Steps:
1. Open Writer
2. Insert > Shape > Basic shape > Rectangle
3. Right-click on shape > Add text box
4. Write some text in the text box
5. Right-click > Remove text box

Result: crash. Note that this does not happen for a diamond shape.

If run from a console, this warning is shown when adding the textbox:
warn:sw.core:75044:75044:sw/source/core/doc/textboxhelper.cxx:925: SwTextBoxHelper::syncProperty: unhandled which-id: 123 (member-id: 0)

Crash reproduced in:

Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 579d144290c1617fdb38d09b30900a6bbe390b8d
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: fr-FR (en_AU.UTF-8); UI: en-US
Calc: threaded

Version: 7.5.0.1 (X86_64) / LibreOffice Community
Build ID: 77cd3d7ad4445740a0c6cf977992dafd8ebad8df
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

But not in:

Version: 7.4.4.2 / LibreOffice Community
Build ID: 85569322deea74ec9134968a29af2df5663baa21
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Not reproduced with gen, kf5 or qt5 VCLs.
Not reproduced on Windows 10 at all.
I can reproduce

#0 SwFrame::IsTextFrame() const (this=0x0) at sw/source/core/inc/frame.hxx:1236
#1 0x00007fffa8dcb865 in sw::FrameContainsNode(SwContentFrame const&, o3tl::strong_int<int, Tag_SwNodeOffset>) (rFrame=..., nNodeIndex=...) at sw/source/core/text/txtfrm.cxx:292
#2 0x00007fffa82c9fd4 in SwCursorShell::GetSelText() const (this=0x5509470) at sw/source/core/crsr/crsrsh.cxx:2565
#3 0x00007fffa89017f0 in SwEditShell::GetSelectedText(rtl::OUString&, ParaBreakType) (this=0x5509470, rBuf="", nHndlParaBrk=ParaBreakType::ToOnlyCR) at sw/source/core/edit/edglss.cxx:264
#4 0x00007fffa97e19a7 in SwEditWin::GetSurroundingText() const (this=0x4f1a9f0) at sw/source/uibase/docvw/edtwin.cxx:6628
#5 0x00007fffee27cf02 in ImplHandleSurroundingTextRequest(vcl::Window*, rtl::OUString&, Selection&) (pWindow=0x1fe43f0, rText="", rSelRange=...) at vcl/source/window/winproc.cxx:2544
#6 0x00007fffee27adf7 in ImplHandleSalSurroundingTextRequest(vcl::Window*, SalSurroundingTextRequestEvent*) (pWindow=0x1fe43f0, pEvt=0x7fffffffb970) at vcl/source/window/winproc.cxx:2555
#7 0x00007fffee276ed6 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (_pWindow=0x1fe43f0, nEvent=SalEvent::SurroundingTextRequest, pEvent=0x7fffffffb970) at vcl/source/window/winproc.cxx:2884
#8 0x00007fffe6ee3080 in SalFrame::CallCallback(SalEvent, void const*) const (this=0x1898310, nEvent=SalEvent::SurroundingTextRequest, pEvent=0x7fffffffb970) at vcl/inc/salframe.hxx:306

callback from the input engine to try and get "surrounding text"
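A triage aid for the backtrace above, added here as an example and not part of the bug report or of LibreOffice: it parses gdb frames, flags any frame entered with a null pointer argument such as this=0x0, and reports the calling frame as the first place to look for a missing check. The names parse_frames and find_null_derefs are hypothetical, and the sample input is the first four frames copied from the report.

```python
import re

# Constructed sample: the first four frames of the backtrace quoted in the report.
SAMPLE = """\
#0 SwFrame::IsTextFrame() const (this=0x0) at sw/source/core/inc/frame.hxx:1236
#1 0x00007fffa8dcb865 in sw::FrameContainsNode(SwContentFrame const&, o3tl::strong_int<int, Tag_SwNodeOffset>) (rFrame=..., nNodeIndex=...) at sw/source/core/text/txtfrm.cxx:292
#2 0x00007fffa82c9fd4 in SwCursorShell::GetSelText() const (this=0x5509470) at sw/source/core/crsr/crsrsh.cxx:2565
#3 0x00007fffa89017f0 in SwEditShell::GetSelectedText(rtl::OUString&, ParaBreakType) (this=0x5509470, rBuf="", nHndlParaBrk=ParaBreakType::ToOnlyCR) at sw/source/core/edit/edglss.cxx:264
"""

# gdb prints "#N [0xADDR in ]signature (name=value, ...) at file:line".
# The signature has no space before its own "(", so " (" marks the value list.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?"
    r"(?P<func>.+?) \((?P<args>[^()]*)\) at (?P<file>\S+):(?P<line>\d+)$"
)
# A pointer argument whose value is exactly zero (0x0, 0x00, ...).
NULL_ARG_RE = re.compile(r"(\w+)=0x0+(?=,|$)")


def parse_frames(text):
    """Return one dict per recognised frame, innermost first."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue  # skip prose and frames without source information
        frames.append({
            "num": int(m["num"]),
            "func": m["func"],
            "null_args": NULL_ARG_RE.findall(m["args"]),
            "file": m["file"],
            "line": int(m["line"]),
        })
    return frames


def find_null_derefs(frames):
    """Pair every frame entered with a null pointer with the frame that called it."""
    by_num = {f["num"]: f for f in frames}
    findings = []
    for f in frames:
        if f["null_args"]:
            findings.append({"callee": f, "null_args": f["null_args"],
                             "caller": by_num.get(f["num"] + 1)})
    return findings


if __name__ == "__main__":
    for hit in find_null_derefs(parse_frames(SAMPLE)):
        c = hit["caller"]
        print(f'{hit["callee"]["func"]} entered with null {hit["null_args"]}; '
              f'review caller {c["func"]} at {c["file"]}:{c["line"]}')
```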
https://gerrit.libreoffice.org/c/core/+/145872
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/6e19fdb771ada47a2e90e2e80ba31e2a6aa8e72e

Resolves: tdf#153116 null-ptr-deref in get-surrounding-text

It will be available in 7.6.0.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-7-4":

https://git.libreoffice.org/core/commit/a8d70435eeeadf73b24dbb9fa035935b9da7ad4e

Resolves: tdf#153116 null-ptr-deref in get-surrounding-text

It will be available in 7.4.5.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Verified fix with:

Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ff496c663904d97567f1876b2d9b758131f71be8
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Thanks Caolán!
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-7-5":

https://git.libreoffice.org/core/commit/06d106ddb8f34d98018bf4a169d200cd1257f6aa

Resolves: tdf#153116 null-ptr-deref in get-surrounding-text

It will be available in 7.5.1.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
7.4.5 was a hotfix release, updating target in status-whiteboard
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-7-5-0":

https://git.libreoffice.org/core/commit/faa3ef712fc745774914d1f409877589551926bc

Resolves: tdf#153116 null-ptr-deref in get-surrounding-text

It will be available in 7.5.0.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.