comphelper/source/streaming/seqoutputstreamserv.cxx | 3 ++- sw/source/core/txtnode/fntcache.cxx | 5 ++--- 2 files changed, 4 insertions(+), 4 deletions(-)
New commits: commit 03e8e1a408eef3c8acc5545416eda9d0938e21f7 Author: Michael Stahl <[email protected]> AuthorDate: Thu Jan 20 12:48:50 2022 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Thu Jan 20 14:59:41 2022 +0100 comphelper: fix UAF in SequenceOutputStreamService dtor Change-Id: I91f77ee9ab4d509ebee3d04f94a3c63986de0ef1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128657 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> diff --git a/comphelper/source/streaming/seqoutputstreamserv.cxx b/comphelper/source/streaming/seqoutputstreamserv.cxx index d70377d70f48..19ef79002978 100644 --- a/comphelper/source/streaming/seqoutputstreamserv.cxx +++ b/comphelper/source/streaming/seqoutputstreamserv.cxx @@ -62,8 +62,9 @@ private: std::mutex m_aMutex; - uno::Reference< io::XOutputStream > m_xOutputStream; + // WARNING: dtor of m_xOutputStream writes into m_aSequence so that must live longer! uno::Sequence< ::sal_Int8 > m_aSequence; + uno::Reference< io::XOutputStream > m_xOutputStream; }; SequenceOutputStreamService::SequenceOutputStreamService() { commit 1499ba1213f353238ee4c5acfb4fc626c5f37ca6 Author: Caolán McNamara <[email protected]> AuthorDate: Thu Jan 20 12:19:52 2022 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Thu Jan 20 14:59:27 2022 +0100 Revert "can use the glyphcache for this GetTextArray call" nothing wrong with this commit, but there's a an underlying bug in the direction I wanted to go here. This reverts commit 5fc43fe24c24c58e401707fa6fffe9250186b99c. Change-Id: Id670d9331cf41a0d2dcc2a74792c1aa7db4ec284 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128661 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]> diff --git a/sw/source/core/txtnode/fntcache.cxx b/sw/source/core/txtnode/fntcache.cxx index f40072e26b8d..cb68f6535635 100644 --- a/sw/source/core/txtnode/fntcache.cxx +++ b/sw/source/core/txtnode/fntcache.cxx 
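Review bot: The use-after-free fix in the `private:` member list of seqoutputstreamserv.cxx depends only on declaration order, and the added comment's "so that must live longer" does not say which member "that" is or why the order matters. A clearer wording would be `// m_xOutputStream must stay declared after m_aSequence: members are destroyed in reverse declaration order, and the stream's dtor writes into m_aSequence`. Since a later tidy-up of the member list would silently bring the bug back, consider also releasing the stream explicitly in the destructor with `m_xOutputStream.clear();`, so the order is enforced in code rather than by a comment. The class body and its destructor lie outside this hunk, so it cannot be confirmed here that nothing else holds a reference to the stream. If something does, the stream's destructor could still run after `m_aSequence` is gone, and reordering alone would not cover that case.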
@@ -2091,13 +2091,11 @@ Size SwFntObj::GetTextSize( SwDrawTextInfo& rInf ) { if( !m_pPrtFont->IsSameInstance( rInf.GetOut().GetFont() ) ) rInf.GetOut().SetFont( *m_pPrtFont ); - SwTextGlyphsKey aGlyphsKey{ &rInf.GetOut(), rInf.GetText(), sal_Int32(rInf.GetIdx()), sal_Int32(nLn) }; if( bCompress ) { std::vector<sal_Int32> aKernArray; - SalLayoutGlyphs* pGlyphs = GetCachedSalLayoutGlyphs(aGlyphsKey); rInf.GetOut().GetTextArray( rInf.GetText(), &aKernArray, - sal_Int32(rInf.GetIdx()), sal_Int32(nLn), nullptr, pGlyphs); + sal_Int32(rInf.GetIdx()), sal_Int32(nLn)); rInf.SetKanaDiff( rInf.GetScriptInfo()->Compress( aKernArray.data(), rInf.GetIdx(), nLn, rInf.GetKanaComp(), o3tl::narrowing<sal_uInt16>(m_aFont.GetFontSize().Height()) ,lcl_IsFullstopCentered( rInf.GetOut() ) ) ); @@ -2105,6 +2103,7 @@ Size SwFntObj::GetTextSize( SwDrawTextInfo& rInf ) } else { + SwTextGlyphsKey aGlyphsKey{ &rInf.GetOut(), rInf.GetText(), sal_Int32(rInf.GetIdx()), sal_Int32(nLn) }; aTextSize.setWidth( GetCachedTextWidth(aGlyphsKey, rInf.GetVclCache())); rInf.SetKanaDiff( 0 ); }
