Description:
Open the attached .ppt file w/ LibreOffice on Windows, the app crashed. See the Windbg output in attached pic.

I then did a quick & manual test on the latest LibreOffice version (25.8.4), and it seems to me this is a null pointer dereference bug rather than an exploitable one. However, I still recommend that folks from the LibreOffice team take a closer look (just to be sure, because mine was a very quick analysis), and fix the crash (it's not ideal for your application to crash when processing a file).

More background: https://x.com/HaifeiLi/status/2009520244562514295

Steps to Reproduce:
Open the attached .ppt file w/ LibreOffice on Windows.

Actual Results:
The app crashed.

Expected Results:
Should not crash.

Reproducible: Always

User Profile Reset: No

Additional Info:
See attached Windbg output.
Created attachment 204990: PoC sample
Created attachment 204991: Windbg output
Confirmed with
Version: 26.8.0.0.alpha0+ (X86_64)
Build ID: c8694e248756d80c2b12b43dc5499a249af47a71
CPU threads: 4; OS: Linux 6.8; UI render: default; VCL: gtk3
Locale: cs-CZ (cs_CZ.UTF-8); UI: en-US
Calc: threaded

I can open the file with 7.3.7
Reproducible

Version: 25.8.4.2 (X86_64)
Build ID: 290daaa01b999472f0c7a3890eb6a550fd74c6df
CPU threads: 4; OS: Windows 10 X86_64 (build 19045); UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US
Calc: CL threaded

Version: 26.8.0.0.alpha0+ (X86_64)
Build ID: 680(Build:0)
CPU threads: 4; OS: Windows 10 X86_64 (build 19045); UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US
Calc: CL threaded

Latest version installed that works for me:
Version: 6.4.7.2 (x64)
Build ID: 639b8ac485750d5696d7590a72ef1b496725cfb5
CPU threads: 4; OS: Windows 10.0 Build 19045; UI render: GL; VCL: win;
Locale: es-ES (es_ES); UI-Language: en-US
Calc: threaded
bibisected with linux-64-7.4

commit 9a9bb1f212bb7eb40dcf34c15a3422e633fc195d
author Noel Grandin
no need to have duplicate m_nStorageType fields

*** adding CC: Noel Grandin
Please, take a look?

I get an error message.
terminate called after throwing an instance of 'com::sun::star::uno::RuntimeException'
Noel Grandin committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/9b90b680e5703f58146c883fb33972a95951b446 tdf#170283 crashed when opening a .ppt file It will be available in 26.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-25-8": https://git.libreoffice.org/core/commit/3a1e9ea688adec439500011541b36888570d6fc5 tdf#170283 crashed when opening a .ppt file It will be available in 25.8.5. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-26-2": https://git.libreoffice.org/core/commit/3481ade183e8d6ef0b234512b92ad5c24c490698 tdf#170283 crashed when opening a .ppt file It will be available in 26.2.0.2. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.