commit 7cbd6d768d282077053c354254315f3dc89bf254
author Michael Stahl <michael.stahl@allotropia.de> Wed Jun 30 13:26:59 2021 +0200
committer Michael Stahl <michael.stahl@allotropia.de> Wed Jun 30 18:40:27 2021 +0200
tree 4597c9027fa53e63dd6418adc98241bd1c2601f6
parent 738f7a8cb971a884f74766da0cbf7e59ef8b90e7

sfx2: try to fix lifecycle of SfxOfficeDispatch

This can be created either from the global SfxApplication, or from a
SfxViewFrame.

Particularly in the latter case, the SfxDispatcher and SfxBindings
members are owned by SfxViewFrame, so in case that is destroyed, the
SfxOfficeDispatch must clear its pointers.

It looks like the member pointers are checked before access already
everywhere, so just listen at the SfxViewFrame.

Change-Id: If08825734e94dd54e32cb77546684fd583c336ec
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118162
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

framework/qa/cppunit/data/empty.fodp

diff --git a/framework/qa/cppunit/data/empty.fodp b/framework/qa/cppunit/data/empty.fodp
new file mode 100644
index 0000000..3c2a4cf
--- /dev/null
+++ b/framework/qa/cppunit/data/empty.fodp
@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.presentation"><office:body><office:presentation><draw:page/></office:presentation></office:body></office:document>

framework/qa/cppunit/dispatchtest.cxx

diff --git a/framework/qa/cppunit/dispatchtest.cxx b/framework/qa/cppunit/dispatchtest.cxx
index 586c4af..2f21a71 100644
--- a/framework/qa/cppunit/dispatchtest.cxx
+++ b/framework/qa/cppunit/dispatchtest.cxx
@@ -15,6 +15,7 @@
#include <com/sun/star/frame/DispatchHelper.hpp>
#include <com/sun/star/frame/XDispatchProviderInterceptor.hpp>
#include <com/sun/star/frame/XInterceptorInfo.hpp>
#include <com/sun/star/util/URLTransformer.hpp>

#include <comphelper/processfactory.hxx>
#include <rtl/ref.hxx>
@@ -199,6 +200,37 @@ CPPUNIT_TEST_FIXTURE(DispatchTest, testInterception)
    // This was 1: MyInterceptor::queryDispatch() was called for .uno:Italic.
    CPPUNIT_ASSERT_EQUAL(0, pInterceptor->getUnexpected());
}

constexpr OUStringLiteral DATA_DIRECTORY = u"/framework/qa/cppunit/data/";

CPPUNIT_TEST_FIXTURE(DispatchTest, testSfxOfficeDispatchDispose)
{
    // this test doesn't work with a new document because of aURL.Main check in SfxBaseController::dispatch()
    mxComponent = loadFromDesktop(m_directories.getURLFromSrc(DATA_DIRECTORY) + "empty.fodp",
                                  "com.sun.star.presentation.PresentationDocument");
    uno::Reference<frame::XModel> xModel(mxComponent, uno::UNO_QUERY);
    CPPUNIT_ASSERT(xModel.is());
    uno::Reference<frame::XController> xController(xModel->getCurrentController());
    CPPUNIT_ASSERT(xController.is());
    uno::Reference<frame::XDispatchProvider> xFrame(xController->getFrame(), uno::UNO_QUERY);
    CPPUNIT_ASSERT(xFrame.is());

    uno::Reference<util::XURLTransformer> xParser(util::URLTransformer::create(mxComponentContext));
    util::URL url;
    url.Complete = xModel->getURL() + "#dummy";
    xParser->parseStrict(url);

    uno::Reference<frame::XDispatch> xDisp(xFrame->queryDispatch(url, "", 0));
    CPPUNIT_ASSERT(xDisp.is());

    mxComponent->dispose();

    util::URL urlSlot;
    urlSlot.Complete = "slot:5598";
    xParser->parseStrict(urlSlot);
    // crashed with UAF
    xDisp->dispatch(urlSlot, {});
}
}

CPPUNIT_PLUGIN_IMPLEMENT();

sfx2/inc/unoctitm.hxx

diff --git a/sfx2/inc/unoctitm.hxx b/sfx2/inc/unoctitm.hxx
index 805ff22..9e6bc19 100644
--- a/sfx2/inc/unoctitm.hxx
+++ b/sfx2/inc/unoctitm.hxx
@@ -25,6 +25,7 @@
#include <cppuhelper/interfacecontainer.hxx>
#include <cppuhelper/weakref.hxx>

#include <svl/lstner.hxx>
#include <sfx2/ctrlitem.hxx>
#include <osl/mutex.hxx>

@@ -101,7 +102,9 @@ public:
    SfxDispatcher*          GetDispatcher_Impl();
};

class SfxDispatchController_Impl final : public SfxControllerItem
class SfxDispatchController_Impl final
    : public SfxControllerItem
    , public SfxListener
{
    css::util::URL              aDispatchURL;
    SfxDispatcher*              pDispatcher;
@@ -126,6 +129,8 @@ public:
                                                    const css::util::URL& rURL );
                        virtual ~SfxDispatchController_Impl() override;

    virtual void Notify(SfxBroadcaster& rBC, const SfxHint& rHint) override;

    static OUString getSlaveCommand( const css::util::URL& rURL );

    void                StateChanged( sal_uInt16 nSID, SfxItemState eState, const SfxPoolItem* pState, SfxSlotServer const * pServ );

sfx2/source/control/unoctitm.cxx

diff --git a/sfx2/source/control/unoctitm.cxx b/sfx2/source/control/unoctitm.cxx
index 5003433..58bdc61 100644
--- a/sfx2/source/control/unoctitm.cxx
+++ b/sfx2/source/control/unoctitm.cxx
@@ -323,6 +323,27 @@ SfxDispatchController_Impl::SfxDispatchController_Impl(
        BindInternal_Impl( nSlot, pBindings );
        pBindings->LEAVEREGISTRATIONS();
    }
    assert(pDispatcher);
    assert(SfxApplication::Get()->GetAppDispatcher_Impl() == pDispatcher
        || pDispatcher->GetFrame() != nullptr);
    if (pDispatcher->GetFrame())
    {
        StartListening(*pDispatcher->GetFrame());
    }
    else
    {
        StartListening(*SfxApplication::Get());
    }
}

void SfxDispatchController_Impl::Notify(SfxBroadcaster& rBC, SfxHint const& rHint)
{
    if (rHint.GetId() == SfxHintId::Dying)
    {   // both pBindings and pDispatcher are dead if SfxViewFrame is dead
        pBindings = nullptr;
        pDispatcher = nullptr;
        EndListening(rBC);
    }
}

SfxDispatchController_Impl::~SfxDispatchController_Impl()