Bug 103063 - FILEOPEN: DOCX - Crash on import file
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage
Version: Inherited From OOo (earliest affected)
Hardware: All All
Importance: highest critical
Assignee: Not Assigned
URL:
Whiteboard: target:5.4.0
Keywords: filter:docx, haveBacktrace
Depends on:
Blocks: Footnote-Endnote DOCX-Opening
Reported: 2016-10-09 13:39 UTC by Lennart Poettering
Modified: 2017-07-27 21:32 UTC (History)
Crash report or crash signature: ["writerfilter::dmapper::DomainMapper_Impl::finishParagraph(std::shared_ptr<writerfilter::dmapper::PropertyMap> const &)"]


Attachments
offending .docx file (1.32 MB, application/vnd.openxmlformats-officedocument.wordprocessingml.document), 2016-10-09 13:39 UTC, Lennart Poettering
gdbtrace.log as attachment, without additional line breaks (32.60 KB, text/plain), 2016-10-09 13:41 UTC, Lennart Poettering
sample docx without footnotes (1.30 MB, application/wps-office.docx), 2016-10-09 21:49 UTC, Yousuf Philips (jay) (retired)
console bt logs (27.02 KB, text/plain), 2016-10-10 20:00 UTC, Julien Nabet

Description Lennart Poettering 2016-10-09 13:39:39 UTC
Created attachment 127891 [details]
offending .docx file

Attached you find a .docx file that makes at least libreoffice-5.0.4.2-3.fc23.x86_64 and libreoffice-5.1.5.2-9.fc24.x86_64 crash on import.

On import it says: "Due to an unexpected error, LibreOffice crashed…" and so on, without further details on the precise error.

When I run oowriter with "--backtrace" I get the following:

<snip>
warning: Currently logging to gdbtrace.log.  Turn the logging off and on to make the new setting effective.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffe090c700 (LWP 22474)]
Detaching after fork from child process 22475.
warning: Corrupted shared library list: 0x5555557986d0 != 0x5555557973f0
[New Thread 0x7fffd5be5700 (LWP 22480)]
[New Thread 0x7fffd53e4700 (LWP 22481)]
[New Thread 0x7fffce763700 (LWP 22484)]
[New Thread 0x7fffcdf62700 (LWP 22485)]
[New Thread 0x7fffbbfff700 (LWP 22499)]
[New Thread 0x7fffba5b2700 (LWP 22502)]
[Thread 0x7fffd5be5700 (LWP 22480) exited]
Detaching after fork from child process 22507.
[New Thread 0x7fffd5be5700 (LWP 22513)]
[New Thread 0x7fffb266e700 (LWP 22515)]
[Thread 0x7fffb266e700 (LWP 22515) exited]

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb2739dae in writerfilter::dmapper::DomainMapper_Impl::finishParagraph(std::shared_ptr<writerfilter::dmapper::PropertyMap>) () from /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#0  0x00007fffb2739dae in writerfilter::dmapper::DomainMapper_Impl::finishParagraph(std::shared_ptr<writerfilter::dmapper::PropertyMap>) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#1  0x00007fffb26f9e37 in writerfilter::dmapper::DomainMapper::lcl_utext(unsigned char const*, unsigned long) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#2  0x00007fffb27d16ca in writerfilter::ooxml::OOXMLFastContextHandler::endOfParagraph() () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#3  0x00007fffb27cf43d in writerfilter::ooxml::OOXMLFactory::endAction(writerfilter::ooxml::OOXMLFastContextHandler*, int) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#4  0x00007fffbab1bd50 in (anonymous namespace)::Entity::endElement() () at /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#5  0x00007fffee67ce13 in xmlParseEndTag2 () at /lib64/libxml2.so.2
#6  0x00007fffee68299f in xmlParseTryOrFinish () at /lib64/libxml2.so.2
#7  0x00007fffee6844bb in xmlParseChunk () at /lib64/libxml2.so.2
#8  0x00007fffbab1dc45 in sax_fastparser::FastSaxParserImpl::parse() () at /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#9  0x00007fffbab21265 in sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource const&) () at /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#10 0x00007fffb27cd3f4 in writerfilter::ooxml::OOXMLDocumentImpl::resolve(writerfilter::Stream&) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#11 0x00007fffb27bfa6c in WriterFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#12 0x00007ffff467c471 in SfxObjectShell::ImportFrom(SfxMedium&, com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&) () at /usr/lib64/libreoffice/program/libsfxlo.so
#13 0x00007ffff46814ce in SfxObjectShell::DoLoad(SfxMedium*) () at /usr/lib64/libreoffice/program/libsfxlo.so
#14 0x00007ffff46b474f in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/libsfxlo.so
#15 0x00007ffff473d26f in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) () at /usr/lib64/libreoffice/program/libsfxlo.so
#16 0x00007fffcd150b6b in framework::LoadEnv::impl_loadContent() () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#17 0x00007fffcd151878 in framework::LoadEnv::startLoading() () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#18 0x00007fffcd0e372d in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#19 0x00007fffcd0e4568 in framework::LoadDispatcher::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#20 0x00007ffff5a7654d in comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/libcomphelper.so
#21 0x00007ffff7933c22 in desktop::DispatchWatcher::executeDispatchRequests(std::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) () at /usr/lib64/libreoffice/program/libsofficeapp.so
#22 0x00007ffff793ed60 in desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) () at /usr/lib64/libreoffice/program/libsofficeapp.so
#23 0x00007ffff791af78 in desktop::Desktop::OpenClients() () at /usr/lib64/libreoffice/program/libsofficeapp.so
#24 0x00007ffff791c250 in desktop::Desktop::OpenClients_Impl(void*) () at /usr/lib64/libreoffice/program/libsofficeapp.so
#25 0x00007ffff266e0eb in ImplWindowFrameProc(vcl::Window*, SalFrame*, unsigned short, void const*) () at /usr/lib64/libreoffice/program/libvcllo.so
#26 0x00007ffff28d6df6 in SalGenericDisplay::DispatchInternalEvent() () at /usr/lib64/libreoffice/program/libvcllo.so
#27 0x00007fffd934b2f9 in GtkData::userEventFn(void*) () at /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#28 0x00007fffd934b371 in call_userEventFn () at /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#29 0x00007fffeb5d1e3a in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#30 0x00007fffeb5d21d0 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#31 0x00007fffeb5d227c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#32 0x00007fffd934a7f7 in GtkData::Yield(bool, bool) () at /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#33 0x00007ffff28666e1 in Application::Yield() () at /usr/lib64/libreoffice/program/libvcllo.so
#34 0x00007ffff2866775 in Application::Execute() () at /usr/lib64/libreoffice/program/libvcllo.so
#35 0x00007ffff791d6eb in desktop::Desktop::Main() () at /usr/lib64/libreoffice/program/libsofficeapp.so
#36 0x00007ffff286b731 in ImplSVMain() () at /usr/lib64/libreoffice/program/libvcllo.so
#37 0x00007ffff286b782 in SVMain() () at /usr/lib64/libreoffice/program/libvcllo.so
#38 0x00007ffff79430f2 in soffice_main () at /usr/lib64/libreoffice/program/libsofficeapp.so
#39 0x000055555555483b in main ()

Thread 9 (Thread 0x7fffd5be5700 (LWP 22513)):
#0  0x00007ffff7329eb9 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libpthread.so.0
#1  0x00007ffff7bae1be in osl_waitCondition () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#2  0x00007fffcd103e33 in framework::WakeUpThread::execute() () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#3  0x00007ffff4e23b26 in salhelper::Thread::run() () at /usr/lib64/libreoffice/program/libuno_salhelpergcc3.so.3
#4  0x00007ffff4e23d2a in threadFunc () at /usr/lib64/libreoffice/program/libuno_salhelpergcc3.so.3
#5  0x00007ffff7bbcd57 in osl_thread_start_Impl(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#6  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#7  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 8 (Thread 0x7fffba5b2700 (LWP 22502)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffd769d05c in x11::SelectionManager::dispatchEvent(int) () at /usr/lib64/libreoffice/program/libvclplug_genlo.so
#2  0x00007fffd769d2fd in x11::SelectionManager::run(void*) () at /usr/lib64/libreoffice/program/libvclplug_genlo.so
#3  0x00007ffff7bbcd57 in osl_thread_start_Impl(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#4  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#5  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 7 (Thread 0x7fffbbfff700 (LWP 22499)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffd7681665 in ICEConnectionWorker () at /usr/lib64/libreoffice/program/libvclplug_genlo.so
#2  0x00007ffff7bbcd57 in osl_thread_start_Impl(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#3  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#4  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 6 (Thread 0x7fffcdf62700 (LWP 22485)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffeb5d216c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2  0x00007fffeb5d24f2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#3  0x00007fffebbf3336 in gdbus_shared_thread_func () at /lib64/libgio-2.0.so.0
#4  0x00007fffeb5f8835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#6  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 5 (Thread 0x7fffce763700 (LWP 22484)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
...skipping...
#7  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 8 (Thread 0x7fffba5b2700 (LWP 22886)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffd769d05c in x11::SelectionManager::dispatchEvent(int) () at /usr/lib64/libreoffice/program/libvclplug_genlo.so
#2  0x00007fffd769d2fd in x11::SelectionManager::run(void*) () at /usr/lib64/libreoffice/program/libvclplug_genlo.so
#3  0x00007ffff7bbcd57 in osl_thread_start_Impl(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#4  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#5  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 7 (Thread 0x7fffbbfff700 (LWP 22883)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffd7681665 in ICEConnectionWorker () at /usr/lib64/libreoffice/program/libvclplug_genlo.so
#2  0x00007ffff7bbcd57 in osl_thread_start_Impl(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#3  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#4  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 6 (Thread 0x7fffcdf62700 (LWP 22870)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffeb5d216c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2  0x00007fffeb5d24f2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#3  0x00007fffebbf3336 in gdbus_shared_thread_func () at /lib64/libgio-2.0.so.0
#4  0x00007fffeb5f8835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#6  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 5 (Thread 0x7fffce763700 (LWP 22869)):
#0  0x00007ffff7630fdd in poll () at /lib64/libc.so.6
#1  0x00007fffeb5d216c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2  0x00007fffeb5d227c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#3  0x00007fffeb5d22b9 in glib_worker_main () at /lib64/libglib-2.0.so.0
#4  0x00007fffeb5f8835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#6  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 4 (Thread 0x7fffd53e4700 (LWP 22866)):
#0  0x00007ffff763d71d in accept () at /lib64/libc.so.6
#1  0x00007ffff7bb4974 in osl_acceptPipe () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#2  0x00007ffff793fd05 in desktop::OfficeIPCThread::execute() () at /usr/lib64/libreoffice/program/libsofficeapp.so
#3  0x00007ffff4e23b26 in salhelper::Thread::run() () at /usr/lib64/libreoffice/program/libuno_salhelpergcc3.so.3
#4  0x00007ffff4e23d2a in threadFunc () at /usr/lib64/libreoffice/program/libuno_salhelpergcc3.so.3
#5  0x00007ffff7bbcd57 in osl_thread_start_Impl(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#6  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#7  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 2 (Thread 0x7fffe090c700 (LWP 22859)):
#0  0x00007ffff7329eb9 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libpthread.so.0
#1  0x00007ffff7b96bfb in rtl_cache_wsupdate_all(void*) () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#2  0x00007ffff732460a in start_thread () at /lib64/libpthread.so.0
#3  0x00007ffff763ca4d in clone () at /lib64/libc.so.6

Thread 1 (Thread 0x7ffff7f06a40 (LWP 22841)):
#0  0x00007fffb2739dae in writerfilter::dmapper::DomainMapper_Impl::finishParagraph(std::shared_ptr<writerfilter::dmapper::PropertyMap>) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#1  0x00007fffb26f9e37 in writerfilter::dmapper::DomainMapper::lcl_utext(unsigned char const*, unsigned long) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#2  0x00007fffb27d16ca in writerfilter::ooxml::OOXMLFastContextHandler::endOfParagraph() () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#3  0x00007fffb27cf43d in writerfilter::ooxml::OOXMLFactory::endAction(writerfilter::ooxml::OOXMLFastContextHandler*, int) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#4  0x00007fffbab1bd50 in (anonymous namespace)::Entity::endElement() () at /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#5  0x00007fffee67ce13 in xmlParseEndTag2 () at /lib64/libxml2.so.2
#6  0x00007fffee68299f in xmlParseTryOrFinish () at /lib64/libxml2.so.2
#7  0x00007fffee6844bb in xmlParseChunk () at /lib64/libxml2.so.2
#8  0x00007fffbab1dc45 in sax_fastparser::FastSaxParserImpl::parse() () at /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#9  0x00007fffbab21265 in sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource const&) () at /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#10 0x00007fffb27cd3f4 in writerfilter::ooxml::OOXMLDocumentImpl::resolve(writerfilter::Stream&) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#11 0x00007fffb27bfa6c in WriterFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/../program/libwriterfilterlo.so
#12 0x00007ffff467c471 in SfxObjectShell::ImportFrom(SfxMedium&, com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&) () at /usr/lib64/libreoffice/program/libsfxlo.so
#13 0x00007ffff46814ce in SfxObjectShell::DoLoad(SfxMedium*) () at /usr/lib64/libreoffice/program/libsfxlo.so
#14 0x00007ffff46b474f in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/libsfxlo.so
#15 0x00007ffff473d26f in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) () at /usr/lib64/libreoffice/program/libsfxlo.so
#16 0x00007fffcd150b6b in framework::LoadEnv::impl_loadContent() () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#17 0x00007fffcd151878 in framework::LoadEnv::startLoading() () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#18 0x00007fffcd0e372d in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#19 0x00007fffcd0e4568 in framework::LoadDispatcher::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/../program/libfwklo.so
#20 0x00007ffff5a7654d in comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () at /usr/lib64/libreoffice/program/libcomphelper.so
#21 0x00007ffff7933c22 in desktop::DispatchWatcher::executeDispatchRequests(std::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) () at /usr/lib64/libreoffice/program/libsofficeapp.so
#22 0x00007ffff793ed60 in desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) () at /usr/lib64/libreoffice/program/libsofficeapp.so
#23 0x00007ffff791af78 in desktop::Desktop::OpenClients() () at /usr/lib64/libreoffice/program/libsofficeapp.so
#24 0x00007ffff791c250 in desktop::Desktop::OpenClients_Impl(void*) () at /usr/lib64/libreoffice/program/libsofficeapp.so
#25 0x00007ffff266e0eb in ImplWindowFrameProc(vcl::Window*, SalFrame*, unsigned short, void const*) () at /usr/lib64/libreoffice/program/libvcllo.so
#26 0x00007ffff28d6df6 in SalGenericDisplay::DispatchInternalEvent() () at /usr/lib64/libreoffice/program/libvcllo.so
#27 0x00007fffd934b2f9 in GtkData::userEventFn(void*) () at /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#28 0x00007fffd934b371 in call_userEventFn () at /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#29 0x00007fffeb5d1e3a in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#30 0x00007fffeb5d21d0 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#31 0x00007fffeb5d227c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#32 0x00007fffd934a7f7 in GtkData::Yield(bool, bool) () at /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#33 0x00007ffff28666e1 in Application::Yield() () at /usr/lib64/libreoffice/program/libvcllo.so
#34 0x00007ffff2866775 in Application::Execute() () at /usr/lib64/libreoffice/program/libvcllo.so
#35 0x00007ffff791d6eb in desktop::Desktop::Main() () at /usr/lib64/libreoffice/program/libsofficeapp.so
#36 0x00007ffff286b731 in ImplSVMain() () at /usr/lib64/libreoffice/program/libvcllo.so
#37 0x00007ffff286b782 in SVMain() () at /usr/lib64/libreoffice/program/libvcllo.so
#38 0x00007ffff79430f2 in soffice_main () at /usr/lib64/libreoffice/program/libsofficeapp.so
#39 0x000055555555483b in main ()
A debugging session is active.

        Inferior 1 [process 22841] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]
</snip>
Comment 1 Lennart Poettering 2016-10-09 13:41:05 UTC
Created attachment 127892 [details]
gdbtrace.log as attachment, without additional line breaks

I also attached the gdbtrace.log output here as an attachment, might be easier to read than the inline paste, given the line breaks that were added.
Comment 2 m.a.riosv 2016-10-09 16:57:41 UTC
Open in Win10x64 with:
Versión: 5.0.6.2 (x64)
Id. de compilación: b3fbfa99158a1030fb79f0ba72b6851afc3c7895-GL
Configuración regional: es-ES (es_ES)
Version: 5.1.6.1 (x64)
Build ID: f3e25ec0581f5012f54d8810dcddd5824f4ee374
CPU Threads: 1; OS Version: Windows 6.19; UI Render: default; 
Locale: es-ES (es_ES); Calc: CL
Version: 5.2.2.2 (x64)
Build ID: 8f96e87c890bf8fa77463cd4b640a2312823f3ad
CPU Threads: 1; OS Version: Windows 6.19; UI Render: GL; 
Locale: es-ES (es_ES); Calc: CL

Crash with:
Version: 5.3.0.0.alpha0+
Build ID: ed5ca17dce1d088ce3fbbb3a30f748ba92cd07d9
CPU Threads: 4; OS Version: Windows 6.19; UI Render: default; 
TinderBox: Win-x86@42, Branch:master, Time: 2016-10-09_05:40:51
Locale: es-ES (es_ES); Calc: CL
Comment 3 Buovjaga 2016-10-09 18:46:54 UTC
Repro crash.

Arch Linux 64-bit
LibreOffice 3.3.0 
OOO330m19 (Build:6)
tag libreoffice-3.3.0.4

Arch Linux 64-bit, KDE Plasma 5
Version: 5.3.0.0.alpha0+
Build ID: ff2a399b61f34f7920e594e8cbb6c19045b24956
CPU Threads: 8; OS Version: Linux 4.7; UI Render: default; 
Locale: fi-FI (fi_FI.UTF-8); Calc: group
Built on October 7th 2016
Comment 4 MM 2016-10-09 18:54:35 UTC
Unconfirmed with v3.3.4 under Windows 7 x64.
Unconfirmed with v5.1.5.2 under Windows 7 x64.
Unconfirmed with v5.2.2.2 under Windows 10 x64.

Loads just fine on these configs, might crash on others.
Comment 5 Yousuf Philips (jay) (retired) 2016-10-09 21:38:32 UTC
On Windows 8.1, it loads the document in 3.6.7, 4.2.8, 5.2.1 but it's missing around 8 pages, and with master the loading document progress bar would sit at 95% and won't go any further. On Linux it crashes when loading.
Comment 6 Yousuf Philips (jay) (retired) 2016-10-09 21:49:43 UTC
Created attachment 127904 [details]
sample docx without footnotes

So I decided to play with the xml and deleted /word/footnotes.xml and removed all the <w:footnoteReference> tags from /word/document.xml and the document opened fine with all its pages on Linux, so hopefully that narrows it down.
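
The narrowing step described in comment 6, written out as an added example (not part of the original thread and not LibreOffice code). It goes slightly beyond the comment by also dropping the relationship and content-type entries that point at the removed part; the `w:` prefix, the part names and the size limit are assumptions based on the usual DOCX layout, and the sample package is constructed.

```python
import io
import re
import zipfile

# Assumptions (not from the bug report): the main part uses the conventional
# "w:" prefix and the footnotes part is wired up by the usual package entries.
FOOTNOTES_PART = "word/footnotes.xml"
MAX_UNPACKED = 256 * 1024 * 1024  # refuse inputs that declare an absurd unpacked size

# Patterns run on raw bytes so every other byte of each part is preserved,
# which keeps the reduced file as close as possible to the crashing one.
PATTERNS = {
    "word/document.xml": re.compile(
        rb"<w:footnoteReference\b[^>]*?(?:/>|>\s*</w:footnoteReference>)"),
    "word/_rels/document.xml.rels": re.compile(
        rb"<Relationship\b[^>]*\bTarget=\"footnotes\.xml\"[^>]*/>"),
    "[Content_Types].xml": re.compile(
        rb"<Override\b[^>]*\bPartName=\"/word/footnotes\.xml\"[^>]*/>"),
}


def strip_footnotes(docx_bytes):
    """Return (reduced_docx_bytes, number_of_footnote_references_removed)."""
    removed = 0
    out = io.BytesIO()
    # Everything stays in memory: member names from the untrusted archive are
    # never used as filesystem paths.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if sum(i.file_size for i in src.infolist()) > MAX_UNPACKED:
            raise ValueError("declared unpacked size exceeds limit")
        for info in src.infolist():
            if info.filename == FOOTNOTES_PART:
                continue  # step 1: delete /word/footnotes.xml
            data = src.read(info)
            pattern = PATTERNS.get(info.filename)
            if pattern is not None:
                data, n = pattern.subn(b"", data)  # step 2: drop the references
                if info.filename == "word/document.xml":
                    removed = n
            dst.writestr(info.filename, data)
    return out.getvalue(), removed


W = b"http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample():
    """Constructed package skeleton with one footnote (not a complete document)."""
    doc = (b'<w:document xmlns:w="' + W + b'"><w:body><w:p>'
           b'<w:r><w:t>Body text</w:t></w:r>'
           b'<w:r><w:footnoteReference w:id="2"/></w:r>'
           b'</w:p></w:body></w:document>')
    notes = (b'<w:footnotes xmlns:w="' + W + b'"><w:footnote w:id="2"><w:p>'
             b'<w:r><w:t>Note text</w:t></w:r></w:p></w:footnote></w:footnotes>')
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/'
            b'package/2006/relationships"><Relationship Id="rId1" '
            b'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            b'relationships/footnotes" Target="footnotes.xml"/></Relationships>')
    types = (b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
             b'content-types"><Override PartName="/word/document.xml" '
             b'ContentType="application/vnd.openxmlformats-officedocument.'
             b'wordprocessingml.document.main+xml"/>'
             b'<Override PartName="/word/footnotes.xml" '
             b'ContentType="application/vnd.openxmlformats-officedocument.'
             b'wordprocessingml.footnotes+xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("[Content_Types].xml", types),
                           ("word/document.xml", doc),
                           ("word/_rels/document.xml.rels", rels),
                           (FOOTNOTES_PART, notes)):
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    reduced, count = strip_footnotes(build_sample())
    with zipfile.ZipFile(io.BytesIO(reduced)) as z:
        print(count, "reference(s) removed; remaining parts:", z.namelist())
```

If the reduced file loads while the original crashes, the fault is confined to footnote handling, which is the conclusion comments 6 and 7 reach.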
Comment 7 MM 2016-10-09 22:40:11 UTC
Re-tested with v5.2.2.2 under Ubuntu 16.04 x64. Indeed the crash doesn't exist anymore w/o footnotes.
Comment 8 Julien Nabet 2016-10-10 20:00:16 UTC
Created attachment 127933 [details]
console bt logs

On pc Debian x86-64 with master sources updated today, I could reproduce this.
I attached a bt with symbols (+ console logs)
Comment 9 Timur 2017-01-17 11:45:57 UTC
The first question on these "fileopen MS/OOXML file" should be the source and file history. This docx has 366 errors on OpenXML validation.
Surely, LO shouldn't crash and the bug is valid.
crashreport.libreoffice.org/stats/crash_details/69dbc810-65ae-48ad-a8e4-4476da4910b4
Other similar crashes: http://crashreport.libreoffice.org/stats/signature/writerfilter::dmapper::DomainMapper_Impl::finishParagraph%28std::shared_ptr%3Cwriterfilter::dmapper::PropertyMap%3E%20const%20&%29
Comment 10 Commit Notification 2017-01-17 11:51:21 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=4b3e8de6b3cb971b02aa0cb90aceb9e104071d3b

Resolves: tdf#103063 don't crash on importing this file

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 11 Xisco Faulí 2017-01-17 21:13:43 UTC
Verified in

Version: 5.4.0.0.alpha0+
Build ID: 4b3e8de6b3cb971b02aa0cb90aceb9e104071d3b
CPU Threads: 4; OS Version: Linux 4.8; UI Render: default; VCL: gtk2; 
Locale: ca-ES (ca_ES.UTF-8); Calc: group

SAXParseException is the same as in bug 104181
Comment 12 Xisco Faulí 2017-01-18 09:35:44 UTC
Hi Caolán,
Can it be backported to 5.3?
Comment 13 Timur 2017-01-19 09:40:13 UTC
Caolán wrote "doesn't go on to successfully open the docx, but it doesn't crash" which is fine for me because "we don't know this file source and history and it has 366 errors on OpenXML validation."

But, there's sth. I don't understand: after "file format error message", why is there "loading document..." in status bar, until we open some other file?
Comment 14 Xisco Faulí 2017-02-07 10:56:50 UTC
Verified in

Version: 5.4.0.0.alpha0+
Build ID: fc53cce64400430cdc21f79c959d75fb9a26d13d
CPU Threads: 4; OS Version: Linux 4.8; UI Render: default; VCL: gtk2; 
Locale: ca-ES (ca_ES.UTF-8); Calc: group
Comment 15 Yousuf Philips (jay) (retired) 2017-07-27 21:32:02 UTC
(In reply to Timur from comment #13)
> Caolán wrote "doesn't go on to successfully open the docx, but it doesn't
> crash" which is fine for me because "we don't know this file source and
> history and it has 366 errors on OpenXML validation."

According to app.xml in attachment 127891 [details], the file was modified by LibreOffice 5.1.4.2 on Windows, but as it has <Template>Normal.dotm</Template>, it was most likely created in MS Word, so it is likely that LO produced these errors when saving.