sw/source/core/layout/findfrm.cxx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits: commit 734a14a55079ff514a0c433a1d8723d8d7960fe2 Author: Andras Timar <[email protected]> AuthorDate: Sun Mar 1 17:54:27 2026 +0100 Commit: Miklos Vajna <[email protected]> CommitDate: Mon Mar 2 15:02:40 2026 +0100 Fix SIGSEGV in lcl_FindCorrespondingCellFrame with mismatched cell counts When a table splits across pages, lcl_FindCorrespondingCellFrame walks the cells of the original row and the corresponding row in lockstep. If the corresponding row has fewer cells (e.g. during partially constructed layout at document load), pCorrCell becomes null while pCell is still iterating, and pCorrCell->GetNext() dereferences null (SIGSEGV at address 0xb8, the offset of mpNext in SwFrame). Add a null guard for pCorrCell in the loop and bail out early if either pointer is null after the loop. Change-Id: Idcd64bbb0aeef8de0dcf3957c120ca13d81d6792 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200722 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Miklos Vajna <[email protected]>
diff --git a/sw/source/core/layout/findfrm.cxx b/sw/source/core/layout/findfrm.cxx
index 99c625a9cfc5..7684add72c3e 100644
--- a/sw/source/core/layout/findfrm.cxx
+++ b/sw/source/core/layout/findfrm.cxx
@@ -1716,11 +1716,14 @@ static SwCellFrame* lcl_FindCorrespondingCellFrame( const SwRowFrame& rOrigRow,
 while ( pCell != &rOrigCell && !pCell->IsAnLower( &rOrigCell ) )
 {
 pCell = static_cast<const SwCellFrame*>(pCell->GetNext());
- pCorrCell = static_cast<SwCellFrame*>(pCorrCell->GetNext());
+ pCorrCell = static_cast<SwCellFrame*>(pCorrCell ? pCorrCell->GetNext() : nullptr);
 }
 assert(pCell && pCorrCell && "lcl_FindCorrespondingCellFrame does not work");
+ if ( !pCell || !pCorrCell )
+ return nullptr;
+
 if ( pCell != &rOrigCell )
 {
 // rOrigCell must be a lower of pCell. We need to recurse into the rows:
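Review bot: The loop condition still calls `pCell->IsAnLower( &rOrigCell )` on whatever `pCell->GetNext()` returned, so a null `pCell` would fault there before the new `!pCell` test after the loop is reached; only the `pCorrCell` half of that test is effective. Putting both guards in the condition, `while ( pCell && pCorrCell && pCell != &rOrigCell && !pCell->IsAnLower( &rOrigCell ) )`, covers both pointers, makes the ternary unnecessary, and stops the walk as soon as the corresponding row runs out of cells. The `assert(pCell && pCorrCell && ...)` kept directly above the new return still aborts assert-enabled builds on exactly the mismatch the commit message describes as reachable during document load, so it should be dropped or downgraded to a warning log (e.g. `SAL_WARN`) if that state is now considered legitimate. The function body continues past the end of the hunk and its callers are not visible here; presumably they already tolerate a null result, but that is worth confirming now that nullptr is a deliberate return value.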
