogController>::destroyAsyncDialog()
core/include/svtools/genericasyncunodialog.hxx:107:13
#2 0x7fecd4abd362 in
PDFDialog::runAsync(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener>
const&)::$_0::operator()(int) const core/filter/source/pdf/pdfdialog.cxx:95:9
0x6130003cc890 is located 272 bytes inside of 336-byte region
[0x6130003cc780,0x6130003cc8d0)
freed by thread T0 here:
#0 0x4b7cfa in __interceptor_free
(core/instdir/program/soffice.bin+0x4b7cfa) (BuildId:
e1b47bbe1dcc1e4ed692b09b49fe3da8d206f4b1)
#1 0x7fed09f540b2 in
com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XAsynchronousExecutableDialog>::~Reference()
core/include/com/sun/star/uno/Reference.hxx:114:22
#2 0x7fed09f540b2 in ModelData_Impl::~ModelData_Impl()
core/sfx2/source/doc/guisaveas.cxx:359:1
previously allocated by thread T0 here:
#0 0x4b7fa2 in malloc (core/instdir/program/soffice.bin+0x4b7fa2)
(BuildId: e1b47bbe1dcc1e4ed692b09b49fe3da8d206f4b1)
#1 0x7fecd4ab87cf in cppu::OWeakObject::operator new(unsigned long)
core/include/cppuhelper/weak.hxx:89:18
#2 0x7fecd4ab87cf in filter_PDFDialog_get_implementation
core/filter/source/pdf/pdfdialog.cxx:170:26
...
#9 0x7fed09f811a4 in
SfxStoringHelper::GUIStoreModel(com::sun::star::uno::Reference<com::sun::star::frame::XModel>
const&, std::basic_string_view<char16_t, std::char_traits<char16_t>>,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, bool,
SignatureState, bool) core/sfx2/source/doc/guisaveas.cxx:1561:29
Change-Id: I7ea28b9b4bb7c826f1c3c8ced7ea8217573f733b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152793
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/filter/source/pdf/pdfdialog.cxx b/filter/source/pdf/pdfdialog.cxx
index c036fc747b2a..c7dd241c2049 100644
--- a/filter/source/pdf/pdfdialog.cxx
+++ b/filter/source/pdf/pdfdialog.cxx
@@ -79,6 +79,7 @@ void PDFDialog::executedDialog( sal_Int16 nExecutionResult )
void PDFDialog::runAsync(const css::uno::Reference<
css::ui::dialogs::XDialogClosedListener >& xListener)
{
SfxTabDialogController::runAsync(m_xAsyncDialog, [this,
xListener](sal_Int32 nResponse) {
+ rtl::Reference<PDFDialog> xThis(this); // keep alive for scope,
dialogClosed can cause owner to drop this
executedAsyncDialog( m_xAsyncDialog, nResponse );
css::ui::dialogs::DialogClosedEvent aEvent;
aEvent.DialogResult = nResponse;
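Review bot: The keep-alive `xThis` is taken only once the callback is already running, while the lambda still captures a raw `this` in `[this, xListener]`. This covers the case in the ASan trace, where the owner releases its reference during the callback and `destroyAsyncDialog()` then reads freed memory. It does not help if the last external reference is dropped before the response callback is invoked, because constructing `rtl::Reference<PDFDialog>` from a dangling `this` would be the use-after-free itself. Whether that ordering can happen depends on the lifetime of `m_xAsyncDialog` and its stored callback, which is not visible here, so the assumption should be recorded next to the new line, e.g. `// assumes the owner holds a reference until this callback starts; only a drop during the callback is covered`. The lambda body continues past the end of the hunk, so the `dialogClosed` call and the line-95 `destroyAsyncDialog()` call are not shown.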