sw/source/core/layout/layact.cxx | 2 ++ 1 file changed, 2 insertions(+)
New commits: commit 8b6485703af3af575fb0cd5fa38267c86545185e Author: Michael Stahl <[email protected]> AuthorDate: Fri Sep 15 16:57:58 2023 +0200 Commit: Xisco Fauli <[email protected]> CommitDate: Mon Sep 18 08:58:33 2023 +0200 tdf#157096 sw: layout: fix UAF crash from stale mpFlyDestory entry It doesn't make sense that mpFlyDestory entries survive exit from SwLayAction. Call DeleteEmptyFlys() whenever DeleteEmptySct() is called. (reportedly crashes since commit c303981cfd95ce1c3881366023d5495ae2edce97 although i'd rather blame commit f6fbd9d5ff5b049112e6ca7a8943c156b3e4f411) Change-Id: Ie03e91a7d089c8aae8a1db65df835841f985771f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156949 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 5a33420923c76d3e282f6d4ce0f3a63616ca3cff) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156953 Reviewed-by: Xisco Fauli <[email protected]> diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx index 49d7573dd547..c157476cd3b1 100644 --- a/sw/source/core/layout/layact.cxx +++ b/sw/source/core/layout/layact.cxx @@ -371,6 +371,7 @@ void SwLayAction::Action(OutputDevice* pRenderContext) m_pRoot->ResetTurboFlag(); m_bActionInProgress = false; m_pRoot->DeleteEmptySct(); + m_pRoot->DeleteEmptyFlys(); return; } else if ( m_pRoot->GetTurbo() ) @@ -397,6 +398,7 @@ void SwLayAction::Action(OutputDevice* pRenderContext) SetAgain(true); } m_pRoot->DeleteEmptySct(); + m_pRoot->DeleteEmptyFlys(); m_pWait.reset();
