cppuhelper/source/weak.cxx | 3 +++ 1 file changed, 3 insertions(+) New commits: commit 131e604073f89e6c1dd54be88b94b7befd881f2e Author: Michael Stahl <mst...@redhat.com> Date: Fri Jun 17 21:58:09 2016 +0200
cppuhelper: fix use-after-free race in OWeakConnectionPoint OWeakObject::m_pWeakConnectionPoint is returned from OWeakObject::queryAdapter(), and stored in OWeakRefListener::m_xWeakConnectionPoint. This is cleared in OWeakRefListener::dispose(), called from OWeakConnectionPoint::dispose(), called from OWeakObject::disposeWeakConnectionPoint(), but it can happen that another thread is in WeakReferenceHelper::get() and has copied m_xWeakConnectionPoint onto the stack before the OWeakObject is released and deleted, then calls OWeakConnectionPoint::queryAdapted() after it is released, accessing the dead m_pObject. Change-Id: I7782e6fb7e07f5a48cf7064115217376714ba8e8
diff --git a/cppuhelper/source/weak.cxx b/cppuhelper/source/weak.cxx
index ed1f772..85cf3f6 100644
--- a/cppuhelper/source/weak.cxx
+++ b/cppuhelper/source/weak.cxx
@@ -111,6 +111,9 @@ void SAL_CALL OWeakConnectionPoint::dispose() throw(css::uno::RuntimeException)
 std::vector<Reference<XReference>> aCopy;
 { // only hold the mutex while we access the field
 MutexGuard aGuard(getWeakMutex());
+ // OWeakObject is not the only owner of this, so clear m_pObject
+ // so that queryAdapted() won't use it now that it's dead
+ m_pObject = nullptr;
 // other code is going to call removeReference while we are doing this, so we need a
 // copy, but since we are disposing and going away, we can just take the original data
 aCopy.swap(m_aReferences);
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
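Review bot: The added `m_pObject = nullptr;` store closes the use-after-free only if every reader of m_pObject, queryAdapted() in particular, null-checks the pointer and takes its reference on the object while still holding getWeakMutex(). That reader is not part of this hunk, so it should be confirmed against the rest of weak.cxx. A reader that copies the pointer under the guard and dereferences it after the guard is released would presumably still reach the deleted OWeakObject. I would record the locking rule next to the store, for example `// invariant: m_pObject is read and written only with getWeakMutex() held`. dispose() begins before the hunk and continues past it.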