editeng/source/editeng/impedit2.cxx | 13 ++++++++++++- sfx2/source/doc/objmisc.cxx | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-)
New commits: commit 757435b250e9c1ecb5cf71906869348aecee2ed2 Author: Miklos Vajna <[email protected]> AuthorDate: Fri Jan 30 13:08:27 2026 +0100 Commit: Ilmari Lauhakangas <[email protected]> CommitDate: Thu Feb 12 20:52:56 2026 +0100 editeng: fix crash in ImpEditEngine::GetXPos() gdb backtrace on the core file from the crashreport: #5 0x0000000000afc0ee in std::__glibcxx_assert_fail(char const*, int, char const*, char const*) () #6 0x00007078315a78ff in std::vector<double, std::allocator<double> >::operator[] (this=<optimized out>, __n=<optimized out>) at /opt/rh/devtoolset-12/root/usr/include/c++/12/bits/stl_vector.h:1140 #7 std::vector<double, std::allocator<double> >::operator[] (this=<optimized out>, __n=<optimized out>) at /opt/rh/devtoolset-12/root/usr/include/c++/12/bits/stl_vector.h:1140 #8 ImpEditEngine::GetXPos (this=this@entry=0x3e8745e0, rParaPortion=..., rLine=..., nIndex=-18, bPreferPortionStart=<optimized out>) at editeng/source/editeng/impedit2.cxx:4303 #9 0x00007078315a79f6 in ImpEditEngine::GetEditCursor (this=this@entry=0x3e8745e0, rPortion=..., rLine=..., nIndex=<optimized out>, aFlags=aFlags@entry=...) at editeng/source/editeng/impedit2.cxx:3113 and: #8 ImpEditEngine::GetXPos (this=this@entry=0x3e8745e0, rParaPortion=..., rLine=..., nIndex=-18, bPreferPortionStart=<optimized out>) at editeng/source/editeng/impedit2.cxx:4303 4303 nPortionTextWidth = rLine.GetCharPosArray()[nTextPortionStart + rPortion.GetLen() - 1 - rLine.GetStart()]; (gdb) print rLine.maPositions $1 = std::vector of length 1, capacity 1 = {171.307373046875} (gdb) print nTextPortionStart $2 = 0 (gdb) print rPortion $3 = (const TextPortion &) @0x3b3cc250: {xExtraInfos = std::unique_ptr<ExtraPortionInfo> = {get() = 0x0}, nLen = 38, aOutSz = {<SizeTemplate<Size>> = {<SizeTemplateBase> = {<Pair> = { mnA = 5661, mnB = 344}, <No data fields>}, <No data fields>}, <No data fields>}, nKind = PortionKind::TEXT, nRightToLeftLevel = 0 ' (gdb) print rLine $4 = (const EditLine &) @0x3e968420: {maPositions = std::vector of length 1, capacity 1 = {171.307373046875}, maKashidaPositions = std::vector of length 0, capacity 0, mnTextWidth = 171, mnStartPosX = 3443, mnNextLinePosXDiff = 0, mnStart = 39, mnEnd = 40, mnStartPortion = 2, mnEndPortion = 2, mnHeight = 344, mnTextHeight = 344, mnMaxAscent = 265, mbHangingPunctuation = false, mbInvalid = true} Seeing nPortionTextWidth is updated conditionally, also require to only update if the array index would be inside the array bounds. Change-Id: I98adbc55187f0221534bc358755e51160cdb992b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/198436 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins (cherry picked from commit d7c2f3dfe78c91cb7610cc71545f822481235595) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/198439 Reviewed-by: Adolfo Jayme Barrientos <[email protected]> (cherry picked from commit f7a0346e41ecad5f2e738264c22c38e06cf9c9c6) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/199078 Reviewed-by: Xisco Fauli <[email protected]> Tested-by: Ilmari Lauhakangas <[email protected]> Reviewed-by: Dan Williams <[email protected]> Reviewed-by: Ilmari Lauhakangas <[email protected]> diff --git a/editeng/source/editeng/impedit2.cxx b/editeng/source/editeng/impedit2.cxx index 5ce813b2d8f7..d4ac8c4b7f77 100644 --- a/editeng/source/editeng/impedit2.cxx +++ b/editeng/source/editeng/impedit2.cxx @@ -4534,7 +4534,18 @@ tools::Long ImpEditEngine::GetXPos(ParaPortion const& rParaPortion, EditLine con // But the array might not be init yet, if using text ranger this method is called within CreateLines()... tools::Long nPortionTextWidth = rPortion.GetSize().Width(); if ( ( rPortion.GetKind() == PortionKind::TEXT ) && rPortion.GetLen() && !GetTextRanger() ) - nPortionTextWidth = rLine.GetCharPosArray()[nTextPortionStart + rPortion.GetLen() - 1 - rLine.GetStart()]; + { + sal_Int32 nCharPosArrayIndex = nTextPortionStart + rPortion.GetLen() - 1 - rLine.GetStart(); + if (nCharPosArrayIndex >= 0 + && o3tl::make_unsigned(nCharPosArrayIndex) < rLine.GetCharPosArray().size()) + { + nPortionTextWidth = rLine.GetCharPosArray()[nCharPosArrayIndex]; + } + else + { + SAL_WARN("editeng", "ImpEditEngine::GetXPos: out of bounds access to rLine.GetCharPosArray()"); + } + } if ( nTextPortionStart != nIndex ) { commit 5429e5bc42495f558e9c52c2084ca3d6f8ce1549 Author: Miklos Vajna <[email protected]> AuthorDate: Thu Jan 29 09:54:57 2026 +0100 Commit: Ilmari Lauhakangas <[email protected]> CommitDate: Thu Feb 12 20:52:42 2026 +0100 sfx2: fix crash in SfxObjectShell::PostActivateEvent_Impl() gdb backtrace on the core file from the crashreport: #0 0x00007078323c6c4e in std::__shared_ptr<SfxItemSet, (__gnu_cxx::_Lock_policy)2>::operator bool (this=<optimized out>) at /opt/rh/devtoolset-12/root/usr/include/c++/12/bits/shared_ptr_base.h:1670 #1 SfxMedium::GetItemSet (this=0x0) at sfx2/source/doc/docfile.cxx:3840 #2 0x0000707832428792 in SfxObjectShell::PostActivateEvent_Impl (this=0x3e357de0, pFrame=pFrame@entry=0x427b7460) at sfx2/source/doc/objmisc.cxx:933 #3 0x0000707832214661 in SfxApplication::SetViewFrame_Impl (this=0x3c0a39d0, pFrame=pFrame@entry=0x427b7460) at sfx2/source/appl/app.cxx:273 #4 0x000070783254804f in SfxViewFrame::SetViewFrame (pFrame=0x427b7460) at sfx2/source/view/viewfrm.cxx:3735 and: #2 0x0000707832428792 in SfxObjectShell::PostActivateEvent_Impl (this=0x3e357de0, pFrame=pFrame@entry=0x427b7460) at sfx2/source/doc/objmisc.cxx:933 933 const SfxBoolItem* pHiddenItem = pMedium->GetItemSet().GetItem(SID_HIDDEN, false); (gdb) print pMedium $1 = (SfxMedium *) 0x0 Assume that no medium means the same as medium having no hiddem item. Change-Id: I6295cfd90d2a3d529fa5e915983578e6768a2244 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/198357 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins (cherry picked from commit 01d66be56971875a690f3e698093492e39485efa) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/198403 Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit 6dbb577716acfcc909d4368109c5d95853bccb4d) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/199079 Reviewed-by: Dan Williams <[email protected]> Tested-by: Ilmari Lauhakangas <[email protected]> Reviewed-by: Ilmari Lauhakangas <[email protected]> diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index a0296194e807..c41a9ba29ec7 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -930,7 +930,7 @@ void SfxObjectShell::PostActivateEvent_Impl( SfxViewFrame const * pFrame ) if ( pSfxApp->IsDowning() || IsLoading() || !pFrame || pFrame->GetFrame().IsClosing_Impl() ) return; - const SfxBoolItem* pHiddenItem = pMedium->GetItemSet().GetItem(SID_HIDDEN, false); + const SfxBoolItem* pHiddenItem = pMedium ? pMedium->GetItemSet().GetItem(SID_HIDDEN, false) : nullptr; if ( !pHiddenItem || !pHiddenItem->GetValue() ) { SfxEventHintId nId = pImpl->nEventId;
