Created attachment 126934 [details]
Test file one field from database Bibliography

Steps to reproduce:
1. Create a doc with a field "Type" from database Bibliography. See attached file
2. Right click on field > Fields
3. Modify format: User-defined > Additional formats
4. Remove format code and type [$

Actual behavior: Crash with message
.../include/rtl/ustrbuf.hxx:370: sal_Unicode& rtl::OUStringBuffer::operator[](sal_Int32): Assertion `index >= 0 && index < pData->length' failed.

Reproduced with
- Version: 5.3.0.0.alpha0+
Build ID: 327f5cc66f122979943d2c896eb1824791a854c9
CPU Threads: 4; OS Version: Linux 3.16; UI Render: default;
TinderBox: Linux-rpm_deb-x86_64@70-TDF-dbg, Branch:master, Time: 2016-08-18_00:07:02
Locale: fr-FR (fr_FR.UTF-8); Calc: group

NOT reproduced with
- Version: 5.3.0.0.alpha0+
Build ID: 989e8bc0d792f0dc5778746fac45de129a22d7ac
CPU Threads: 4; OS Version: Linux 3.16; UI Render: default;
TinderBox: Linux-rpm_deb-x86_64@70-TDF, Branch:master, Time: 2016-08-16_01:29:43
Locale: fr-FR (fr_FR.UTF-8); Calc: group
Problem here: svl/source/numbers/zformat.cxx:1414
    case '$' :
        if ( rString[nPos] == '-' )
nPos == 2 is >= nLength
We should not test rString[nPos] without testing nPos.
I don't understand what was changed recently which makes this happen.

By the way, simple steps:
1. New Calc doc, Format > Cells > Numbers
2. Remove format code and type [$
Created attachment 126942 [details]
bt with symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
I attached a bt.
With LO Debian package 5.2.0.2, I don't reproduce this => regression.
This crash is reproducible only with dbg builds

Confirmed with
- Version: 5.3.0.0.alpha0+
Build ID: dde4e9a95479850bfc968fe712fe9e7ea7ef324e
CPU Threads: 4; OS Version: Linux 3.16; UI Render: default;
TinderBox: Linux-rpm_deb-x86_64@70-TDF-dbg, Branch:master, Time: 2016-08-07_04:38:14
Locale: fr-FR (fr_FR.UTF-8); Calc: group
- Version: 5.3.0.0.alpha0+
Build ID: 989e8bc0d792f0dc5778746fac45de129a22d7ac
CPU Threads: 4; OS Version: Linux 3.16; UI Render: default;
TinderBox: Linux-rpm_deb-x86_64@70-TDF-dbg, Branch:master, Time: 2016-08-16_02:21:43
Locale: fr-FR (fr_FR.UTF-8); Calc: group

The latter is the same build as in comment 0 where I did NOT reproduce the crash, but with dbg
dbgutil builds have some internal string access checks that assert on out-of-bounds access. The "crash" likely is there since the change from class String to OUString, as String[length] returned the terminating 0 character. OUString does the same in a non-dbgutil build, but as the terminating 0 character is not part of the string (and actually not guaranteed to be there), the dbgutil build checks the actual length.
Laurent Balland-Poirier committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=734eb8b034c8035565d091aa016ce3b8df838b19

tdf#101636 Test index before reading OUString

It will be available in 5.3.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Btw, for such dbgutil off-by-one assert/crash occurrences you don't need to file a bug, just fix it and decide whether it should go into another branch as well.
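
Added example, not part of the bug thread or the LibreOffice patch: a simplified stand-alone C++ reader for the `[$` prefix of a format code, showing the read at index == length that the dbgutil assert catches next to the "test index before reading" form. The names `BracketKind`, `checkedAt`, `classifyUnguarded`, `classifyGuarded` and `unguardedTrips` are hypothetical, `std::string` stands in for OUString, and treating a truncated `[$` as a currency bracket is an assumption of this sketch.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical, simplified classification of what follows '[' in a format code.
enum class BracketKind { Currency, LocaleOnly, Other };

// Checked element access, standing in for the dbgutil operator[] assert:
// index == length is out of bounds, the terminator is not part of the string.
static char checkedAt(const std::string& s, std::size_t i) {
    if (i >= s.size())
        throw std::out_of_range("index >= length");
    return s[i];
}

// "Before" shape from the report: reads s[pos] after '$' without testing pos.
BracketKind classifyUnguarded(const std::string& s) {
    std::size_t pos = 0;
    if (checkedAt(s, pos++) != '[') return BracketKind::Other;
    if (checkedAt(s, pos++) != '$') return BracketKind::Other;
    // pos == 2 here; for the input "[$" that equals the length.
    return checkedAt(s, pos) == '-' ? BracketKind::LocaleOnly
                                    : BracketKind::Currency;
}

// Guarded shape: test the index against the length before every read.
BracketKind classifyGuarded(const std::string& s) {
    std::size_t pos = 0;
    if (pos >= s.size() || s[pos++] != '[') return BracketKind::Other;
    if (pos >= s.size() || s[pos++] != '$') return BracketKind::Other;
    if (pos < s.size() && s[pos] == '-') return BracketKind::LocaleOnly;
    return BracketKind::Currency;  // assumption: truncated "[$" lands here
}

// Returns true when the unguarded reader trips the bounds check on `s`.
bool unguardedTrips(const std::string& s) {
    try { classifyUnguarded(s); } catch (const std::out_of_range&) { return true; }
    return false;
}

int main() {
    // Constructed inputs: the two-character trigger from the report and a
    // complete locale bracket.
    return (unguardedTrips("[$") && !unguardedTrips("[$-409]")) ? 0 : 1;
}
```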