Bug 107709 - MSO2003XML filter: FILEOPEN: assertion 'len >= 0' at sequence.cxx:664
Summary: MSO2003XML filter: FILEOPEN: assertion 'len >= 0' at sequence.cxx:664
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage (show other bugs)
Version (earliest affected): 3.5 all versions
Hardware: All
OS: All
Importance: highest critical
Assignee: Michael Stahl
QA Contact:
URL:
Whiteboard: target:5.4.0 target:5.3.4
Keywords: haveBacktrace, regression
Depends on:
Blocks: MSO-XML2003
Reported: 2017-05-08 20:36 UTC by Terrence Enger
Modified: 2017-11-16 00:04 UTC (History)
CC: 5 users

See Also:
Crash report or crash signature: ["com::sun::star::uno::Sequence<signed char>::Sequence<signed char>(long)"]


Attachments
- file provoking assertion (69.28 KB, text/xml), 2017-05-08 20:36 UTC, Terrence Enger
- gdb on the core file (27.84 KB, text/plain), 2017-05-08 20:39 UTC, Terrence Enger
- bt with debug symbols (12.08 KB, text/plain), 2017-05-09 21:09 UTC, Julien Nabet

Description Terrence Enger 2017-05-08 20:36:51 UTC
Created attachment 133167 [details]
file provoking assertion

STR
---
(0) Optionally download word_2003.xml attached to this report and skip
    ahead to step (3).

(1) In Windows Vista, with MSWord 2003, open arn10887#2.rtf attached
    to bug 49666
    <http://bugs.documentfoundation.org/attachment.cgi?id=63853>.

(2) Save As ... type=xml, name=word_2003.xml.
    
(3) In Linux, open word_2003.xml from the command line.  Program
    crashes with messages (lines rewrapped) ...

        warn:vcl:2006:1:vcl/unx/generic/fontmanager/fontmanager.cxx:701:
            Could not OpenTTFont
            "/usr/share/fonts/woff/font-awesome/fontawesome-webfont.woff"
        'l' command is not supported currently, so we use 'L'. This may
            case problem.
        soffice.bin:
            /home/terry/lo_hacking/git/libo6/cppu/source/uno/sequence.cxx:664:
            sal_Bool uno_type_sequence_construct(uno_Sequence**,
            typelib_TypeDescriptionReference*, void*, sal_Int32,
            uno_AcquireFunc): Assertion `len >= 0' failed.
        warn:uui:2006:1:uui/source/iahndl.cxx:240:
            replaceMessageWithArguments: No arguments passed!
        Application Error

The 2017-05-07 daily build (i.e., non-dbgutil) terminates after the
"Fontconfig warning...", and so does 41max bibisect repository version
oldest.

The backtrace is from local build of commit eb35ead6, 2017-05-05,
configured ...
    CC=ccache /usr/bin/gcc
    CXX=ccache /usr/bin/g++
    --enable-option-checking=fatal
    --enable-dbgutil
    --enable-debug
    --without-system-postgresql
    --without-myspell-dicts
    --with-extra-buildid
    --without-doxygen
    --with-external-tar=/home/terry/lo_hacking/git/src
    --without-package-format
built and running on debian-stretch.

I am setting version "4.1 all versions" and keyword haveBacktrace.
Comment 1 Terrence Enger 2017-05-08 20:39:34 UTC
Created attachment 133168 [details]
gdb on the core file
Comment 2 Xisco Faulí 2017-05-09 11:40:35 UTC
Confirmed in

- Version: 5.4.0.0.alpha1+
Build ID: f12096272e684ddcd8ffa4e34dcb0a680cc594c2
CPU threads: 4; OS: Linux 4.8; UI render: default; VCL: gtk2; 
Locale: ca-ES (ca_ES.UTF-8); Calc: group


- Version 4.1.0.0.alpha0+ (Build ID: efca6f15609322f62a35619619a6d5fe5c9bd5a)

- LibreOffice 3.5.0 
Build ID: d6cde02

In 

LibreOffice 3.3.0 
OOO330m19 (Build:6)
tag libreoffice-3.3.0.4

I get a General Error. General Input/output error.

Also reproduced in

Versión: 5.3.2.2
Id. de compilación: 6cd4f1ef626f15116896b1d8e1398b56da0d0ee1
Subproc. CPU: 1; SO: Windows 6.1; Repr. de IU: predet.; Motor de trazado: HarfBuzz; 
Configuración regional: es-ES (es_ES); Calc: group
Comment 3 Terrence Enger 2017-05-09 11:55:32 UTC
(In reply to Xisco Faulí from comment #2)
> In 
> 
> LibreOffice 3.3.0 
> OOO330m19 (Build:6)
> tag libreoffice-3.3.0.4
> 
> I get a General Error. General Input/output error.

This seems to be the message that LibreOffice gives for any file that
it cannot open.  I think the wording could usefully be more specific,
to distinguish a merely nonsensical input file from a system-level
error; but that is the way it is.

So, I suggest that LO 3.3.0 is not showing this bug.  Thoughts?
Comment 4 Julien Nabet 2017-05-09 21:09:58 UTC
Created attachment 133202 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
I attached bt + some gdb debug traces.
Comment 5 Julien Nabet 2017-05-09 21:11:36 UTC
Caolán: noticing a recent fix from you about OLE stuff, thought you might be interested in this one.
(of course, don't hesitate to uncc yourself if I'm wrong)
Comment 6 Michael Stahl 2017-05-10 20:01:56 UTC
Though I can't test because of the jvmfwk Java version parsing bug,
I guess the old Java XSLT implementation in LO <= 3.4 didn't have *this* problem
-> regression

fixed on master
Comment 7 Commit Notification 2017-05-10 20:04:51 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=088b898856a82d7ac4851a6e7dfe4d189d881f8e

tdf#107709 filter: MSO2003XML import: fix invalid OLE lengths

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
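The assertion quoted in the description fires when a length taken from the document reaches the Sequence<sal_Int8> constructor as a negative sal_Int32, and the commit subject above says the fix was to reject invalid OLE lengths. The C++ below is an added illustration of that defect class and of the check a reader needs before allocating; it is not code from LibreOffice or from the linked commit. The 4-byte little-endian length-prefix layout, the sample blobs, and the function names readLengthUnchecked, readOlePayloadChecked and checkedPayloadLength are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <limits>
#include <vector>

// Hypothetical blob layout (constructed for this example, not the real
// MSO 2003 XML / OLE encoding): a 4-byte little-endian length prefix
// followed by that many payload bytes.  sal_Int32 / sal_Int8 are modelled
// with the equivalent fixed-width types; Sequence<sal_Int8>(len) asserts
// len >= 0, so a length must never reach it negative.
using sal_Int32 = std::int32_t;
using sal_Int8 = signed char;

// Reads the prefix the way an unchecked importer would: the raw 32-bit
// field is narrowed to a signed sal_Int32 without validation, so a
// field of 0xFFFFFFFF becomes -1.  Caller must pass at least 4 bytes.
sal_Int32 readLengthUnchecked(const std::vector<unsigned char>& blob) {
    std::uint32_t raw = 0;
    std::memcpy(&raw, blob.data(), sizeof raw);
    return static_cast<sal_Int32>(raw);
}

// Hardened reader: copies the payload into `payload` and returns true only
// when the declared length is non-negative as a sal_Int32 and does not
// exceed the bytes actually present.  Anything else is rejected instead of
// being forwarded to a Sequence constructor.
bool readOlePayloadChecked(const std::vector<unsigned char>& blob,
                           std::vector<sal_Int8>& payload) {
    if (blob.size() < sizeof(std::uint32_t))
        return false;                                   // truncated header
    std::uint32_t raw = 0;
    std::memcpy(&raw, blob.data(), sizeof raw);
    // Reject anything that would be negative once narrowed to sal_Int32.
    if (raw > static_cast<std::uint32_t>(std::numeric_limits<sal_Int32>::max()))
        return false;
    const std::size_t len = static_cast<std::size_t>(raw);
    const std::size_t remaining = blob.size() - sizeof raw;
    if (len > remaining)
        return false;                                   // claims more than exists
    payload.assign(blob.begin() + sizeof raw, blob.begin() + sizeof raw + len);
    return true;
}

// Convenience wrapper: payload length on success, -1 when rejected.
long checkedPayloadLength(const std::vector<unsigned char>& blob) {
    std::vector<sal_Int8> payload;
    return readOlePayloadChecked(blob, payload)
               ? static_cast<long>(payload.size()) : -1L;
}

// Builds a constructed sample blob with an arbitrary declared length.
std::vector<unsigned char> makeBlob(std::uint32_t declaredLen,
                                    const std::vector<unsigned char>& body) {
    std::vector<unsigned char> out(4);
    for (int i = 0; i < 4; ++i)
        out[i] = static_cast<unsigned char>((declaredLen >> (8 * i)) & 0xFF);
    out.insert(out.end(), body.begin(), body.end());
    return out;
}

// Constructed inputs: a consistent blob, one whose length narrows to -1,
// and one that declares more bytes than it carries.
const std::vector<unsigned char> kGoodBlob = makeBlob(3, {0x41, 0x42, 0x43});
const std::vector<unsigned char> kNegativeLenBlob = makeBlob(0xFFFFFFFFu, {0x41});
const std::vector<unsigned char> kOversizedBlob = makeBlob(100, {0x41, 0x42});

int main() {
    std::cout << "unchecked length of negative blob: "
              << readLengthUnchecked(kNegativeLenBlob) << '\n';
    std::cout << "checked good/negative/oversized: "
              << checkedPayloadLength(kGoodBlob) << ' '
              << checkedPayloadLength(kNegativeLenBlob) << ' '
              << checkedPayloadLength(kOversizedBlob) << '\n';
    return 0;
}
```

The unchecked reader shows why the assertion in sequence.cxx is reachable from file content alone; the checked reader turns the same inputs into an ordinary import failure, which is the behaviour a release (non-dbgutil) build should have had instead of terminating.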
Comment 8 Julien Nabet 2017-05-11 20:15:11 UTC
On pc Debian x86-64 with master sources updated today, I don't reproduce this anymore.
Thank you Michael!
Comment 9 Terrence Enger 2017-05-11 23:30:29 UTC
Thank you, Michael and Julien.

With daily Linux dbgutil bibisect version 2017-05-11, the assertion no
longer fires, and LibreOffice even displays the document.
Comment 10 Commit Notification 2017-05-16 09:49:21 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5d474fc14581eaceb1defa7eabf5bcd335143b2d&h=libreoffice-5-3

tdf#107709 filter: MSO2003XML import: fix invalid OLE lengths

It will be available in 5.3.4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.