From 5816109430eb4b71652de09cfdc2df2bc5c44655 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Sat, 26 Dec 2020 22:16:39 -0800
Subject: [PATCH] psppire-window: Fix use-after-free error in read_spv_file().
spv_item_get_table() returns a borrowed reference, but read_spv_file() treated it as if it owned it. This fixes the problem. This fixes crashes opening .spv files in PSPPIRE with File|Open. Also, change spv_item_get_table() to return a const pointer, to make it clearer that the reference is a borrowed one.
---
 src/output/spv/spv.c | 7 +++++--
 src/output/spv/spv.h | 2 +-
 src/ui/gui/psppire-window.c | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/output/spv/spv.c b/src/output/spv/spv.c
index cbdf10fcdf..29c26c275b 100644
--- a/src/output/spv/spv.c
+++ b/src/output/spv/spv.c
@@ -849,7 +849,7 @@ pivot_table_open_legacy (struct spv_item *item)
 return error;
 }
-struct pivot_table *
+const struct pivot_table *
 spv_item_get_table (const struct spv_item *item_)
 {
 struct spv_item *item = CONST_CAST (struct spv_item *, item_);
@@ -1196,7 +1196,10 @@ spv_item_set_table_look (struct spv_item *item,
 (We can't just set item->table_look because light tables ignore it and legacy tables sometimes override it.) */
 if (spv_item_is_table (item))
- pivot_table_set_look (spv_item_get_table (item), look);
+ {
+ spv_item_load (item);
+ pivot_table_set_look (item->table, look);
+ }
 for (size_t i = 0; i < item->n_children; i++)
 spv_item_set_table_look (item->children[i], look);
diff --git a/src/output/spv/spv.h b/src/output/spv/spv.h
index 21d19a6615..6857d9b3b6 100644
--- a/src/output/spv/spv.h
+++ b/src/output/spv/spv.h
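Review bot: In the @@ -1196 hunk the return value of `spv_item_load (item)` is discarded and `item->table` is then passed straight to `pivot_table_set_look` with no check, so an item whose table could not be loaded would hand a null pointer through; spv_item_load's signature is not in the hunk, so whether it reports failure via its return value needs confirming. A guard such as `if (item->table) pivot_table_set_look (item->table, look);` keeps the traversal of the remaining children going, and if spv_item_load returns an error it should be consumed rather than dropped. Reaching for the raw `item->table` field here, while the @@ -849 hunk makes spv_item_get_table() return a const pointer, is the right way to get a mutable table but deserves a one-line comment, e.g. `/* Need the non-const table: setting a look mutates it. */`. spv_item_set_table_look's signature and the end of its body lie outside the hunk.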
@@ -157,7 +157,7 @@ size_t spv_item_get_n_children (const struct spv_item *);
 struct spv_item *spv_item_get_child (const struct spv_item *, size_t idx);
 bool spv_item_is_table (const struct spv_item *);
-struct pivot_table *spv_item_get_table (const struct spv_item *);
+const struct pivot_table *spv_item_get_table (const struct spv_item *);
 bool spv_item_is_text (const struct spv_item *);
 const struct pivot_value *spv_item_get_text (const struct spv_item *);
diff --git a/src/ui/gui/psppire-window.c b/src/ui/gui/psppire-window.c
index 15f8503de2..99da30fa3e 100644
--- a/src/ui/gui/psppire-window.c
+++ b/src/ui/gui/psppire-window.c
@@ -796,7 +796,7 @@ read_spv_file (const char *filename)
 if (items[i]->type == SPV_ITEM_TEXT)
 spv_text_submit (items[i]);
 else if (items[i]->type == SPV_ITEM_TABLE)
- pivot_table_submit (spv_item_get_table (items[i]));
+ pivot_table_submit (pivot_table_ref (spv_item_get_table (items[i])));
 prev_heading = heading;
 }
 dump_heading_transition (prev_heading, spv_get_root (spv));
-- 
2.30.2
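Review bot: The changed declaration of spv_item_get_table() in spv.h still carries no comment, so the borrowed-reference contract whose violation this patch fixes remains implied only by the added `const`. I would state it at the declaration: `/* Returns ITEM's table, which ITEM owns; the caller must not unref it. Take a pivot_table_ref() to keep it beyond ITEM's lifetime. */`. The same comment belongs on the definition in spv.c at @@ -849.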
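Review bot: The new line in read_spv_file applies `pivot_table_ref` to a `const struct pivot_table *`; whether that function accepts a const pointer and yields the non-const pointer pivot_table_submit expects is not visible here, so the line depends on its declaration in pivot-table.h being compatible. The hand-off also deserves a comment, because a reader otherwise wonders why a reference is taken and never released: `/* The item keeps its own reference; submit a fresh one that the output engine releases. */`. If spv_item_get_table() can return a null table for an item whose load failed, a check before the call would avoid passing NULL into pivot_table_ref. read_spv_file's body continues outside the hunk on both sides.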