Created attachment 138198 [details] test ods Calc crashes when I was tring to delete a sheet, in case the preceding sheet contains an image. Steps to reproduce: 1. Insert an image in sheet2; 2. Insert sheet2; 3. Delete sheet2. --> Crash. Version: 6.1.0.0.alpha0+ Build ID:6b3cc69fd2b2de5ace68f2739eb383267d66f76f CPU 线程:4; 操作系统:Linux 4.13; UI 渲染:默认; VCL: gtk3; Locale: zh-CN (zh_CN.UTF-8); Calc: group Fedora 26 x64
Created attachment 138199 [details] gdbtrace.log from dbgutil build Attached is a backtrace produced with a dbgutil build, hope it will be helpful. Also, I get the following in terminal: /usr/include/c++/7/debug/vector:424: Error: attempt to subscript container with out-of-bounds index 1, but container only holds 1 elements. Objects involved in the operation: sequence "this" @ 0x0x2859340 { type = std::__debug::vector<ScTable*, std::allocator<ScTable*> >; }
no crash with 6.0.0 beta1.
Confirmed with a recent 6.1 master build (226c4c010e805fb899ab065c3837241861d6d6db) / Ubuntu 17.04. Note that this might only occur in debug builds, since it refers to debug C++ STL code.
On pc Debian x86-64 with master sources updated today, I could reproduce this. In fact, there's no need to insert an image. 1) Create a brand new ods file 2) On initial sheet, select L12 cell 3) create a new sheet (cursor is automatically put on A1 of the new sheet) 4) delete the new sheet => crash
The gdb trace below shows that the pb is "nTab". Its value is 1 and should be 0 since there's only 1 sheet remaining and the count begins to 0 #5 0x00007fffc8f8b9aa in ScCellTextData::GetTextForwarder (this=0x555557dd6190) at /home/julien/lo/libreoffice/sc/source/ui/unoobj/textuno.cxx:969 969 sal_uInt32 nFormat = rDoc.GetNumberFormat(aCellPos); (gdb) p aCellPos $5 = {nRow = 11, nCol = 11, nTab = 1, static detailsOOOa1 = {eConv = formula::FormulaGrammar::CONV_OOO, nRow = 0, nCol = 0}}
I submitted a patch to review here: https://gerrit.libreoffice.org/#/c/45911 Let's wait for feedback now.
Julien Nabet committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=c9f712bdfbad1ad16f0721d889167eb232917eab tdf#114228: fix crash when deleting sheet in specific case It will be available in 6.1.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Eike Rathke committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=7265e75f8b34cc1043b972478e8b499566660f86 Prevent out-of-bounds access, tdf#114228 related It will be available in 6.1.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Julien Nabet committed a patch related to this issue. It has been pushed to "libreoffice-6-0": http://cgit.freedesktop.org/libreoffice/core/commit/?id=b4e51cdaf859dfffee0561c51a72eb5c73ee23f4&h=libreoffice-6-0 tdf#114228: fix crash when deleting sheet in specific case It will be available in 6.0.0.1. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
For 5.4, waiting for review: https://gerrit.libreoffice.org/#/c/45977/
Verified fixed on master Version: 6.1.0.0.alpha0+ Build ID:9644f506ae31f1cacd6ab4c24b2591179791eebd CPU 线程:4; 操作系统:Linux 4.13; UI 渲染:默认; VCL: gtk2; Locale: zh-CN (zh_CN.UTF-8); Calc: group threaded
Eike Rathke committed a patch related to this issue. It has been pushed to "libreoffice-6-0": http://cgit.freedesktop.org/libreoffice/core/commit/?id=d17dfb3dc1cc7fd91ede9a58337d89e38fd3b022&h=libreoffice-6-0 Prevent out-of-bounds access, tdf#114228 related It will be available in 6.0.0.1. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Julien Nabet committed a patch related to this issue. It has been pushed to "libreoffice-5-4": http://cgit.freedesktop.org/libreoffice/core/commit/?id=c195e84385c8917fab6f2091cab24d33f1e2bc6f&h=libreoffice-5-4 tdf#114228: fix crash when deleting sheet in specific case It will be available in 5.4.5. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.