When loading the word document in Bug number 2652,
I get a segfault due to a double free.
The destructor of FG_GraphicRaster called from
IE_ImpGraphic_PNG::importGraphic (line 73) (error case)
and later the DELETEP(pictData)
in ie_imp_MsWord97.cpp
line 2477 (IE_Imp_MsWord_97::_handleImage) free the same pointer.
My patch solves this problem by setting m_bOwnPNG = false and therefore
the destructor of FG_GraphicRaster will not delete the buffer.
Note there is now a memory leak in the non error case,
the two DELETEP at the end of IE_Imp_MsWord_97::_handleImage
should probably be made "alive" again, after careful inspection
of all code paths.
Cleanup:
//DELETEP(pictData);
//DELETEP(pFG);
Robert
? diff
Index: fg_GraphicRaster.cpp
===================================================================
RCS file: /cvsroot/abi/src/text/fmt/xp/fg_GraphicRaster.cpp,v
retrieving revision 1.24
diff -u -r1.24 fg_GraphicRaster.cpp
--- fg_GraphicRaster.cpp 25 Feb 2002 21:14:49 -0000 1.24
+++ fg_GraphicRaster.cpp 4 Mar 2002 18:19:00 -0000
@@ -251,7 +250,7 @@
DELETEP(m_pbbPNG);
m_pbbPNG = pBB;
- m_bOwnPNG = true;
+ m_bOwnPNG = false;
// We want to calculate the dimensions of the image here.
return UT_PNG_getDimensions(pBB, m_iWidth, m_iHeight);
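
Review bot: setting m_bOwnPNG = false directly after m_pbbPNG = pBB changes the ownership contract of this setter for every caller, not only for the failing PNG import path. With this change the object keeps a raw pointer to pBB that it will never free, so any caller that hands the buffer over now leaks it (the message itself notes this), and any caller that frees pBB while the FG_GraphicRaster is still alive leaves m_pbbPNG dangling. I would keep the ownership transfer here and fix the double free at the call site instead, by not running DELETEP(pictData) in IE_Imp_MsWord_97::_handleImage once the buffer has been handed over, or make ownership an explicit argument of this function so each caller states what it intends. Either way, a comment at this assignment saying who owns pBB after the call would prevent the next mismatch.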