Bug 153519 - heap-use-after-free involving SwContentTree::m_aUpdTimer during UITest_sw_navigator
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): unspecified
Hardware: All All
Importance: medium normal
Assignee: Stephan Bergmann
Whiteboard: target:7.6.0 target:24.2.0 target:7.6.3
Reported: 2023-02-10 12:11 UTC by Stephan Bergmann
Modified: 2024-01-09 13:38 UTC

Description Stephan Bergmann 2023-02-10 12:11:00 UTC
UITest_sw_navigator UITEST_TEST_NAME=tdf151051.tdf151051.test_tdf151051 occasionally (see e.g. <https://ci.libreoffice.org/job/lo_ubsan/2659/>) fails with

> ======================================================================
> ERROR: test_tdf151051 (tdf151051.tdf151051)
> ----------------------------------------------------------------------
> Traceback (most recent call last):
>   File "uitest/uitest/test.py", line 95, in load_file
>     yield self.load_component_from_url(url)
>   File "sw/qa/uitest/navigator/tdf151051.py", line 41, in test_tdf151051
>     xHeadings.executeAction("EXPAND", tuple())
> tdf151051.com.sun.star.lang.DisposedException: Binary URP bridge disposed during call at binaryurp/source/bridge.cxx:613

With my local Linux ASan+UBSan --enable-dbgutil build on master towards LO 7.6 at 2023-02-09 f121b890f8f70fe2a0e633d3b4ad59c27ebba9b3, doing

> cd sw && while make -rs UITest_sw_navigator; do :; done

while the machine is also loaded with other work done in parallel, I managed to see it fail twice (once after 58 and once after 133 successful attempts) and report

> =================================================================
> ==3401690==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000248c28 at pc 0x7f37120f0163 bp 0x7fff9f5bc110 sp 0x7fff9f5bc108
> READ of size 4 at 0x60f000248c28 thread T0
>  #0 in SvTreeListEntry::HasChildrenOnDemand() const at vcl/source/treelist/treelistentry.cxx:201:30
>  #1 in SvTreeListBox::Expand(SvTreeListEntry*) at vcl/source/treelist/treelistbox.cxx:2040:18
>  #2 in TreeListEntryUIObject::execute(rtl::OUString const&, std::__debug::map<rtl::OUString, rtl::OUString, std::less<rtl::OUString>, std::allocator<std::pair<rtl::OUString const, rtl::OUString>>> const&) at vcl/source/treelist/uiobject.cxx:144:21
>  #3 in UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0::operator()() const at vcl/source/uitest/uno/uiobject_uno.cxx:138:16
>  #4 in void std::__invoke_impl<void, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&>(std::__invoke_other, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:61:14
>  #5 in std::enable_if<is_invocable_r_v<void, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&>, void>::type std::__invoke_r<void, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&>(UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:111:2
>  #6 in std::_Function_handler<void (), UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0>::_M_invoke(std::_Any_data const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:290:9
>  #7 in std::function<void ()>::operator()() const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:591:9
>  #8 in (anonymous namespace)::ExecuteWrapper::ExecuteActionHdl(Timer*) at vcl/source/uitest/uno/uiobject_uno.cxx:103:13
>  #9 in (anonymous namespace)::ExecuteWrapper::LinkStubExecuteActionHdl(void*, Timer*) at vcl/source/uitest/uno/uiobject_uno.cxx:98:1
>  #10 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:111:45
>  #11 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
>  #12 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:481:20
>  #13 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
>  #14 in SvpSalInstance::CheckTimeout(bool) at vcl/headless/svpinst.cxx:161:53
>  #15 in SvpSalInstance::ImplYield(bool, bool) at vcl/headless/svpinst.cxx:399:17
>  #16 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:471:21
>  #17 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:475:48
>  #18 in Application::Yield() at vcl/source/app/svapp.cxx:559:5
>  #19 in Application::Execute() at vcl/source/app/svapp.cxx:453:13
>  #20 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
>  #21 in ImplSVMain() at vcl/source/app/svmain.cxx:203:35
>  #22 in SVMain() at vcl/source/app/svmain.cxx:235:12
>  #23 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
>  #24 in sal_main at desktop/source/app/main.c:51:15
>  #25 in main at desktop/source/app/main.c:49:1
> 
> 0x60f000248c28 is located 152 bytes inside of 168-byte region [0x60f000248b90,0x60f000248c38)
> freed by thread T0 here:
>  #0 in operator delete(void*, unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:164:3
>  #1 in SvTreeListEntry::~SvTreeListEntry() at vcl/source/treelist/treelistentry.cxx:61:1
>  #2 in std::default_delete<SvTreeListEntry>::operator()(SvTreeListEntry*) const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/unique_ptr.h:102:2
>  #3 in std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>::~unique_ptr() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/unique_ptr.h:407:4
>  #4 in void std::destroy_at<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>(std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:88:15
>  #5 in void std::_Destroy<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>(std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:149:7
>  #6 in void std::_Destroy_aux<false>::__destroy<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*>(std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:163:6
>  #7 in void std::_Destroy<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*>(std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:195:7
>  #8 in void std::_Destroy<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>(std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*, std::allocator<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/alloc_traits.h:947:7
>  #9 in std::__cxx1998::vector<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>, std::allocator<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>>::_M_erase_at_end(std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_vector.h:1932:6
>  #10 in std::__cxx1998::vector<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>, std::allocator<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>>::clear() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_vector.h:1601:9
>  #11 in std::__debug::vector<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>, std::allocator<std::unique_ptr<SvTreeListEntry, std::default_delete<SvTreeListEntry>>>>::clear() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/debug/vector:729:9
>  #12 in SvTreeListEntry::ClearChildren() at vcl/source/treelist/treelistentry.cxx:28:16
>  #13 in SvTreeList::Clear() at vcl/source/treelist/treelist.cxx:123:16
>  #14 in SvTreeListBox::Clear() at vcl/source/treelist/treelistbox.cxx:420:17
>  #15 in SalInstanceTreeView::clear() at vcl/source/app/salvtables.cxx:4240:18
>  #16 in SwContentTree::clear() at sw/source/uibase/utlui/content.cxx:2661:18
>  #17 in SwContentTree::Display(bool) at sw/source/uibase/utlui/content.cxx:2506:5
>  #18 in SwContentTree::TimerUpdate(Timer*) at sw/source/uibase/utlui/content.cxx:3777:17
>  #19 in SwContentTree::LinkStubTimerUpdate(void*, Timer*) at sw/source/uibase/utlui/content.cxx:3747:1
>  #20 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:111:45
>  #21 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
>  #22 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:481:20
>  #23 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
>  #24 in SvpSalInstance::CheckTimeout(bool) at vcl/headless/svpinst.cxx:161:53
>  #25 in SvpSalInstance::ImplYield(bool, bool) at vcl/headless/svpinst.cxx:399:17
>  #26 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:471:21
>  #27 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:475:48
>  #28 in Application::Yield() at vcl/source/app/svapp.cxx:559:5
>  #29 in Application::Execute() at vcl/source/app/svapp.cxx:453:13
>  #30 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
>  #31 in ImplSVMain() at vcl/source/app/svmain.cxx:203:35
>  #32 in SVMain() at vcl/source/app/svmain.cxx:235:12
>  #33 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
>  #34 in sal_main at desktop/source/app/main.c:51:15
>  #35 in main at desktop/source/app/main.c:49:1
> 
> previously allocated by thread T0 here:
>  #0 in operator new(unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
>  #1 in SalInstanceTreeView::do_insert(weld::TreeIter const*, int, rtl::OUString const*, rtl::OUString const*, rtl::OUString const*, VirtualDevice const*, bool, weld::TreeIter*, bool) at vcl/source/app/salvtables.cxx:3780:31
>  #2 in SalInstanceTreeView::insert(weld::TreeIter const*, int, rtl::OUString const*, rtl::OUString const*, rtl::OUString const*, VirtualDevice*, bool, weld::TreeIter*) at vcl/source/app/salvtables.cxx:4123:5
>  #3 in virtual thunk to SalInstanceTreeView::insert(weld::TreeIter const*, int, rtl::OUString const*, rtl::OUString const*, rtl::OUString const*, VirtualDevice*, bool, weld::TreeIter*) at vcl/source/app/salvtables.cxx
>  #4 in SwContentTree::insert(weld::TreeIter const*, rtl::OUString const&, rtl::OUString const&, bool, weld::TreeIter*) at sw/source/uibase/utlui/content.cxx:2097:18
>  #5 in SwContentTree::Display(bool) at sw/source/uibase/utlui/content.cxx:2555:17
>  #6 in SwContentTree::ExecCommand(std::basic_string_view<char, std::char_traits<char>>, bool) at sw/source/uibase/utlui/content.cxx:3530:9
>  #7 in SwNavigationPI::ToolBoxSelectHdl(rtl::OString const&) at sw/source/uibase/utlui/navipi.cxx:300:29
>  #8 in SwNavigationPI::LinkStubToolBoxSelectHdl(void*, rtl::OString const&) at sw/source/uibase/utlui/navipi.cxx:194:1
>  #9 in Link<rtl::OString const&, void>::Call(rtl::OString const&) const at include/tools/link.hxx:111:45
>  #10 in weld::Toolbar::signal_clicked(rtl::OString const&) at include/vcl/weld.hxx:2452:62
>  #11 in SalInstanceToolbar::ClickHdl(ToolBox*) at vcl/source/app/salvtables.cxx:1246:5
>  #12 in SalInstanceToolbar::LinkStubClickHdl(void*, ToolBox*) at vcl/source/app/salvtables.cxx:1243:1
>  #13 in Link<ToolBox*, void>::Call(ToolBox*) const at include/tools/link.hxx:111:45
>  #14 in ToolBox::Select() at vcl/source/window/toolbox2.cxx:373:17
>  #15 in ToolBoxUIObject::execute(rtl::OUString const&, std::__debug::map<rtl::OUString, rtl::OUString, std::less<rtl::OUString>, std::allocator<std::pair<rtl::OUString const, rtl::OUString>>> const&) at vcl/source/uitest/uiobject.cxx:1673:24
>  #16 in UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0::operator()() const at vcl/source/uitest/uno/uiobject_uno.cxx:138:16
>  #17 in void std::__invoke_impl<void, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&>(std::__invoke_other, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:61:14
>  #18 in std::enable_if<is_invocable_r_v<void, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&>, void>::type std::__invoke_r<void, UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&>(UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:111:2
>  #19 in std::_Function_handler<void (), UIObjectUnoObj::executeAction(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_0>::_M_invoke(std::_Any_data const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:290:9
>  #20 in std::function<void ()>::operator()() const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:591:9
>  #21 in (anonymous namespace)::ExecuteWrapper::ExecuteActionHdl(Timer*) at vcl/source/uitest/uno/uiobject_uno.cxx:103:13
>  #22 in (anonymous namespace)::ExecuteWrapper::LinkStubExecuteActionHdl(void*, Timer*) at vcl/source/uitest/uno/uiobject_uno.cxx:98:1
>  #23 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:111:45
>  #24 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
>  #25 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:481:20
>  #26 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
>  #27 in SvpSalInstance::CheckTimeout(bool) at vcl/headless/svpinst.cxx:161:53
>  #28 in SvpSalInstance::ImplYield(bool, bool) at vcl/headless/svpinst.cxx:399:17
>  #29 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:471:21
>  #30 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:475:48
>  #31 in Application::Yield() at vcl/source/app/svapp.cxx:559:5
>  #32 in Application::Execute() at vcl/source/app/svapp.cxx:453:13
>  #33 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
>  #34 in ImplSVMain() at vcl/source/app/svmain.cxx:203:35
>  #35 in SVMain() at vcl/source/app/svmain.cxx:235:12
>  #36 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
>  #37 in sal_main at desktop/source/app/main.c:51:15
>  #38 in main at desktop/source/app/main.c:49:1
> 
> SUMMARY: AddressSanitizer: heap-use-after-free vcl/source/treelist/treelistentry.cxx:201:30 in SvTreeListEntry::HasChildrenOnDemand() const
> ==3401690==ABORTING
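
The stacks above show a tree entry that was freed when `SwContentTree::TimerUpdate` cleared the tree and was later read through `TreeListEntryUIObject::execute`, both running as timer callbacks on the same thread. A minimal C++ model of that lifetime pattern next to a fail-closed alternative, added here as an illustration: it is not LibreOffice code and not the content of the fix commits, and `Tree`, `Entry`, `RawHandle`, `CheckedHandle` and `expand_after_refresh` are hypothetical names.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for a tree widget and its entries (not LibreOffice classes).
struct Entry {
    std::string text;
    bool childrenOnDemand;
};

class Tree {
public:
    Entry* insert(std::string text, bool onDemand) {
        entries_.push_back(std::make_unique<Entry>(Entry{std::move(text), onDemand}));
        return entries_.back().get();
    }
    // Models the periodic refresh: every entry is destroyed, then re-created.
    void rebuild(const std::vector<std::string>& texts) {
        entries_.clear();  // every Entry* handed out earlier is now dangling
        ++generation_;
        for (const auto& t : texts) insert(t, true);
    }
    Entry* at(std::size_t i) { return i < entries_.size() ? entries_[i].get() : nullptr; }
    unsigned generation() const { return generation_; }
private:
    std::vector<std::unique_ptr<Entry>> entries_;
    unsigned generation_ = 0;
};

// Pattern in the report: a wrapper keeps a raw pointer across scheduler callbacks.
struct RawHandle {
    Entry* entry;
    bool expand() const { return entry->childrenOnDemand; }  // invalid after rebuild()
};

enum class Expand { Stale, NoChildren, Expanded };

// Hardened form: keep position plus tree generation, re-resolve on every action.
class CheckedHandle {
public:
    CheckedHandle(Tree& tree, std::size_t index)
        : tree_(tree), index_(index), generation_(tree.generation()) {}
    Expand expand() const {
        if (tree_.generation() != generation_) return Expand::Stale;  // fail closed
        Entry* e = tree_.at(index_);
        if (!e) return Expand::Stale;
        return e->childrenOnDemand ? Expand::Expanded : Expand::NoChildren;
    }
private:
    Tree& tree_;
    std::size_t index_;
    unsigned generation_;
};

// One action creates the handle, a refresh may run, then a second action uses it.
Expand expand_after_refresh(bool refresh_in_between) {
    Tree tree;
    tree.insert("Headings", true);
    CheckedHandle handle(tree, 0);
    if (refresh_in_between) tree.rebuild({"Headings"});
    return handle.expand();
}

int main() {
    std::cout << (expand_after_refresh(false) == Expand::Expanded) << ' '
              << (expand_after_refresh(true) == Expand::Stale) << '\n';
}
```

The generation check matters because re-resolving by index alone would silently act on whatever entry now occupies that slot after the refresh.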
Comment 1 Jim Raykowski 2023-02-11 02:20:26 UTC
It seems this might need the same hack after the 'executeAction("CLICK",...' as is done in commit 9a23ded27470a4c57015e9e5d686259a60d464f2
Comment 2 Commit Notification 2023-02-15 09:09:51 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/b4c8775526d701cfe0230ca34bfbbb9be00a71e7

tdf#153519 Another TreeListEntryUIObject heap-use-after-free

It will be available in 7.6.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 3 Commit Notification 2023-10-21 06:55:19 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/00286e56d17090ffdf0abd76ba3c236126f8c116

tdf#153519 Another TreeListEntryUIObject heap-use-after-free

It will be available in 24.2.0.

Comment 4 Commit Notification 2023-10-23 13:45:19 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/fcae1c4fdf75d6a62cdbfbca5deb07e78de591f5

tdf#153519 Another TreeListEntryUIObject heap-use-after-free

It will be available in 24.2.0.

Comment 5 Commit Notification 2023-10-24 09:14:28 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/9d5e8d5f5bc422178d6fca928e749ba3bb3d159e

tdf#153519 Another TreeListEntryUIObject heap-use-after-free

It will be available in 24.2.0.

Comment 6 Commit Notification 2023-10-24 16:23:17 UTC
Noel Grandin committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/4edff633dd36ea47d17a993e0afb30fcfc4f9a61

tdf#153519 make TreeListEntryUIObject safer

It will be available in 24.2.0.

Comment 7 Commit Notification 2023-10-25 10:49:24 UTC
Noel Grandin committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/dd0190eee2b7415b91932f28cc87f481389e551e

tdf#153519 make TreeListEntryUIObject safer

It will be available in 7.6.3.

Comment 8 Commit Notification 2023-10-26 14:11:05 UTC
Noel Grandin committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/0446f73d27a0c43de1a2d5e07c9510a287be6af2

tdf#153519 use new IdleTask::waitUntilIdleDispatched

It will be available in 24.2.0.
