This is an automated email from the ASF dual-hosted git repository.

leginee pushed a commit to branch fix-letent-use-after-free-bug
in repository https://gitbox.apache.org/repos/asf/openoffice.git

commit a9892e3792df3f38cfa19fe738c9fdf6f627172f
Author: Peter Kovacs <[email protected]>
AuthorDate: Mon Jun 15 23:25:32 2026 +0200

    Fix latent use-after-free in Calc causing an access violation on document open (deterministic under the debug CRT, masked by allocator reuse in release builds)
---
 main/sc/source/ui/view/viewdata.cxx | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/main/sc/source/ui/view/viewdata.cxx 
b/main/sc/source/ui/view/viewdata.cxx
index 26b4b3ec50..7b8dfb5cf1 100644
--- a/main/sc/source/ui/view/viewdata.cxx
+++ b/main/sc/source/ui/view/viewdata.cxx
@@ -2952,6 +2952,15 @@ void ScViewData::ReadUserDataSequence(const 
uno::Sequence <beans::PropertyValue>
             pTabData[nZoomTab]->aPageZoomY = aDefPageZoomY;
         }
 
+       // The loop above delete'd and re-new'd pTabData[] entries (including 
the
+       // active one) but left pThisTab pointing at a freed ScViewDataTable.  
Restore
+       // the pThisTab == pTabData[nTabNo] invariant before anyone 
dereferences it
+       // (e.g. ScTabView::SetTabNo -> GetActivePart()).  Mirrors SetTabNo 
(line
+       // ~1502).  Without it, a debug build AVs on document open (reads 
0xDDDDDDDD);
+       // release masks it only via allocator MRU reuse.  See bug-readme.md 
§14.
+       CreateTabData( nTabNo );
+       pThisTab = pTabData[nTabNo];
+
        if (nCount)
                SetPagebreakMode( bPageMode );
 
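Review bot: The new comment above `CreateTabData( nTabNo );` points readers to `bug-readme.md §14` and `line ~1502`, neither of which survives in the tree — the readme is not part of this commit and the line number will drift — so the rationale should be self-contained, e.g. `// Restore pThisTab == pTabData[nTabNo]: the loop above deleted and re-created the table entries, leaving pThisTab dangling (UAF on the next GetActivePart()).`. Both new lines index `pTabData` by `nTabNo`, which ReadUserDataSequence sets earlier from the loaded document settings (outside this hunk); I could not see that value being range-checked, so please confirm it is validated against the `pTabData` capacity before this point, otherwise a crafted document could drive `CreateTabData( nTabNo )` out of bounds here. The repair also lands only at the tail of the function, so anything that touches `pThisTab` between the loop's `delete` and this line still reads freed memory; resetting `pThisTab` at the point the loop replaces the entry (also outside this hunk) would keep the invariant intact rather than restoring it late. The enclosing function starts before this hunk.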
