| Summary: | Crash in EnhancedCustomShapeTypeNames::Get | ||
|---|---|---|---|
| Product: | LibreOffice | Reporter: | nicolas.gregoire |
| Component: | LibreOffice | Assignee: | Caolán McNamara <caolan.mcnamara> |
| Status: | RESOLVED FIXED | ||
| Severity: | critical | CC: | markus.mohrhard, serval2412 |
| Priority: | medium | Keywords: | haveBacktrace |
| Version: | 4.3.0.0.beta1 | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | Asan target:4.4.0 target:4.2.7 target:4.3.3 | ||
| Crash report or crash signature: | | Regression By: | |
| Attachments: | Repro file; Original file; bt with symbols | | |
Created attachment 99651 [details]
Original file
Created attachment 99724 [details]
bt with symbols
On pc Debian x86-64 with master sources updated yesterday, I could reproduce this.
Markus: trying to unwind this bug, I started from bt, more specifically this part:
#4 0x00002aaacce8938f in SvxCustomShape::createCustomShapeDefaults (this=0x89e8a20, rValueType="-1")
at /home/julien/compile-libreoffice/libreoffice/svx/source/unodraw/unoshap2.cxx:1979
#5 0x00002aaadc041352 in oox::vml::CustomShape::implConvertAndInsert (this=0x8a11c10, rxShapes=uno::Reference to (SwXDrawPage *) 0x89a9d20, rShapeRect=...)
at /home/julien/compile-libreoffice/libreoffice/oox/source/vml/vmlshape.cxx:957
I tried to understand why rValueType was equal to -1
so started here:
957 xDefaulter->createCustomShapeDefaults( OUString::number( getShapeType() ) );
still in vmlshape.cxx
146 sal_Int32 ShapeType::getShapeType() const
147 {
148 return maTypeModel.moShapeType.get( 0 );
149 }
A search in Opengrok seems to indicate moShapeType is initialized in oox/source/vml/vmlshapecontext.cxx:
288 mrTypeModel.moShapeType = rAttribs.getInteger( O_TOKEN( spt ) );
see http://opengrok.libreoffice.org/xref/core/oox/source/vml/vmlshapecontext.cxx#288
The problem is there's no control of the spt value
I tried this:
- change type of moShapeType from OptValue< sal_Int32 > to OptValue< sal_uInt32 > (include/oox/vml/vmlshape.hxx)
- use this:
mrTypeModel.moShapeType = rAttribs.getUnsigned( O_TOKEN( spt ) );
instead of this:
mrTypeModel.moShapeType = rAttribs.getInteger( O_TOKEN( spt ) );
The file can be opened without crash but -1 is converted to 152
Any idea?
Caolan McNamara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=65277f994ae25d930c15aebba0ed19f8de0abba1

Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.

Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-2": http://cgit.freedesktop.org/libreoffice/core/commit/?id=a2dda857b3d163a42c243566eaef9bc97e933779&h=libreoffice-4-2

Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get

It will be available in LibreOffice 4.2.7. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.

Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-3": http://cgit.freedesktop.org/libreoffice/core/commit/?id=3c8eb2fe90622afce3ee935000f8f549b5d0efa7&h=libreoffice-4-3

Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get

It will be available in LibreOffice 4.3.3. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Created attachment 99650 [details]
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffbfe7e6b3 in EnhancedCustomShapeTypeNames::Get (eShapeType=<optimized out>) at /home/moggi/devel/libo7/svx/source/customshapes/EnhancedCustomShapeTypeNames.cxx:304
rax 0x800fc32eda90 140805187492496
rbx 0xf204f2f2f200f201 -1007413291367992831
rcx 0x7ffffffe0820 140737488226336
rdx 0xffffffff 4294967295
rsi 0x1001f865db52 17600648436562
rdi 0x7ffffffe0820 140737488226336
rbp 0x7ffffffe0870 0x7ffffffe0870
rsp 0x7ffffffe07a0 0x7ffffffe07a0
   0x00007fffbfe7e6af <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+447>: shr $0x3,%rsi
=> 0x00007fffbfe7e6b3 <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+451>: cmpb $0x0,0x7fff8000(%rsi)
   0x00007fffbfe7e6ba <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+458>: mov %rax,0x10(%rsp)

Original OO file: WordArt_samples.docx
Mutated OO file (repro file): crash-30909.docx
Modified XML file: word/document.xml
Modifications:
- in tag "w:pStyle", attribute "w:val" was switched from "Heading1" to "Abc123"
- in tag "v:shapetype", attribute "coordsize" was switched from "21600,21600" to "Abc123"
- in tag "v:shapetype", attribute "o:spt" was switched from "136" to "-1"
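The path traced in the comments above (o:spt read by rAttribs.getInteger, returned through getShapeType(), stringified and handed to createCustomShapeDefaults, then used to index the name table in EnhancedCustomShapeTypeNames::Get) and the o:spt="-1" mutation in this report both reduce to one missing check: the shape-type number must be validated against the table's bounds before it is used as an index. The C++ below is an added example written for this page, not LibreOffice code and not the committed fix; the name table, the parsing helper and all function names are constructed stand-ins for the real ones, and the default-to-0 behaviour is taken from the getShapeType() snippet quoted above.

```cpp
// Added example, not LibreOffice code: bounds-checking an untrusted integer
// attribute (such as VML o:spt) before using it as an index into a name table.
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <optional>
#include <string>
#include <string_view>

// Constructed stand-in for the shape-type name table; the real table in
// EnhancedCustomShapeTypeNames is far longer, but the hazard is the same.
static const char* const kShapeTypeNames[] = {
    "non-primitive",   // 0
    "rectangle",       // 1
    "round-rectangle", // 2
    "ellipse",         // 3
    "diamond",         // 4
};
static constexpr std::int64_t kShapeTypeCount =
    static_cast<std::int64_t>(sizeof(kShapeTypeNames) / sizeof(kShapeTypeNames[0]));

// Stand-in for rAttribs.getInteger(): parse the attribute text as a signed 32-bit
// integer. Non-numeric text ("Abc123"), trailing junk ("21600,21600") and values
// outside int32 yield nothing, just as an absent attribute does.
std::optional<std::int32_t> parseShapeTypeAttr(std::string_view text)
{
    const std::string s(text);
    if (s.empty()) return std::nullopt;
    char* end = nullptr;
    errno = 0;
    const long long v = std::strtoll(s.c_str(), &end, 10);
    if (errno != 0 || end == s.c_str() || *end != '\0') return std::nullopt;
    if (v < std::numeric_limits<std::int32_t>::min()
        || v > std::numeric_limits<std::int32_t>::max()) return std::nullopt;
    return static_cast<std::int32_t>(v);
}

// The pattern behind the crash: the parsed number goes straight into the table
// index. With shape type -1 this reads before the array, which ASan flags and a
// non-instrumented build may silently turn into garbage or a segfault.
// Kept only for contrast with the checked version below; never feed it untrusted input.
const char* shapeTypeNameUnchecked(std::int32_t shapeType)
{
    return kShapeTypeNames[shapeType];
}

// Hardened form: reject every index outside [0, kShapeTypeCount) before touching
// the table. The check runs on a signed 64-bit value, so a negative input and an
// input that already wrapped to a large unsigned value (static_cast<uint32_t>(-1)
// is 4294967295) are both rejected; changing the field's type from signed to
// unsigned on its own only relocates a bad value, it does not validate it.
std::optional<std::string_view> shapeTypeNameChecked(std::int64_t shapeType)
{
    if (shapeType < 0 || shapeType >= kShapeTypeCount) return std::nullopt;
    return std::string_view(kShapeTypeNames[static_cast<std::size_t>(shapeType)]);
}

// End to end: attribute text to validated name. An absent or unparsable attribute
// defaults to shape type 0, mirroring moShapeType.get(0) in getShapeType() (an
// assumption of this example); a number that parses but lies outside the table is
// rejected rather than mapped to anything.
std::optional<std::string_view> resolveShapeType(std::string_view attrText)
{
    const std::int32_t shapeType = parseShapeTypeAttr(attrText).value_or(0);
    return shapeTypeNameChecked(shapeType);
}

int main()
{
    // Constructed attribute values, including the mutated "-1" from the report.
    // ("136" is valid against the real table but out of range for this five-entry
    // stand-in, so it is left out here.)
    const char* const samples[] = { "3", "-1", "5", "Abc123", "21600,21600", "4294967295" };
    for (const char* s : samples) {
        const auto name = resolveShapeType(s);
        std::printf("o:spt=\"%s\" -> %s\n", s,
                    name ? std::string(*name).c_str() : "rejected (out of range)");
    }
    return 0;
}
```

The point of keeping the check in the lookup itself rather than only at the parser is that every caller, including ones that receive the number through an intermediate string as createCustomShapeDefaults does here, gets the same guarantee; a fuzzed document can only ever reach a table entry that exists.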