Apache OpenOffice (AOO) Bugzilla – Issue 109743
editengine: crash when dragging slide over an active text engine
Last modified: 2010-06-17 20:28:13 UTC
This is marvellously difficult to reproduce, but I managed it once or twice by luck under valgrind with random drags of an impress slide from one presentation into/over/around an active text engine in another presentation. I had added printfs to print ImpEditView::dragOver and ImpEditView::dragEnter when those methods were called and attached is the output and valgrind trace. Somehow it seems to be possible for dragOver to be called without a previous dragEnter and a comment along the lines of

// #123688# Shouldn't happen, but seems to happen...
if ( pDragAndDropInfo )
...

suggests that scenario has occurred in the past in a similar method. valgrind trace is...

SelectionManager::sendDropPosition
ImpEditView::dragOver
==14339== Thread 6:
==14339== Invalid read of size 1
==14339==    at 0x199470C3: ImpEditView::dragOver(com::sun::star::datatransfer::dnd::DropTargetDragEvent const&) (impedit.cxx:1986)
==14339==    by 0x7B7F291: DNDListenerContainer::fireDragOverEvent(com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDragContext> const&, signed char, int, int, signed char) (dndlcon.cxx:306)
==14339==    by 0x7B7D5B8: DNDEventDispatcher::fireDragOverEvent(Window*, com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDragContext> const&, signed char, Point const&, signed char) (dndevdis.cxx:421)
==14339==    by 0x7B7D7AA: DNDEventDispatcher::dragOver(com::sun::star::datatransfer::dnd::DropTargetDragEvent const&) (dndevdis.cxx:232)
==14339==    by 0x11159D54: x11::DropTarget::dragOver(com::sun::star::datatransfer::dnd::DropTargetDragEvent const&) (X11_droptarget.cxx:194)
==14339==    by 0x1114969C: x11::SelectionManager::sendDropPosition(bool, unsigned long) (X11_selection.cxx:2543)
==14339==    by 0x1114FD61: x11::SelectionManager::handleDragEvent(_XEvent&) (X11_selection.cxx:2710)
==14339==    by 0x1115272A: x11::SelectionManager::handleXEvent(_XEvent&) (X11_selection.cxx:3647)
==14339==    by 0x11152C07: x11::SelectionManager::dispatchEvent(int) (X11_selection.cxx:3689)
==14339==    by 0x11152DDD: x11::SelectionManager::run(void*) (X11_selection.cxx:3721)
==14339==    by 0x4C38A8B: osl_thread_start_Impl (thread.c:269)
==14339==    by 0x3B72E06CA9: start_thread (pthread_create.c:297)
==14339==  Address 0x80 is not stack'd, malloc'd or (recently) free'd
==14339==
==14339==
==14339== Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 68112: make more secure in face of omitted dragEnter
So attached patch makes the editengine not freak out and die if a dragOver is called without a previous dragEnter
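The failure mode described in the report and the patch comment above is a drop-target callback that assumes its per-drag state was created by an earlier dragEnter, so an out-of-order dragOver reads through a null pointer (the "Address 0x80" read in the valgrind trace is a field offset from null). The following is an added, simplified model written for this page, not the OpenOffice ImpEditView code or the attached patch: a hypothetical SafeDropTarget whose dragOver checks for the missing state, ignores the event instead of dereferencing, and counts such orphan events so the out-of-order delivery can be spotted in logs or tests. All names (DragEvent, DragAndDropInfo, OverResult, runOutOfOrderSequence) are constructed for the example.

```cpp
#include <cstdio>
#include <memory>

// Constructed types for the example; not the toolkit's real event or info structs.
struct DragEvent {
    int x;
    int y;
};

// Per-drag state, the analogue of the pDragAndDropInfo the report mentions.
// It exists only between dragEnter and dragExit.
struct DragAndDropInfo {
    int lastX = 0;
    int lastY = 0;
    int overEvents = 0;  // dragOver events seen during this drag
};

enum class OverResult {
    Tracked,       // normal case: dragEnter had already created the state
    NoActiveDrag   // dragOver arrived without a prior dragEnter; event ignored
};

class SafeDropTarget {
public:
    void dragEnter(const DragEvent& e) {
        // A repeated dragEnter without dragExit simply restarts the drag.
        m_info = std::make_unique<DragAndDropInfo>();
        m_info->lastX = e.x;
        m_info->lastY = e.y;
    }

    // The unguarded form of this method would write "m_info->lastX = e.x"
    // unconditionally and fault whenever the toolkit delivered dragOver
    // first. Checking for the missing state turns the crash into a no-op
    // and records that the protocol assumption was violated.
    OverResult dragOver(const DragEvent& e) {
        if (!m_info) {
            ++m_orphanOverEvents;
            return OverResult::NoActiveDrag;
        }
        m_info->lastX = e.x;
        m_info->lastY = e.y;
        ++m_info->overEvents;
        return OverResult::Tracked;
    }

    void dragExit() { m_info.reset(); }

    bool hasActiveDrag() const { return m_info != nullptr; }
    int orphanOverEvents() const { return m_orphanOverEvents; }
    const DragAndDropInfo* info() const { return m_info.get(); }

private:
    std::unique_ptr<DragAndDropInfo> m_info;
    int m_orphanOverEvents = 0;  // diagnostics: dragOver without dragEnter
};

// Drives a constructed event sequence in which dragOver arrives before any
// dragEnter and again after dragExit, the situation the report describes.
// Returns how many orphan dragOver events the target absorbed (expected: 2).
int runOutOfOrderSequence(SafeDropTarget& target) {
    target.dragOver({10, 10});   // no dragEnter yet: must not crash
    target.dragEnter({12, 12});
    target.dragOver({14, 14});   // normal tracked event
    target.dragExit();
    target.dragOver({16, 16});   // state already released: ignored again
    return target.orphanOverEvents();
}

int main() {
    SafeDropTarget target;
    int orphans = runOutOfOrderSequence(target);
    std::printf("orphan dragOver events absorbed: %d\n", orphans);
    return orphans == 2 ? 0 : 1;
}
```

The design choice worth noting is that the guard does not try to synthesise the missing dragEnter (which would require trusting the position and payload of a stray event); it simply refuses to act until the toolkit delivers the proper sequence, which is the conservative behaviour when the caller's ordering guarantee has already been shown not to hold.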
Created attachment 68113: svx.safedrags.patch applies to old 3.2.0 location, this one applies to new 3.3.0 editengine module
tl's been appointed editengine patch owner, so reassigning :-)
Setting target to OOo 3.3. tl->cmc: Thanks for the patch. ^_^
Fixed in CWS tl80.
tl->cmc: please verify (probably in source code only though). Thanks!
verified, more secure now
closing, integrated