| Summary: | dbgutil build: Crash when creating number format code "[$..." | ||
|---|---|---|---|
| Product: | LibreOffice | Reporter: | Laurent Balland <jumbo4444> |
| Component: | Calc | Assignee: | Laurent Balland <jumbo4444> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | serval2412 |
| Priority: | medium | Keywords: | haveBacktrace, regression |
| Version: | 5.2.0.0.alpha0+ | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | target:5.3.0 target:5.2.2 | ||
| Crash report or crash signature: | Regression By: | ||
| Attachments: | Test file one field from database Bibliography; bt with symbols | ||
|
Description
Laurent Balland
2016-08-21 15:26:03 UTC
Pb here:
svl/source/numbers/zformat.cxx:1414
case '$' :
if ( rString[nPos] == '-' )
nPos == 2 is >= nLength
We should not test rString[nPos] without testing nPos.
I don't understand what was changed recently which makes this happen.
By the way, simple steps:
1. New Calc doc, Format > Cells > Numbers
2. Remove format code and type
[$
Created attachment 126942
bt with symbols
On pc Debian x86-64 with master sources updated today, I could reproduce this.
I attached a bt.
With LO Debian package 5.2.0.2, I don't reproduce this => regression.

This crash is reproducible only with dbg builds

Confirmed with
- Version: 5.3.0.0.alpha0+
  Build ID: dde4e9a95479850bfc968fe712fe9e7ea7ef324e
  CPU Threads: 4; OS Version: Linux 3.16; UI Render: default;
  TinderBox: Linux-rpm_deb-x86_64@70-TDF-dbg, Branch:master, Time: 2016-08-07_04:38:14
  Locale: fr-FR (fr_FR.UTF-8); Calc: group
- Version: 5.3.0.0.alpha0+
  Build ID: 989e8bc0d792f0dc5778746fac45de129a22d7ac
  CPU Threads: 4; OS Version: Linux 3.16; UI Render: default;
  TinderBox: Linux-rpm_deb-x86_64@70-TDF-dbg, Branch:master, Time: 2016-08-16_02:21:43
  Locale: fr-FR (fr_FR.UTF-8); Calc: group

The latter is the same build as in comment 0 where I did NOT reproduce the crash, but with dbg

dbgutil builds have some internal string access checks that assert on out-of-bounds access. The "crash" likely is there since the change from class String to OUString, as String[length] returned the terminating 0 character, OUString does the same in a non-dbgutil build, but as the terminating 0 character is not part of the string (and actually not guaranteed to be there) the dbgutil build checks the actual length.

Laurent Balland-Poirier committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=734eb8b034c8035565d091aa016ce3b8df838b19

tdf#101636 Test index before reading OUString

It will be available in 5.3.0.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Btw, for such dbgutil off-by-one assert/crash occurrences you don't need to file a bug, just fix it and decide whether it should go into another branch as well. |
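
The index-before-read check discussed in this report, as an added example that is not LibreOffice's code. `CheckedStr` is a hypothetical stand-in for a string whose debug build rejects index == length, and `DollarKind`, `classifyUnchecked`, `classifyChecked` and `tripsBoundsCheck` are illustrative names.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a bounds-checked debug string: index == length
// is rejected, because the terminating 0 is not part of the string.
struct CheckedStr {
    std::u16string s;
    char16_t at(std::size_t i) const {
        if (i >= s.size()) throw std::out_of_range("index >= length");
        return s[i];
    }
    std::size_t length() const { return s.size(); }
};

// Illustrative result of looking at the character that follows "[$".
enum class DollarKind { Locale, Currency };

// 'Before' shape from the report: reads rString[nPos] without testing nPos.
DollarKind classifyUnchecked(const CheckedStr& rString, std::size_t nPos) {
    return rString.at(nPos) == u'-' ? DollarKind::Locale : DollarKind::Currency;
}

// Guarded shape: test the index first, then read the character.
DollarKind classifyChecked(const CheckedStr& rString, std::size_t nPos) {
    if (nPos < rString.length() && rString.at(nPos) == u'-')
        return DollarKind::Locale;
    return DollarKind::Currency;
}

// True when the call hit the bounds check, which is what a checked build
// reports as an assertion failure.
bool tripsBoundsCheck(DollarKind (*fn)(const CheckedStr&, std::size_t),
                      const std::u16string& code, std::size_t nPos) {
    try { fn(CheckedStr{code}, nPos); return false; }
    catch (const std::out_of_range&) { return true; }
}

int main() {
    // Constructed inputs; nPos == 2 is the index just past "[$".
    bool ok = tripsBoundsCheck(classifyUnchecked, u"[$", 2)
           && !tripsBoundsCheck(classifyChecked, u"[$", 2)
           && classifyChecked(CheckedStr{u"[$-409]"}, 2) == DollarKind::Locale
           && classifyChecked(CheckedStr{u"[$EUR]"}, 2) == DollarKind::Currency;
    return ok ? 0 : 1;
}
```
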