
Fix crash on gradient markers

This commit fixes a crash on markers with gradient or mesh fill. See #4006 (closed) for a description.

After the SPDocument::install_reference_document scoped(_sandbox.get(), source); instance is created, any getObjectById() call extends to the source document.

As pointed out by @nathanal, the 30d888ec commit moved the install_reference_document line higher.

_sandbox is the template document for markers to be rendered in the "Fill and Stroke" combos. It's created once for every MarkerComboBox instance, so it is reused for every marker to be rendered. Thus, to render another marker, the old one's definitions should be deleted from the template. This is done by, e.g.:

SPObject *oldmarker = _sandbox->getObjectById(linkObj->getId());
if (oldmarker) {
    oldmarker->deleteObject(false);
}

where linkObj is an object from source. So, because getObjectById() extends to source, the object is deleted from the source document and not from the _sandbox. Any subsequent reference to a field of linkObj then leads to a null dereference and to the crash.

Moving the install_reference_document line lower, to where it was before the commit, fixes the issue.
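
The ordering problem described above, reduced to a stand-alone model. This is an added example, not Inkscape code: Doc, ScopedRef, owner_of and delete_old are hypothetical names, and the id "grad1" is constructed sample data.

```cpp
#include <map>
#include <string>

// Simplified model: a document owns objects by id and, while a reference
// document is installed, lookups that miss locally fall through to it.
struct Doc {
    std::map<std::string, std::string> objs;
    Doc *ref = nullptr;  // non-null only while a reference is installed

    // Returns the document that actually owns `id`, following the fallback.
    Doc *owner_of(const std::string &id) {
        if (objs.count(id)) return this;
        return ref ? ref->owner_of(id) : nullptr;
    }
};

// RAII guard modelled on the scoped install_reference_document object.
struct ScopedRef {
    Doc &sandbox;
    ScopedRef(Doc &sb, Doc &source) : sandbox(sb) { sandbox.ref = &source; }
    ~ScopedRef() { sandbox.ref = nullptr; }
};

// "Delete the old definition from the sandbox" by id lookup. If the sandbox
// has no local copy and a reference is installed, the lookup resolves into
// the source document and the deletion lands there instead.
static void delete_old(Doc &sandbox, const std::string &id) {
    if (Doc *owner = sandbox.owner_of(id)) owner->objs.erase(id);
}

// Order that crashes: reference installed before the cleanup runs.
bool source_survives_buggy(Doc &sandbox, Doc &source, const std::string &id) {
    ScopedRef scoped(sandbox, source);
    delete_old(sandbox, id);
    return source.objs.count(id) == 1;  // false: source lost its object
}

// Order after the fix: cleanup sees only the sandbox, then install.
bool source_survives_fixed(Doc &sandbox, Doc &source, const std::string &id) {
    delete_old(sandbox, id);
    ScopedRef scoped(sandbox, source);
    return source.objs.count(id) == 1;  // true: source untouched
}
```

In the real code the caller still holds a pointer to the object it looked up in source, which is why the misdirected deletion ends in a crash rather than a missing map entry.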
