Bug 144271 - leaks of SwTextBoxHelper
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
(earliest affected) alpha0+
Hardware: All All
: medium normal
Assignee: Attila Bakos (NISZ)
Whiteboard: target:7.3.0
Reported: 2021-09-02 13:39 UTC by Caolán McNamara
Modified: 2021-12-05 08:05 UTC

case 1 (23.22 KB, application/zip)
2021-09-02 13:39 UTC, Caolán McNamara
case 2 (10.18 KB, application/zip)
2021-09-02 13:40 UTC, Caolán McNamara
case 3 (23.25 KB, application/zip)
2021-09-02 13:40 UTC, Caolán McNamara
case 4 (48.32 KB, application/zip)
2021-09-02 13:40 UTC, Caolán McNamara
memory check after the fix (68.89 KB, text/plain)
2021-11-24 10:54 UTC, László Németh

Description Caolán McNamara 2021-09-02 13:39:12 UTC
oss-fuzz has detected leaks of SwTextBoxHelper when fuzzing .docx.

These seem to have begun since: https://gerrit.libreoffice.org/c/core/+/120452

commit 504d78acb866495fd954fcd6db22ea68f174a5ab
Author: Attila Bakos (NISZ) <bakos.attilakaroly@nisz.hu>
Date:   Fri Aug 13 14:11:24 2021 +0200

    tdf#143574 sw: textboxes in group shapes - part 1

Steps to Reproduce:
This is a bit of a pain to reproduce because they are generated documents, but under Linux see vcl/workben/fftester.cxx and

1 cp workdir/LinkTarget/Executable/fftester instdir/program
2 LD_LIBRARY_PATH=`pwd`/instdir/program valgrind --leak-check=yes instdir/program/fftester ~/Downloads/DOCUMENT docx

where for DOCUMENT substitute one of the attachments

Actual Results:
==738289== 88 (64 direct, 24 indirect) bytes in 1 blocks are definitely lost in loss record 1,623 of 2,437
==738289==    at 0x4840FF5: operator new(unsigned long) (vg_replace_malloc.c:417)
==738289==    by 0x1CFCAC74: SwTextBoxHelper::create(SwFrameFormat*, SdrObject*, bool) (textboxhelper.cxx:119)
==738289==    by 0x1D868D58: SwXShape::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) (unodraw.cxx:1169)
==738289==    by 0x22DD540F: SvxShape::setPropertyValues(com::sun::star::uno::Sequence<rtl::OUString> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (unoshape.cxx:1815)
==738289==    by 0x2B0D1937: oox::PropertySet::setProperties(com::sun::star::uno::Sequence<rtl::OUString> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (propertyset.cxx:82)
==738289==    by 0x2B0D1C23: oox::PropertySet::setProperties(oox::PropertyMap const&) (propertyset.cxx:105)

Expected Results:
no leak

Reproducible: Always

User Profile Reset: No

Additional Info:
if this work is something that isn't complete yet then maybe it could be only enabled if the experimental setting is set?
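
A small triage helper for Valgrind output like the trace in this report, as an added example that is not part of the original bug report or of LibreOffice's code: it sums directly leaked bytes per allocation site, skipping Valgrind's own allocator frames. The first sample record is copied from the report; the second record and the names `leak_sites`, `to_int` and `example_alloc` are constructed for illustration.

```python
import re
from collections import defaultdict

# Leak record header: "<N> (<D> direct, <I> indirect) bytes in <B> blocks are <kind> lost ..."
HEADER = re.compile(
    r"^==\d+==\s+([\d,]+) (?:\(([\d,]+) direct, [\d,]+ indirect\) )?"
    r"bytes in ([\d,]+) blocks? (?:is|are) (definitely|indirectly|possibly) lost")
# Stack frame: "at|by 0xADDR: symbol (file:line)"
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?)(?: \(([^()]+)\))?$")

def to_int(text):
    return int(text.replace(",", ""))  # Valgrind prints thousands separators

def leak_sites(log, kinds=("definitely",)):
    """Map (symbol, location) of each allocation site to [direct bytes, blocks]."""
    totals = defaultdict(lambda: [0, 0])
    pending = None  # record header seen, allocation site not yet found
    for line in log.splitlines():
        header = HEADER.match(line)
        if header:
            total, direct, blocks, kind = header.groups()
            pending = (to_int(direct or total), to_int(blocks)) if kind in kinds else None
            continue
        frame = FRAME.match(line)
        if not (frame and pending):
            continue
        symbol, location = frame.group(1), frame.group(2) or "?"
        if location.startswith("vg_replace_malloc.c"):
            continue  # Valgrind's operator new/malloc interposer, not the caller
        totals[(symbol, location)][0] += pending[0]
        totals[(symbol, location)][1] += pending[1]
        pending = None
    return dict(totals)

# First record: copied from the report above. Second record: constructed for this example.
SAMPLE = """\
==738289== 88 (64 direct, 24 indirect) bytes in 1 blocks are definitely lost in loss record 1,623 of 2,437
==738289==    at 0x4840FF5: operator new(unsigned long) (vg_replace_malloc.c:417)
==738289==    by 0x1CFCAC74: SwTextBoxHelper::create(SwFrameFormat*, SdrObject*, bool) (textboxhelper.cxx:119)
==738289==    by 0x1D868D58: SwXShape::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) (unodraw.cxx:1169)
==738289==
==738289== 32 bytes in 2 blocks are possibly lost in loss record 10 of 2,437
==738289==    at 0x4840FF5: operator new(unsigned long) (vg_replace_malloc.c:417)
==738289==    by 0x401234: example_alloc() (example.cxx:1)
"""

if __name__ == "__main__":
    for (symbol, location), (nbytes, blocks) in leak_sites(SAMPLE).items():
        print(f"{nbytes} bytes in {blocks} block(s): {symbol} at {location}")
```

Grouping by the first non-allocator frame keeps many fuzzer-generated documents that hit the same `new` call collapsed into one line per site.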
Comment 1 Caolán McNamara 2021-09-02 13:39:45 UTC
Created attachment 174733
case 1
Comment 2 Caolán McNamara 2021-09-02 13:40:03 UTC
Created attachment 174734
case 2
Comment 3 Caolán McNamara 2021-09-02 13:40:21 UTC
Created attachment 174735
case 3
Comment 4 Caolán McNamara 2021-09-02 13:40:36 UTC
Created attachment 174736
case 4
Comment 5 Caolán McNamara 2021-09-02 13:42:53 UTC
The ownership seems complicated to me and I can't quite see who should have responsibility of the SwTextBoxNode* to try a fix myself.
Comment 6 Commit Notification 2021-09-16 10:57:17 UTC
Attila Bakos (NISZ) committed a patch related to this issue.
It has been pushed to "master":


tdf#143574 tdf#144271 sw: textboxes in group shapes - part 2

It will be available in 7.3.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:

Affected users are encouraged to test the fix and report feedback.
Comment 7 László Németh 2021-11-24 10:54:46 UTC
Created attachment 176463
memory check after the fix
Comment 8 László Németh 2021-11-24 10:58:42 UTC
With the fix, I haven't found those leaks running all the test cases, see the attached output for the first one. The clean-up part 3 was merged now:


Which works with nested grouping, too.

@Caolán: many thanks for the report and the details!
Comment 9 Caolán McNamara 2021-11-24 12:14:46 UTC
yeah, we can close this