framework/qa/cppunit/data/empty.fodp | 2 ++ framework/qa/cppunit/dispatchtest.cxx | 32 ++++++++++++++++++++++++++++++++ sfx2/inc/unoctitm.hxx | 7 ++++++- sfx2/source/control/unoctitm.cxx | 21 +++++++++++++++++++++ 4 files changed, 61 insertions(+), 1 deletion(-)
New commits: commit d0f203e70bce041ea71943af6a909b13ca3ec0e4 Author: Michael Stahl <[email protected]> AuthorDate: Wed Jun 30 13:26:59 2021 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Thu Jul 1 12:19:41 2021 +0200 sfx2: try to fix lifecycle of SfxOfficeDispatch This can be created either from the global SfxApplication, or from a SfxViewFrame. Particularly in the latter case, the SfxDispatcher and SfxBindings members are owned by SfxViewFrame, so in case that is destroyed, the SfxOfficeDispatch must clear its pointers. It looks like the member pointers are checked before access already everywhere, so just listen at the SfxViewFrame. Change-Id: If08825734e94dd54e32cb77546684fd583c336ec Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118162 Tested-by: Michael Stahl <[email protected]> Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 7cbd6d768d282077053c354254315f3dc89bf254) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118176 Tested-by: Jenkins diff --git a/framework/qa/cppunit/data/empty.fodp b/framework/qa/cppunit/data/empty.fodp new file mode 100644 index 000000000000..3c2a4cf2cda5 --- /dev/null +++ b/framework/qa/cppunit/data/empty.fodp @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8"?> +<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.presentation"><office:body><office:presentation><draw:page/></office:presentation></office:body></office:document> diff --git a/framework/qa/cppunit/dispatchtest.cxx b/framework/qa/cppunit/dispatchtest.cxx index 586c4af3b9b0..2f21a71b005e 100644 --- a/framework/qa/cppunit/dispatchtest.cxx +++ b/framework/qa/cppunit/dispatchtest.cxx @@ -15,6 +15,7 @@ #include <com/sun/star/frame/DispatchHelper.hpp> #include <com/sun/star/frame/XDispatchProviderInterceptor.hpp> #include <com/sun/star/frame/XInterceptorInfo.hpp> +#include <com/sun/star/util/URLTransformer.hpp> #include <comphelper/processfactory.hxx> #include <rtl/ref.hxx> @@ -199,6 +200,37 @@ CPPUNIT_TEST_FIXTURE(DispatchTest, testInterception) // This was 1: MyInterceptor::queryDispatch() was called for .uno:Italic. CPPUNIT_ASSERT_EQUAL(0, pInterceptor->getUnexpected()); } + +constexpr OUStringLiteral DATA_DIRECTORY = u"/framework/qa/cppunit/data/"; + +CPPUNIT_TEST_FIXTURE(DispatchTest, testSfxOfficeDispatchDispose) +{ + // this test doesn't work with a new document because of aURL.Main check in SfxBaseController::dispatch() + mxComponent = loadFromDesktop(m_directories.getURLFromSrc(DATA_DIRECTORY) + "empty.fodp", + "com.sun.star.presentation.PresentationDocument"); + uno::Reference<frame::XModel> xModel(mxComponent, uno::UNO_QUERY); + CPPUNIT_ASSERT(xModel.is()); + uno::Reference<frame::XController> xController(xModel->getCurrentController()); + CPPUNIT_ASSERT(xController.is()); + uno::Reference<frame::XDispatchProvider> xFrame(xController->getFrame(), uno::UNO_QUERY); + CPPUNIT_ASSERT(xFrame.is()); + + uno::Reference<util::XURLTransformer> xParser(util::URLTransformer::create(mxComponentContext)); + util::URL url; + url.Complete = xModel->getURL() + "#dummy"; + xParser->parseStrict(url); + + uno::Reference<frame::XDispatch> xDisp(xFrame->queryDispatch(url, "", 0)); + CPPUNIT_ASSERT(xDisp.is()); + + mxComponent->dispose(); + + util::URL urlSlot; + urlSlot.Complete = "slot:5598"; + xParser->parseStrict(urlSlot); + // crashed with UAF + xDisp->dispatch(urlSlot, {}); +} } CPPUNIT_PLUGIN_IMPLEMENT(); diff --git a/sfx2/inc/unoctitm.hxx b/sfx2/inc/unoctitm.hxx index c180150325cc..7f6bf815e1f9 100644 --- a/sfx2/inc/unoctitm.hxx +++ b/sfx2/inc/unoctitm.hxx @@ -25,6 +25,7 @@ #include <cppuhelper/interfacecontainer.hxx> #include <cppuhelper/weakref.hxx> +#include <svl/lstner.hxx> #include <sfx2/ctrlitem.hxx> #include <osl/mutex.hxx> @@ -101,7 +102,9 @@ public: SfxDispatcher* GetDispatcher_Impl(); }; -class SfxDispatchController_Impl : public SfxControllerItem +class SfxDispatchController_Impl + : public SfxControllerItem + , public SfxListener { css::util::URL aDispatchURL; SfxDispatcher* pDispatcher; @@ -126,6 +129,8 @@ public: const css::util::URL& rURL ); virtual ~SfxDispatchController_Impl() override; + virtual void Notify(SfxBroadcaster& rBC, const SfxHint& rHint) override; + static OUString getSlaveCommand( const css::util::URL& rURL ); void StateChanged( sal_uInt16 nSID, SfxItemState eState, const SfxPoolItem* pState, SfxSlotServer const * pServ ); diff --git a/sfx2/source/control/unoctitm.cxx b/sfx2/source/control/unoctitm.cxx index 6228266abeb6..10e759e1eede 100644 --- a/sfx2/source/control/unoctitm.cxx +++ b/sfx2/source/control/unoctitm.cxx @@ -321,6 +321,27 @@ SfxDispatchController_Impl::SfxDispatchController_Impl( BindInternal_Impl( nSlot, pBindings ); pBindings->LEAVEREGISTRATIONS(); } + assert(pDispatcher); + assert(SfxApplication::Get()->GetAppDispatcher_Impl() == pDispatcher + || pDispatcher->GetFrame() != nullptr); + if (pDispatcher->GetFrame()) + { + StartListening(*pDispatcher->GetFrame()); + } + else + { + StartListening(*SfxApplication::Get()); + } +} + +void SfxDispatchController_Impl::Notify(SfxBroadcaster& rBC, SfxHint const& rHint) +{ + if (rHint.GetId() == SfxHintId::Dying) + { // both pBindings and pDispatcher are dead if SfxViewFrame is dead + pBindings = nullptr; + pDispatcher = nullptr; + EndListening(rBC); + } } SfxDispatchController_Impl::~SfxDispatchController_Impl() _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
