Crash reported by an "migration admin" from French governmental administration on MS-Windows with LibO 3.4.x From my side, reproduced on Ubuntu 10.04 x86_64 with LibO 3.4.x and master. Steps to reproduce: 1/ install some new theme to the gallery. I made my tests with this one: http://extensions.services.openoffice.org/fr/project/GalleryDangerSigns 2/ open a new empty text document 3/ open the gallery : menu Tools > Gallery 4/ Click on a theme (e.g. the first "Signalétique ...") to select it 5/ click on a graphic from this theme and move it to the end on the list 6/ repeat 5/ several times until LibO crashes Here is the output of gdb from a try with the master : ---> start of the output jbf@tux-laptop:~/LibO/code/install/program$ gdb --arg ./soffice.bin -env:UserInstallation=${MY_CONF} GNU gdb (GDB) 7.1-ubuntu Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/jbf/LibO/code/solver/350/unxlngx6.pro/installation/opt/program/soffice.bin...done. (gdb) run Starting program: /home/jbf/LibO/code/solver/350/unxlngx6.pro/installation/opt/program/soffice.bin -env:UserInstallation=file:///home/jbf/.libreoffice/35/ [Thread debugging using libthread_db enabled] LibreOffice: Using system memory allocator. LibreOffice: This is for debugging only. To disable, LibreOffice: unset the environment variable G_SLICE. [New Thread 0x7fffedd2c700 (LWP 24182)] [New Thread 0x7fffe4d2f700 (LWP 24183)] [New Thread 0x7fffe452e700 (LWP 24184)] [Thread 0x7fffe4d2f700 (LWP 24183) exited] [New Thread 0x7fffe4d2f700 (LWP 24185)] [Thread 0x7fffe4d2f700 (LWP 24185) exited] [New Thread 0x7fffe4d2f700 (LWP 24187)] [New Thread 0x7fffdf86d700 (LWP 24188)] [New Thread 0x7fffd9ddd700 (LWP 24192)] [Thread 0x7fffd9ddd700 (LWP 24192) exited] [New Thread 0x7fffd9ddd700 (LWP 24193)] [Thread 0x7fffd9ddd700 (LWP 24193) exited] [New Thread 0x7fffd9ddd700 (LWP 24194)] [Thread 0x7fffd9ddd700 (LWP 24194) exited] [New Thread 0x7fffd9ddd700 (LWP 24195)] [New Thread 0x7fffd891a700 (LWP 24196)] [Thread 0x7fffd891a700 (LWP 24196) exited] [New Thread 0x7fffd891a700 (LWP 24197)] [Thread 0x7fffd891a700 (LWP 24197) exited] [Thread 0x7fffd9ddd700 (LWP 24195) exited] [New Thread 0x7fffd9ddd700 (LWP 24198)] [Thread 0x7fffd9ddd700 (LWP 24198) exited] [New Thread 0x7fffd9ddd700 (LWP 24199)] [Thread 0x7fffd9ddd700 (LWP 24199) exited] [New Thread 0x7fffd9ddd700 (LWP 24200)] [Thread 0x7fffd9ddd700 (LWP 24200) exited] [New Thread 0x7fffd9ddd700 (LWP 24201)] [Thread 0x7fffd9ddd700 (LWP 24201) exited] Program received signal SIGSEGV, Segmentation fault. GalleryTheme::ImplReadSgaObject (this=<value optimized out>, pEntry=0x411) at /home/jbf/LibO/code/svx/source/gallery2/galtheme.cxx:181 181 pIStm->Seek( pEntry->nOffset ); (gdb) continue Continuing. [Thread 0x7fffdf86d700 (LWP 24188) exited] [Thread 0x7fffe4d2f700 (LWP 24187) exited] [Thread 0x7fffe452e700 (LWP 24184) exited] [Thread 0x7fffedd2c700 (LWP 24182) exited] Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists. <--- end of the output I can put the output of valgrind if needed. Best regards. JBF
Confirmed on LibreOffice 3.4 340m1(Build:103) for OpenSuse Linux. Followed the steps exactly and LO crashed.
Complete gdb output : jbf@tux-laptop:~/LibO/code/solver/350/unxlngx6.pro/installation/opt/program$ export MY_CONF=file:///home/jbf/.libreoffice/35/jbf@tux-laptop:~/LibO/code/solver/350/unxlngx6.pro/installation/opt/program$ gdb --arg ./soffice.bin -env:UserInstallation=${MY_CONF} GNU gdb (GDB) 7.1-ubuntu Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/jbf/LibO/code/solver/350/unxlngx6.pro/installation/opt/program/soffice.bin...done. (gdb) run Starting program: /home/jbf/LibO/code/solver/350/unxlngx6.pro/installation/opt/program/soffice.bin -env:UserInstallation=file:///home/jbf/.libreoffice/35/ [Thread debugging using libthread_db enabled] [New Thread 0x7fffedd2c700 (LWP 3852)] [New Thread 0x7fffe40d4700 (LWP 3853)] [New Thread 0x7fffe38d3700 (LWP 3854)] [Thread 0x7fffe40d4700 (LWP 3853) exited] [New Thread 0x7fffe40d4700 (LWP 3855)] [Thread 0x7fffe40d4700 (LWP 3855) exited] [New Thread 0x7fffe40d4700 (LWP 3857)] [New Thread 0x7fffdb485700 (LWP 3862)] [Thread 0x7fffdb485700 (LWP 3862) exited] [New Thread 0x7fffdb485700 (LWP 3863)] [New Thread 0x7fffdaa48700 (LWP 3864)] [Thread 0x7fffdb485700 (LWP 3863) exited] [New Thread 0x7fffdb485700 (LWP 3865)] [Thread 0x7fffdb485700 (LWP 3865) exited] [New Thread 0x7fffdb485700 (LWP 3866)] [New Thread 0x7fffd6670700 (LWP 3867)] [Thread 0x7fffd6670700 (LWP 3867) exited] [Thread 0x7fffdb485700 (LWP 3866) exited] [New Thread 0x7fffdb485700 (LWP 3868)] [Thread 0x7fffdb485700 (LWP 3868) exited] [New Thread 0x7fffdb485700 (LWP 3869)] [Thread 0x7fffdb485700 (LWP 3869) exited] [New Thread 0x7fffdb485700 (LWP 3870)] [Thread 0x7fffdb485700 (LWP 3870) exited] [New Thread 0x7fffdb485700 (LWP 3872)] [Thread 0x7fffdb485700 (LWP 3872) exited] Program received signal SIGSEGV, Segmentation fault. GalleryTheme::ImplReadSgaObject (this=<value optimized out>, pEntry=0x408) at /home/jbf/LibO/code/svx/source/gallery2/galtheme.cxx:181 181 pIStm->Seek( pEntry->nOffset ); (gdb) thread apply all backtrace Thread 9 (Thread 0x7fffdaa48700 (LWP 3864)): #0 0x00007ffff6966f93 in *__GI___poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87 #1 0x00007fffe7fa8cba in ICEConnectionWorker () at /home/jbf/LibO/code/vcl/unx/generic/app/sm.cxx:681 #2 0x00007ffff7b8e1cc in osl_thread_start_Impl (pData=<value optimized out>) at thread.c:277 #3 0x00007ffff64729ca in start_thread (arg=<value optimized out>) at pthread_create.c:300 #4 0x00007ffff697370d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #5 0x0000000000000000 in ?? () Thread 6 (Thread 0x7fffe40d4700 (LWP 3857)): #0 0x00007ffff6966f93 in *__GI___poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=1000) at ../sysdeps/unix/sysv/linux/poll.c:87 #1 0x00007fffe7fc822d in x11::SelectionManager::dispatchEvent (this=0x7ffff7f07408, millisec=1000) at /home/jbf/LibO/code/vcl/unx/generic/dtrans/X11_selection.cxx:3739 #2 0x00007fffe7fc843e in x11::SelectionManager::run (pThis=<value optimized out>) at /home/jbf/LibO/code/vcl/unx/generic/dtrans/X11_selection.cxx:3777 #3 0x00007ffff7b8e1cc in osl_thread_start_Impl (pData=<value optimized out>) at thread.c:277 #4 0x00007ffff64729ca in start_thread (arg=<value optimized out>) at pthread_create.c:300 #5 0x00007ffff697370d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #6 0x0000000000000000 in ?? () Thread 4 (Thread 0x7fffe38d3700 (LWP 3854)): ---Type <return> to continue, or q <return> to quit--- #0 0x00007ffff69742cd in accept () at ../sysdeps/unix/syscall-template.S:82 #1 0x00007ffff7b93e82 in osl_acceptPipe (pPipe=0x6d40f0) at pipe.c:430 #2 0x00007ffff794c7fc in osl::Pipe::accept (this=0x7fffe4402200) at /home/jbf/LibO/code/solver/350/unxlngx6.pro/inc/osl/pipe.hxx:141 #3 desktop::OfficeIPCThread::run (this=0x7fffe4402200) at /home/jbf/LibO/code/clone/libs-core/desktop/source/app/officeipcthread.cxx:654 #4 0x00007ffff794e27a in threadFunc (param=0xa) at /home/jbf/LibO/code/solver/350/unxlngx6.pro/inc/osl/thread.hxx:188 #5 0x00007ffff7b8e1cc in osl_thread_start_Impl (pData=<value optimized out>) at thread.c:277 #6 0x00007ffff64729ca in start_thread (arg=<value optimized out>) at pthread_create.c:300 #7 0x00007ffff697370d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #8 0x0000000000000000 in ?? () Thread 2 (Thread 0x7fffedd2c700 (LWP 3852)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:211 #1 0x00007ffff7bb5686 in rtl_cache_wsupdate_wait (arg=<value optimized out>) at alloc_cache.c:1408 #2 rtl_cache_wsupdate_all (arg=<value optimized out>) at alloc_cache.c:1552 #3 0x00007ffff64729ca in start_thread (arg=<value optimized out>) at pthread_create.c:300 #4 0x00007ffff697370d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #5 0x0000000000000000 in ?? () Thread 1 (Thread 0x7ffff7fb9720 (LWP 3849)): #0 GalleryTheme::ImplReadSgaObject (this=<value optimized out>, pEntry=0x408) at /home/jbf/LibO/code/svx/source/gallery2/galtheme.cxx:181 ---Type <return> to continue, or q <return> to quit--- #1 0x00007fffdd92edea in GalleryIconView::UserDraw (this=0x7fffd70c6618, rUDEvt=...) at /home/jbf/LibO/code/svx/source/gallery2/galctrl.cxx:354 #2 0x00007ffff49f7b05 in ValueSet::ImplFormatItem (this=0x7fffd70c6618, pItem=0x7fffd72e13d8) at /home/jbf/LibO/code/svtools/source/control/valueset.cxx:305 #3 0x00007ffff49f8fea in ValueSet::Format (this=0x7fffd70c6618) at /home/jbf/LibO/code/svtools/source/control/valueset.cxx:619 #4 0x00007ffff49f98dd in ValueSet::ImplDraw (this=0x7fffd72ebe40) at /home/jbf/LibO/code/svtools/source/control/valueset.cxx:1035 #5 0x00007ffff49f9a77 in ValueSet::ImplScrollHdl (this=0x7fffd72ebe40, pScrollBar=0x0) at /home/jbf/LibO/code/svtools/source/control/valueset.cxx:1257 #6 0x00007ffff334894e in Link::Call (this=0x7fffd668f390, nEvent=1111, rHandler=..., pCaller=0x7fffd668f390) at /home/jbf/LibO/code/solver/350/unxlngx6.pro/inc/tools/link.hxx:140 #7 Control::ImplCallEventListenersAndHandler (this=0x7fffd668f390, nEvent=1111, rHandler=..., pCaller=0x7fffd668f390) at /home/jbf/LibO/code/vcl/source/control/ctrl.cxx:385 #8 0x00007ffff337ee73 in ScrollBar::ImplScroll (this=0x7fffd668f390, nNewPos=<value optimized out>, bCallEndScroll=1 '\001') at /home/jbf/LibO/code/vcl/source/control/scrbar.cxx:811 #9 0x00007ffff337eecc in ScrollBar::DoScroll (this=0x7fffd668f390, nNewPos=0) at /home/jbf/LibO/code/vcl/source/control/scrbar.cxx:1425 #10 0x00007ffff35ac1bf in Window::HandleScrollCommand (this=0x7fffd70c6618, rCmd=<value optimized out>, pHScrl=0x7fffd668f390, pVScrl=<value optimized out>) at /home/jbf/LibO/code/vcl/source/window/window2.cxx:1222 #11 0x00007ffff49f61bc in ValueSet::Command (this=0x7fffd70c6618, rCEvt=...) at /home/jbf/LibO/code/svtools/source/control/valueset.cxx:1624 #12 0x00007fffdd92ecce in GalleryIconView::Command (this=0x7fffd72ebe40, rCEvt=...) at /home/jbf/LibO/code/svx/source/gallery2/galctrl.cxx:426 ---Type <return> to continue, or q <return> to quit--- #13 0x00007ffff35cdb6d in ImplCallWheelCommand (pWindow=0x7fffd70c6618, rPos=<value optimized out>, pWheelData=<value optimized out>) at /home/jbf/LibO/code/vcl/source/window/winproc.cxx:1448 #14 0x00007ffff35cde88 in ImplHandleWheelEvent (pWindow=0x7fffdf6aea70, rEvt=<value optimized out>) at /home/jbf/LibO/code/vcl/source/window/winproc.cxx:1522 #15 0x00007ffff35d0a58 in ImplWindowFrameProc (pWindow=0x7fffd72ebe40, nEvent=<value optimized out>, pEvent=0x7fffffffd430) at /home/jbf/LibO/code/vcl/source/window/winproc.cxx:2484 #16 0x00007fffea62d705 in SalFrame::CallCallback (pEvent=0x7be810, frame=0x7fffdf5fb088) at /home/jbf/LibO/code/vcl/inc/salframe.hxx:294 #17 GtkSalFrame::signalScroll (pEvent=0x7be810, frame=0x7fffdf5fb088) at /home/jbf/LibO/code/vcl/unx/gtk/window/gtkframe.cxx:2805 #18 0x00007fffea0eb178 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #19 0x00007fffe8b3f5de in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 #20 0x00007fffe8b53598 in ?? () from /usr/lib/libgobject-2.0.so.0 #21 0x00007fffe8b548b9 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 #22 0x00007fffe8b55033 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 #23 0x00007fffea2020bf in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #24 0x00007fffea0e3643 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0 #25 0x00007fffea0e471b in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0 #26 0x00007fffe9d5886c in ?? () from /usr/lib/libgdk-x11-2.0.so.0 #27 0x00007fffe82818c2 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #28 0x00007fffe8285748 in ?? () from /lib/libglib-2.0.so.0 #29 0x00007fffe82858fc in g_main_context_iteration () from /lib/libglib-2.0.so.0 #30 0x00007fffea61695d in GtkXLib::Yield (this=0x7ffff7f408c8, bWait=true, bHandleAllCurrentEvents=<value optimized out>) ---Type <return> to continue, or q <return> to quit--- at /home/jbf/LibO/code/vcl/unx/gtk/app/gtkdata.cxx:935 #31 0x00007ffff3326141 in ImplYield (i_bAllEvents=24) at /home/jbf/LibO/code/vcl/source/app/svapp.cxx:453 #32 Application::Yield (i_bAllEvents=24) at /home/jbf/LibO/code/vcl/source/app/svapp.cxx:487 #33 0x00007ffff3326217 in Application::Execute () at /home/jbf/LibO/code/vcl/source/app/svapp.cxx:430 #34 0x00007ffff792962b in desktop::Desktop::Main (this=0x7fffffffe110) at /home/jbf/LibO/code/clone/libs-core/desktop/source/app/app.cxx:1912 #35 0x00007ffff332aea9 in ImplSVMain () at /home/jbf/LibO/code/vcl/source/app/svmain.cxx:181 #36 0x00007ffff332af35 in SVMain () at /home/jbf/LibO/code/vcl/source/app/svmain.cxx:218 #37 0x00007ffff794ea95 in soffice_main () at /home/jbf/LibO/code/clone/libs-core/desktop/source/app/sofficemain.cxx:68 #38 0x0000000000400eeb in sal_main (argc=<value optimized out>, argv=<value optimized out>) at main.c:36 #39 main (argc=<value optimized out>, argv=<value optimized out>) at main.c:35 (gdb) continue Continuing. [Thread 0x7fffdaa48700 (LWP 3864) exited] [Thread 0x7fffe40d4700 (LWP 3857) exited] [Thread 0x7fffe38d3700 (LWP 3854) exited] [Thread 0x7fffedd2c700 (LWP 3852) exited] Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists. Best regards. JBF
valgrind output: jbf@tux-laptop:~/LibO/code/solver/350/unxlngx6.pro/installation/opt/program$ valgrind ./soffice.bin -env:UserInstallation=${MY_CONF} ==3953== Memcheck, a memory error detector ==3953== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al. ==3953== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info ==3953== Command: ./soffice.bin -env:UserInstallation=file:///home/jbf/.libreoffice/35/ ==3953== ==3953== Invalid write of size 8 ==3953== at 0xADBECD7: StgCache::Create(int) (stgcache.cxx:160) ==3953== by 0xADBEEA2: StgCache::Get(int, unsigned char) (stgcache.cxx:263) ==3953== by 0xADC65DF: StgDataStrm::GetPtr(int, unsigned char, unsigned char) (stgstrms.cxx:800) ==3953== by 0xADC1B29: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:813) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== Address 0x8 is not stack'd, malloc'd or (recently) free'd ==3953== ==3953== ==3953== Process terminating with default action of signal 11 (SIGSEGV) ==3953== Access not within mapped region at address 0x8 ==3953== at 0xADBECD7: StgCache::Create(int) (stgcache.cxx:160) ==3953== by 0xADBEEA2: StgCache::Get(int, unsigned char) (stgcache.cxx:263) ==3953== by 0xADC65DF: StgDataStrm::GetPtr(int, unsigned char, unsigned char) (stgstrms.cxx:800) ==3953== by 0xADC1B29: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:813) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== by 0xADC1CAC: StgDirStrm::SetupEntry(int, StgDirEntry*) (stgdir.cxx:864) ==3953== If you believe this happened as a result of a stack ==3953== overflow in your program's main thread (unlikely but ==3953== possible), you can try to increase the size of the ==3953== main thread stack using the --main-stacksize= flag. ==3953== The main thread stack size used in this run was 8388608. ==3953== Thread 4: ==3953== Invalid free() / delete / delete[] ==3953== at 0x4C270BD: free (vg_replace_malloc.c:366) ==3953== by 0x612C6CA: ??? (in /lib/libc-2.11.1.so) ==3953== by 0x612C261: ??? (in /lib/libc-2.11.1.so) ==3953== by 0x4A226AB: _vgnU_freeres (vg_preloaded.c:62) ==3953== Address 0x4058b90 is not stack'd, malloc'd or (recently) free'd ==3953== ==3953== ==3953== HEAP SUMMARY: ==3953== in use at exit: 3,822,019 bytes in 20,471 blocks ==3953== total heap usage: 193,869 allocs, 173,401 frees, 43,094,141 bytes allocated ==3953== ==3953== LEAK SUMMARY: ==3953== definitely lost: 210,404 bytes in 803 blocks ==3953== indirectly lost: 18,048 bytes in 562 blocks ==3953== possibly lost: 1,937,857 bytes in 4,677 blocks ==3953== still reachable: 1,655,710 bytes in 14,429 blocks ==3953== suppressed: 0 bytes in 0 blocks ==3953== Rerun with --leak-check=full to see details of leaked memory ==3953== ==3953== For counts of detected and suppressed errors, rerun with: -v ==3953== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 28 from 12) Processus arrêté Best regards. JBF
[Reproducible] with "LibreOffice 3.4.1 - WIN7 Home Premium (64bit) German UI [OOO340m1 (Build:103)]". Still a problem with Master "LibO-dev 3.4.5 – WIN7 Home Premium (64bit) English UI [(Build ID:d337f79-a24c961-2865670-9752b71-7f8fd43 2fdd60d-fd28b6a-fd7bf20-aa369cb-28da3fb 6a9633a-931d089-ecd263f-c9b55e9-b31b807 82ff335-599f7e9-bc6a545-1926fdf)]" I did not see that problem during my tests in Master with default gallery backgrounds. Limited to own additions?
If we drag to the end, then at best it either doesn't go to the end, or something really horrible happens, LIST_APPEND vs vector::end position fixed with http://cgit.freedesktop.org/libreoffice/libs-core/commit/?id=fffa0708ea6e58e299012b40ce0901d4399a83b0 should be easier reproduced by selecting the second last entry in a gallery window, and attempt to drag it to the spot after the last entry, i.e. drag entry from position x - 1 to x + 1 where x is last entry
merged to libreoffice-3-4 - will be in 3.4.3
Since all new unconfirmed bugs start in state UNCONFIRMED now and old unconfirmed bugs were moved to NEEDINFO with a explanatory comment, all bugs promoted above those bug states to NEW and later are automatically confirmed making the CONFIRMED whiteboard status redundant. Thus it will be removed.