svx/source/svdraw/svdmodel.cxx | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
New commits:
commit 6362c905cf19f2f6cb67bf634091b14c2a8e90ec
Author: Mike Kaganski <mike.kagan...@collabora.com>
AuthorDate: Fri Jul 23 17:35:45 2021 +0200
Commit: Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Fri Jul 23 20:06:49 2021 +0200
tdf#143514: Avoid double-free in dbgutil code
SdrObject::Free may start a chain of deletions, removing more
than one object from maAllIncarnatedObjects. Trying to free
them for the second time after that would lead to crash.
Change-Id: I8648b05d167acecb2799ecf165c387721528a11a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119433
Tested-by: Mike Kaganski <mike.kagan...@collabora.com>
Reviewed-by: Mike Kaganski <mike.kagan...@collabora.com>
diff --git a/svx/source/svdraw/svdmodel.cxx b/svx/source/svdraw/svdmodel.cxx
index f46a34eaf6ec..7dcc8110faa4 100644
--- a/svx/source/svdraw/svdmodel.cxx
+++ b/svx/source/svdraw/svdmodel.cxx
@@ -197,13 +197,13 @@ SdrModel::~SdrModel()
if(!maAllIncarnatedObjects.empty())
{
SAL_WARN("svx","SdrModel::~SdrModel: Not all incarnations of
SdrObjects deleted, possible memory leak (!)");
- // copy to std::vector - calling SdrObject::Free will change
maAllIncarnatedObjects
- const std::vector< const SdrObject* >
maRemainingObjects(maAllIncarnatedObjects.begin(),
maAllIncarnatedObjects.end());
- for(auto pSdrObject : maRemainingObjects)
+ // calling SdrObject::Free will change maAllIncarnatedObjects, and
potentially remove more
+ // than one - do not copy to another container, to not try to free
already removed object.
+ do
{
- SdrObject* pCandidate(const_cast<SdrObject*>(pSdrObject));
+ SdrObject*
pCandidate(const_cast<SdrObject*>(*maAllIncarnatedObjects.begin()));
SdrObject::Free(pCandidate);
- }
+ } while (!maAllIncarnatedObjects.empty());
}
#endif
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
