tdf#112311 oox: fix UAF of std::shared_ptr

OOXMLFastContextHandlerShape::sendShape() deletes the parent context's ShapeTypeContext::mrTypeModel. It looks like the sendShape() can't be delayed because writerfilter wants to import the v:textbox content into a text frame. Keep the shape alive until the end of the containing context. Not sure if it's going to process the v:fill element properly, but at lest valgrind is happy. (probably regression from CWS writerfilter32bugfixes01) Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0

tdf#112311 oox: fix UAF of std::shared_ptr
OOXMLFastContextHandlerShape::sendShape() deletes the parent context's ShapeTypeContext::mrTypeModel. It looks like the sendShape() can't be delayed because writerfilter wants to import the v:textbox content into a text frame. Keep the shape alive until the end of the containing context. Not sure if it's going to process the v:fill element properly, but at lest valgrind is happy. (probably regression from CWS writerfilter32bugfixes01) Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0
88c84e71 · Michael Stahl · b5368c91 · 88c84e71 · 88c84e71 · 88c84e71
Kaydet (Commit) 88c84e71 authored Eyl 13, 2017 tarafından Michael Stahl
4 changed files
--- a/include/oox/vml/vmlshapecontainer.hxx
+++ b/include/oox/vml/vmlshapecontainer.hxx
@@ -61,10 +61,10 @@ public:
    Drawing&     getDrawing() { return mrDrawing; }
    /** Creates and returns a new shape template object. */
-    ShapeType&          createShapeType();
+    std::shared_ptr<ShapeType> createShapeType();
    /** Creates and returns a new shape object of the specified type. */
    template< typename ShapeT >
-    ShapeT&             createShape();
+    std::shared_ptr<ShapeT> createShape();
    /** Final processing after import of the drawing fragment. */
    void                finalizeFragmentImport();
@@ -123,11 +123,11 @@ private:
 template< typename ShapeT >
-ShapeT& ShapeContainer::createShape()
+std::shared_ptr<ShapeT> ShapeContainer::createShape()
 {
    std::shared_ptr< ShapeT > xShape( new ShapeT( mrDrawing ) );
    maShapes.push_back( xShape );
-    return *xShape;
+    return xShape;
 }
 template< typename Functor >

--- a/include/oox/vml/vmlshapecontext.hxx
+++ b/include/oox/vml/vmlshapecontext.hxx
@@ -99,7 +99,7 @@ class ShapeTypeContext : public ShapeContextBase
 public:
    explicit            ShapeTypeContext(
                            ::oox::core::ContextHandler2Helper const & rParent,
-                            ShapeType& rShapeType,
+                            std::shared_ptr<ShapeType> const& pShapeType,
                            const AttributeList& rAttribs );
    virtual ::oox::core::ContextHandlerRef
@@ -113,6 +113,7 @@ private:
    OptValue< OUString > decodeFragmentPath( const AttributeList& rAttribs, sal_Int32 nToken ) const;
 private:
+    std::shared_ptr<ShapeType> m_pShapeType;
    ShapeTypeModel&     mrTypeModel;
 };
@@ -122,7 +123,7 @@ class ShapeContext : public ShapeTypeContext
 public:
    explicit            ShapeContext(
                            ::oox::core::ContextHandler2Helper const & rParent,
-                            ShapeBase& rShape,
+                            std::shared_ptr<ShapeBase> pShape,
                            const AttributeList& rAttribs );
    virtual ::oox::core::ContextHandlerRef
@@ -155,7 +156,7 @@ class GroupShapeContext : public ShapeContext
 public:
    explicit            GroupShapeContext(
                            ::oox::core::ContextHandler2Helper const & rParent,
-                            GroupShape& rShape,
+                            std::shared_ptr<GroupShape> pShape,
                            const AttributeList& rAttribs );
    virtual ::oox::core::ContextHandlerRef
@@ -172,7 +173,7 @@ public:
    explicit            RectangleShapeContext(
                            ::oox::core::ContextHandler2Helper const & rParent,
                            const AttributeList& rAttribs,
-                            RectangleShape& rShape );
+                            std::shared_ptr<RectangleShape> pShape);
    virtual ::oox::core::ContextHandlerRef
                        onCreateContext( sal_Int32 nElement, const AttributeList& rAttribs ) override;

--- a/oox/source/vml/vmlshapecontainer.cxx
+++ b/oox/source/vml/vmlshapecontainer.cxx
@@ -59,11 +59,11 @@ ShapeContainer::~ShapeContainer()
 {
 }
-ShapeType& ShapeContainer::createShapeType()
+std::shared_ptr<ShapeType> ShapeContainer::createShapeType()
 {
    std::shared_ptr< ShapeType > xShape( new ShapeType( mrDrawing ) );
    maTypes.push_back( xShape );
-    return *xShape;
+    return xShape;
 }
 void ShapeContainer::finalizeFragmentImport()

--- a/oox/source/vml/vmlshapecontext.cxx
+++ b/oox/source/vml/vmlshapecontext.cxx
@@ -269,9 +269,12 @@ ContextHandlerRef ShapeContextBase::createShapeContext( ContextHandler2Helper co
    return nullptr;
 }
-ShapeTypeContext::ShapeTypeContext( ContextHandler2Helper const & rParent, ShapeType& rShapeType, const AttributeList& rAttribs ) :
+ShapeTypeContext::ShapeTypeContext(ContextHandler2Helper const & rParent,
-    ShapeContextBase( rParent ),
+        std::shared_ptr<ShapeType> const& pShapeType,
-    mrTypeModel( rShapeType.getTypeModel() )
+        const AttributeList& rAttribs)
+    : ShapeContextBase(rParent)
+    , m_pShapeType(pShapeType) // tdf#112311 keep it alive
+    , mrTypeModel( pShapeType->getTypeModel() )
 {
    // shape identifier and shape name
    bool bHasOspid = rAttribs.hasAttribute( O_TOKEN( spid ) );
@@ -444,10 +447,11 @@ void ShapeTypeContext::setStyle( const OUString& rStyle )
    }
 }
-ShapeContext::ShapeContext( ContextHandler2Helper const & rParent, ShapeBase& rShape, const AttributeList& rAttribs ) :
+ShapeContext::ShapeContext(ContextHandler2Helper const & rParent,
-    ShapeTypeContext( rParent, rShape, rAttribs ),
+        std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs)
-    mrShape( rShape ),
+    : ShapeTypeContext( rParent, pShape, rAttribs )
-    mrShapeModel( rShape.getShapeModel() )
+    , mrShape( *pShape )
+    , mrShapeModel( pShape->getShapeModel() )
 {
    // collect shape specific attributes
    mrShapeModel.maType = rAttribs.getXString( XML_type, OUString() );
@@ -534,9 +538,10 @@ void ShapeContext::setVmlPath( const OUString& rPath )
        mrShapeModel.maVmlPath = rPath;
 }
-GroupShapeContext::GroupShapeContext( ContextHandler2Helper const & rParent, GroupShape& rShape, const AttributeList& rAttribs ) :
+GroupShapeContext::GroupShapeContext(ContextHandler2Helper const & rParent,
-    ShapeContext( rParent, rShape, rAttribs ),
+        std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs)
-    mrShapes( rShape.getChildren() )
+    : ShapeContext( rParent, pShape, rAttribs )
+    , mrShapes( pShape->getChildren() )
 {
 }
@@ -548,8 +553,9 @@ ContextHandlerRef GroupShapeContext::onCreateContext( sal_Int32 nElement, const
    return xContext.get() ? xContext : ShapeContext::onCreateContext( nElement, rAttribs );
 }
-RectangleShapeContext::RectangleShapeContext( ContextHandler2Helper const & rParent, const AttributeList& rAttribs, RectangleShape& rShape ) :
+RectangleShapeContext::RectangleShapeContext(ContextHandler2Helper const & rParent,
-    ShapeContext( rParent, rShape, rAttribs )
+        const AttributeList& rAttribs, std::shared_ptr<RectangleShape> pShape)
+    : ShapeContext( rParent, pShape, rAttribs )
 {
 }