apparent use-after-free of ScLOKProxyObjectContact::mpScDrawView

 #0  std::vector<std::unique_ptr<SdrPageWindow, std::default_delete<SdrPageWindow> >, std::allocator<std::unique_ptr<SdrPageWindow, std::default_delete<SdrPageWindow> > > >::size (this=<optimized out>) at /opt/rh/devtoolset-12/root/usr/include/c++/12/bits/stl_vector.h:987
 #1  SdrPageView::PageWindowCount (this=<optimized out>) at include/svx/svdpagv.hxx:89
 #2  (anonymous namespace)::ScLOKProxyObjectContact::calculateGridOffsetForViewObjectContact (this=<optimized out>, rTarget=..., rClient=...)
     at sc/source/ui/view/gridwin4.cxx:1467
 #3  0x00007fe8eae62e05 in sdr::contact::ViewObjectContact::getGridOffset (this=this@entry=0x364bdc60)
     at include/svx/sdr/contact/viewobjectcontact.hxx:95
 #4  0x00007fe8eae642fe in sdr::contact::ViewObjectContact::getPrimitive2DSequence (this=this@entry=0x364bdc60, rDisplayInfo=...)
     at svx/source/sdr/contact/viewobjectcontact.cxx:487
 #5  0x00007fe8eae645b1 in sdr::contact::ViewObjectContact::getObjectRange (this=this@entry=0x364bdc60)
     at svx/source/sdr/contact/viewobjectcontact.cxx:209
 #6  0x00007fe8eae64832 in sdr::contact::ViewObjectContact::triggerLazyInvalidate (this=0x364bdc60)
     at svx/source/sdr/contact/viewobjectcontact.cxx:273
 #7  0x00007fe8eae65415 in sdr::contact::ObjectContactOfPageView::Invoke (this=0x7fe8a8103ff0)
     at svx/source/sdr/contact/objectcontactofpageview.cxx:105
 #8  0x00007fe8ebb2b30b in Scheduler::CallbackTaskScheduling () at vcl/source/app/scheduler.cxx:579
 #9  0x00007fe8ebceb21b in SvpSalInstance::StartTimer (nMS=<optimized out>, this=0x2e01000000000000)

Change-Id: Icb71083eb77e528d9025aa7a591892dcdfc2ba89
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185019
Reviewed-by: Miklos Vajna <[email protected]>
Tested-by: Jenkins CollaboraOffice <[email protected]>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185026

Author: caolanm

sc/source/ui/view/gridwin4.cxx

@@ -32,6 +32,7 @@
 #include <vcl/settings.hxx>
 #include <o3tl/unit_conversion.hxx>
 #include <osl/diagnose.h>
+#include <tools/weakbase.hxx>
 
 #include <LibreOfficeKit/LibreOfficeKitEnums.h>
 #include <comphelper/lok.hxx>
@@ -1406,15 +1407,15 @@ namespace
     class ScLOKProxyObjectContact final : public sdr::contact::ObjectContactOfPageView
     {
     private:
-        ScDrawView* mpScDrawView;
+        tools::WeakReference<ScDrawView> m_xScDrawView;
 
     public:
         explicit ScLOKProxyObjectContact(
             ScDrawView* pDrawView,
             SdrPageWindow& rPageWindow,
             const char* pDebugName) :
             ObjectContactOfPageView(rPageWindow, pDebugName),
-            mpScDrawView(pDrawView)
+            m_xScDrawView(pDrawView)
         {
         }
 
@@ -1424,10 +1425,11 @@ namespace
             basegfx::B2DVector& rTarget,
             const sdr::contact::ViewObjectContact& rClient) const override
         {
-            if (!mpScDrawView)
+            ScDrawView* pScDrawView = m_xScDrawView.get();
+            if (!pScDrawView)
                 return;
 
-            SdrPageView* pPageView(mpScDrawView->GetSdrPageView());
+            SdrPageView* pPageView(pScDrawView->GetSdrPageView());
             if (!pPageView)
                 return;