Bug 147609 - Advanced Diagram leak
Summary: Advanced Diagram leak
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage
Version (earliest affected): 7.4.0.0 alpha0+
Hardware: All All
Importance: medium normal
Assignee: Caolán McNamara
Whiteboard: target:7.4.0
Reported: 2022-02-23 09:55 UTC by Caolán McNamara
Modified: 2022-02-24 09:17 UTC



Attachments
reproducer (9.54 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2022-02-23 09:55 UTC, Caolán McNamara
Description Caolán McNamara 2022-02-23 09:55:17 UTC
Description:
oss-fuzz detected a leak after: "Advanced Diagram support: first additions/reorganizations" was merged

Steps to Reproduce:
1. LD_LIBRARY_PATH=`pwd`/instdir/program valgrind --leak-check=full instdir/program/fftester ~/Downloads/clusterfuzz-testcase-minimized-docxfuzzer-5609226540548096 docx

Actual Results:
==1504038== 163,004 (64 direct, 162,940 indirect) bytes in 1 blocks are definitely lost in loss record 2,580 of 2,581
==1504038==    at 0x4844FF5: operator new(unsigned long) (vg_replace_malloc.c:422)
==1504038==    by 0x2B3913EF: __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<int const, com::sun::star::uno::Any> > >::allocate(unsigned long, void const*) (new_allocator.h:127)
==1504038==    by 0x2B391380: std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<int const, com::sun::star::uno::Any> > > >::allocate(std::allocator<std::_Rb_tree_node<std::pair<int const, com::sun::star::uno::Any> > >&, unsigned long) (alloc_traits.h:464)
==1504038==    by 0x2B391271: std::_Rb_tree<int, std::pair<int const, com::sun::star::uno::Any>, std::_Select1st<std::pair<int const, com::sun::star::uno::Any> >, std::less<int>, std::allocator<std::pair<int const, com::sun::star::uno::Any> > >::_M_get_node() (stl_tree.h:561)
==1504038==    by 0x2B390D14: std::_Rb_tree_node<std::pair<int const, com::sun::star::uno::Any> >* std::_Rb_tree<int, std::pair<int const, com::sun::star::uno::Any>, std::_Select1st<std::pair<int const, com::sun::star::uno::Any> >, std::less<int>, std::allocator<std::pair<int const, com::sun::star::uno::Any> > >::_M_create_node<std::piecewise_construct_t const&, std::tuple<int const&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<int const&>&&, std::tuple<>&&) (stl_tree.h:611)
==1504038==    by 0x2B390900: std::_Rb_tree_iterator<std::pair<int const, com::sun::star::uno::Any> > std::_Rb_tree<int, std::pair<int const, com::sun::star::uno::Any>, std::_Select1st<std::pair<int const, com::sun::star::uno::Any> >, std::less<int>, std::allocator<std::pair<int const, com::sun::star::uno::Any> > >::_M_emplace_hint_unique<std::piecewise_construct_t const&, std::tuple<int const&>, std::tuple<> >(std::_Rb_tree_const_iterator<std::pair<int const, com::sun::star::uno::Any> >, std::piecewise_construct_t const&, std::tuple<int const&>&&, std::tuple<>&&) (stl_tree.h:2429)
==1504038==    by 0x2B3900B1: std::__cxx1998::map<int, com::sun::star::uno::Any, std::less<int>, std::allocator<std::pair<int const, com::sun::star::uno::Any> > >::operator[](int const&) (stl_map.h:501)
==1504038==    by 0x2B5DD51C: bool oox::PropertyMap::setProperty<float>(int, float&&) (propertymap.hxx:74)
==1504038==    by 0x2B5C49AE: oox::drawingml::Shape::setDefaults(bool) (shape.cxx:256)
==1504038==    by 0x2B5C473C: oox::drawingml::Shape::Shape(char const*, bool) (shape.cxx:149)
==1504038==    by 0x2B3674D1: void __gnu_cxx::new_allocator<oox::drawingml::Shape>::construct<oox::drawingml::Shape>(oox::drawingml::Shape*) (new_allocator.h:162)
==1504038==    by 0x2B36729C: void std::allocator_traits<std::allocator<oox::drawingml::Shape> >::construct<oox::drawingml::Shape>(std::allocator<oox::drawingml::Shape>&, oox::drawingml::Shape*) (alloc_traits.h:516)


Expected Results:
no leak


Reproducible: Always


User Profile Reset: Yes



Additional Info:
Version: 7.4.0.0.alpha0+ / LibreOffice Community
Build ID: dfff55fa2b81d42033461536b8705cb9e6cb673e
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-GB (en_GB.UTF-8); UI: en-US
Calc: threaded
Comment 1 Caolán McNamara 2022-02-23 09:55:44 UTC
Created attachment 178472
reproducer
Comment 2 Caolán McNamara 2022-02-23 10:00:01 UTC
https://gerrit.libreoffice.org/c/core/+/130413 does seem to work to solve this FWIW
Comment 3 Commit Notification 2022-02-24 09:13:19 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/76e11015a877da0eee21bb97b84a0f17bce41760

tdf#147609 and ofz#44965 Indirect-leak

It will be available in 7.4.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.