In the codebase there are currently some examples of code like this:
gchar* aItemCommandStr = (gchar*) OUStringToOString( aItemCommand, RTL_TEXTENCODING_UTF8 ).getStr();
This fails as a pattern, because the destructor of the anonymous temporary OString is called at the end of this expression, before the gchar* that is returned can be used.
(the destructor is only called at the very end of the expression, so in this case it would suffice to wrap with a g_strdup() on the same line, or alternatively to split the expression into two with a named OString)
See bug 69090 for one example of this that resulted in a visible bug.
There may be other related issues of a similar nature. A clang plugin would potentially be a good way to guard against these.
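The lifetime problem described above, as an added illustration that is not from the bug report or from LibreOffice's own code: a hypothetical stand-in for OString (FakeOString, toOString, isLive are all constructed here) records which buffers are still owned, so the broken pattern and the two fixes mentioned (a named OString, or copying on the same line) can be compared without ever dereferencing the dangling pointer.

```cpp
#include <cstring>
#include <set>
#include <string>

// Addresses of buffers that some FakeOString still owns (constructed tracking, not rtl).
static std::set<const char*> g_liveBuffers;

// Stand-in for rtl::OString: owns a heap buffer and frees it in the destructor.
class FakeOString {
public:
    explicit FakeOString(const char* s) : m_buf(new char[std::strlen(s) + 1]) {
        std::strcpy(m_buf, s);
        g_liveBuffers.insert(m_buf);
    }
    FakeOString(FakeOString&& o) noexcept : m_buf(o.m_buf) { o.m_buf = nullptr; }
    FakeOString(const FakeOString&) = delete;
    FakeOString& operator=(const FakeOString&) = delete;
    ~FakeOString() {
        if (m_buf) {
            g_liveBuffers.erase(m_buf);
            delete[] m_buf;  // any pointer handed out by getStr() dangles from here on
        }
    }
    const char* getStr() const { return m_buf; }
private:
    char* m_buf;
};

// Stand-in for OUStringToOString(): returns an anonymous temporary by value.
static FakeOString toOString(const std::string& s) { return FakeOString(s.c_str()); }

// True if the buffer behind p is still owned by a live FakeOString.
static bool isLive(const char* p) { return g_liveBuffers.count(p) != 0; }

// The pattern from the report: the temporary is destroyed at the end of the
// full expression, so p already dangles when the next statement runs.
bool brokenPattern() {
    const char* p = toOString("hello").getStr();
    return isLive(p);  // false
}

// Fix A: a named OString keeps the buffer alive for the rest of the scope.
bool namedOStringPattern() {
    FakeOString aStr = toOString("hello");
    const char* p = aStr.getStr();
    return isLive(p);  // true
}

// Fix B: copy the bytes out inside the same full expression (the g_strdup() idea).
std::string copyOnSameLine() { return std::string(toOString("hello").getStr()); }
```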
A git grep to find instances to verify looks like:
git grep -P "\(\w+\s*\*\)\s*\(\w+\s*\*\)"
And there are approx. 101 places to check
Oops, copied wrong thing - this is the correct search pattern
git grep -iP "OUStringToOString.*getStr\("
and there are 952 locations to check.
But most of them can be eliminated with a second grep pass because they are calling the logging methods.
Created attachment 106553
Although not a substitute for a clang plugin, a visual grep of the likely candidates revealed the attached
- including one comment on the basis that it's not nice to leave unexploded ordnance hanging around
- including several defines where a further search showed probable unsafe uses thereof (not listed separately)
Matthew J. Francis committed a patch related to this issue.
It has been pushed to "master":
fdo#84086 Fix assorted use-after-free bugs
The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
Affected users are encouraged to test the fix and report feedback.
** Please read this message in its entirety before responding **
To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.
There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.
If you have time, please do the following:
Test to see if the bug is still present on a currently supported version of LibreOffice (5.0.1 or preferably 126.96.36.199 or later)
If the bug is present, please leave a comment that includes the version of LibreOffice and your operating system, and any changes you see in the bug behavior
If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a short comment that includes your version of LibreOffice and Operating System
Please DO NOT
Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)
If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3)
2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to "inherited from OOo";
4b. If the bug was not present in 3.3 - add "regression" to keyword
Feel free to come ask questions or to say hello in our QA chat: http://webchat.freenode.net/?channels=libreoffice-qa
Thank you for your help!
-- The LibreOffice QA Team
This NEW Message was generated on: 2015-10-14
Is this bug fixed?
If so, could you please close it as RESOLVED FIXED?