starmath/source/mathml/iterator.cxx |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

New commits:
commit 4dcc03681395a894adb0179045fc4be2339a1f10
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Sun May 22 14:50:55 2022 +0200
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Tue May 24 09:57:54 2022 +0200

    starmath: fix real use-after-free detected by GCC 12
    
    In file included from starmath/inc/mathml/iterator.hxx:12,
                     from starmath/source/mathml/iterator.cxx:10:
    In member function ‘SmMlElement* SmMlElement::getParentElement()’,
        inlined from ‘void mathml::SmMlIteratorBottomToTop(SmMlElement*, 
runType, void*) [with runType = void (*)(SmMlElement*, void*)]’ at 
starmath/inc/mathml/iterator.hxx:43:39,
        inlined from ‘void mathml::SmMlIteratorFree(SmMlElement*)’ at 
starmath/source/mathml/iterator.cxx:57:28:
    starmath/inc/mathml/element.hxx:263:46: error: pointer ‘pCurrent’ used 
after ‘void operator delete(void*, std::size_t)’ [-Werror=use-after-free]
      263 |     SmMlElement* getParentElement() { return m_aParentElement; };
          |                                              ^~~~~~~~~~~~~~~~
    In function ‘void mathml::deleteElement(SmMlElement*, void*)’,
        inlined from ‘void mathml::deleteElement(SmMlElement*, void*)’ at 
starmath/source/mathml/iterator.cxx:19:20,
        inlined from ‘void mathml::SmMlIteratorBottomToTop(SmMlElement*, 
runType, void*) [with runType = void (*)(SmMlElement*, void*)]’ at 
starmath/inc/mathml/iterator.hxx:65:21,
        inlined from ‘void mathml::SmMlIteratorFree(SmMlElement*)’ at 
starmath/source/mathml/iterator.cxx:57:28:
    starmath/source/mathml/iterator.cxx:19:77: note: call to ‘void operator 
delete(void*, std::size_t)’ here
       19 | static inline void deleteElement(SmMlElement* aSmMlElement, void*) 
{ delete aSmMlElement; }
          |                                                                     
        ^~~~~~~~~~~~
    
    Change-Id: I09acfe3f7e90bd7f919cfba161f72bdd7a8da70a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134742
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 32c43ee75c094ffe3c34f7a713aa252479515ad0)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134775
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/starmath/source/mathml/iterator.cxx 
b/starmath/source/mathml/iterator.cxx
index 481ff799689c..489cbe8ebc05 100644
--- a/starmath/source/mathml/iterator.cxx
+++ b/starmath/source/mathml/iterator.cxx
@@ -56,7 +56,11 @@ void SmMlIteratorFree(SmMlElement* pMlElementTree)
 {
     if (pMlElementTree == nullptr)
         return;
-    SmMlIteratorBottomToTop(pMlElementTree, deleteElement, nullptr);
+    for (size_t i = 0; i < pMlElementTree->getSubElementsCount(); ++i)
+    {
+        SmMlIteratorFree(pMlElementTree->getSubElement(i));
+    }
+    deleteElement(pMlElementTree, nullptr);
 }
 
 SmMlElement* SmMlIteratorCopy(SmMlElement* pMlElementTree)
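Review bot: The recursive `SmMlIteratorFree(pMlElementTree->getSubElement(i))` call in the new loop uses one stack frame per nesting level, so teardown depth is bounded only by the depth of the element tree. If that tree is built from document-supplied MathML (the parser is not visible in this hunk), a deeply nested formula could exhaust the stack while it is being freed. Collecting the nodes into a worklist and deleting them in reverse keeps the children-before-parent order that fixes the use-after-free, without the recursion. The fix also relies on `~SmMlElement` neither deleting nor dereferencing its sub-elements, which this hunk does not show, so a short comment stating that ownership rule above the loop would help.

```cpp
void SmMlIteratorFree(SmMlElement* pMlElementTree)
{
    // … unchanged: nullptr guard …
    // Gather every node first; a parent always precedes its children in aNodes.
    std::vector<SmMlElement*> aNodes{ pMlElementTree };
    for (size_t n = 0; n < aNodes.size(); ++n)
    {
        SmMlElement* pNode = aNodes[n];
        for (size_t i = 0; i < pNode->getSubElementsCount(); ++i)
        {
            if (SmMlElement* pChild = pNode->getSubElement(i))
                aNodes.push_back(pChild);
        }
    }
    // Delete in reverse so no element is freed before its descendants.
    for (auto it = aNodes.rbegin(); it != aNodes.rend(); ++it)
        deleteElement(*it, nullptr);
```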
