Bug 40686 - Opening the attached file crashes LibreOffice - FILEOPEN
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 3.4.3 release (earliest affected)
Hardware: All All
Importance: medium normal
Assignee: Caolán McNamara
Whiteboard: target:3.6.0 target:3.5.2
Reported: 2011-09-07 05:17 UTC by camillem
Modified: 2012-03-08 05:50 UTC

Doc file that crashes Libo (12.00 KB, application/msword)
2011-09-07 05:17 UTC, camillem
Generated with Polaris Office, crashes LO 3.4.3 (12.00 KB, application/msword)
2011-09-18 04:53 UTC, Giovanni Panozzo
backtrace of crash in 3.6.0 master 1 feb 2012 (15.36 KB, text/x-log)
2012-02-02 05:55 UTC, sasha.libreoffice

Description camillem 2011-09-07 05:17:21 UTC
Created attachment 50958
Doc file that crashes Libo

Steps to reproduce:
1) Open attached file.

Additional info: the crash happens on Windows XP and Linux (Ubuntu 64bits)
It also happens with OOo 3.2.1

This .doc file has been created with Polaris Office.
It opens correctly with Microsoft Word 2003.
Comment 1 Giovanni Panozzo 2011-09-18 04:52:32 UTC
This happens to me also: I tried to create two new .doc files with Polaris Office on my Asus EEE Pad Transformer. Both files crash LibreOffice 3.4.3 on Windows 7 x64 and Windows 2008 x64.
Both files open correctly on Word 2003.
I add "Test01.doc" to attachment as a second crash test file.
Comment 2 Giovanni Panozzo 2011-09-18 04:53:52 UTC
Created attachment 51310
Generated with Polaris Office, crashes LO 3.4.3
Comment 3 D. Hugh Redelmeier 2011-10-02 21:10:03 UTC
This happens for my (only) Polaris file when using LibreOffice on Fedora 15 x86-64.

When I try again, I get a recovery attempt that also crashes.
Comment 4 D. Hugh Redelmeier 2011-10-02 21:36:54 UTC
I loaded the debugging symbols and attached GDB.  Here's the crash info.  Looks to be a division by 0.

Program received signal SIGFPE, Arithmetic exception.
SwWW8ImplReader::SetDocumentGrid (this=<optimized out>, rFmt=..., rSection=...) at /usr/src/debug/libreoffice-
313         aGrid.SetLines(writer_cast<sal_uInt16>(nTextareaHeight/nLinePitch));
(gdb) p nLinePitch
$1 = 0

(gdb) where
#0  SwWW8ImplReader::SetDocumentGrid (this=<optimized out>, rFmt=..., rSection=...) at /usr/src/debug/libreoffice-
#1  0x00007f42bf8d8b01 in wwSectionManager::SetSegmentToPageDesc (this=0x7f42dc1aeb10, rSection=..., bTitlePage=<optimized out>, bIgnoreCols=false)
    at /usr/src/debug/libreoffice-
#2  0x00007f42bf8e25e7 in wwSectionManager::SetSwFmtPageDesc (this=0x7f42dc1aeb10, rIter=..., rStart=..., bIgnoreCols=false)
    at /usr/src/debug/libreoffice-
#3  0x00007f42bf8e2af3 in wwSectionManager::InsertSegments (this=0x7f42dc1aeb10) at /usr/src/debug/libreoffice-
#4  0x00007f42bf8e462e in SwWW8ImplReader::CoreLoad (this=0x7f42dc1aea08, pGloss=0x0, rPos=<optimized out>)
    at /usr/src/debug/libreoffice-
#5  0x00007f42bf8e5e70 in SwWW8ImplReader::LoadThroughDecryption (this=0x7f42dc1aea08, rPaM=..., pGloss=0x0)
    at /usr/src/debug/libreoffice-
#6  0x00007f42bf8e68fe in SwWW8ImplReader::LoadDoc (this=0x7f42dc1aea08, rPaM=..., pGloss=0x0) at /usr/src/debug/libreoffice-
#7  0x00007f42bf8e6a42 in WW8Reader::Read (this=<optimized out>, rDoc=..., rBaseURL=..., rPam=...) at /usr/src/debug/libreoffice-
#8  0x0000003103f1f6c7 in SwReader::Read (this=0x7f42cc674c08, rOptions=...) at /usr/src/debug/libreoffice-
#9  0x0000003103fef40d in SwDocShell::ConvertFrom (this=0x7f42cc6826c8, rMedium=<optimized out>) at /usr/src/debug/libreoffice-
#10 0x00000030fd3d1edc in SfxObjectShell::DoLoad (this=0x7f42cc6826c8, pMed=<optimized out>) at /usr/src/debug/libreoffice-
#11 0x00000030fd41e219 in SfxBaseModel::load (this=0x7f42cd500d38, seqArguments=<optimized out>) at /usr/src/debug/libreoffice-
#12 0x00000030fd484c03 in SfxFrameLoader_Impl::load (this=0x7f42cc692840, rArgs=<optimized out>, _rTargetFrame=...)
    at /usr/src/debug/libreoffice-
#13 0x00007f42dd578182 in framework::LoadEnv::impl_loadContent (this=0x7f42dc80f0e8) at /usr/src/debug/libreoffice-
#14 0x00007f42dd579848 in framework::LoadEnv::startLoading (this=0x7f42dc80f0e8) at /usr/src/debug/libreoffice-
#15 0x00007f42dd56fa9a in framework::LoadDispatcher::impl_dispatch (this=0x7f42dc80f050, rURL=..., lArguments=..., xListener=...)
    at /usr/src/debug/libreoffice-
#16 0x00007f42dd570018 in framework::LoadDispatcher::dispatchWithReturnValue (this=<optimized out>, rURL=<optimized out>, lArguments=<optimized out>)
    at /usr/src/debug/libreoffice-
#17 0x00000030f90e0d2e in comphelper::SynchronousDispatch::dispatch (xStartPoint=<optimized out>, sURL=<optimized out>, sTarget=..., nFlags=<optimized out>, lArguments=...)
    at /usr/src/debug/libreoffice-
#18 0x00000030ff43b267 in desktop::DispatchWatcher::executeDispatchRequests (this=0x7f42cfd79468, aDispatchRequestsList=std::vector of length 1, capacity 1 = {...}, bNoTerminate=
    false) at /usr/src/debug/libreoffice-
#19 0x00000030ff4495e4 in desktop::OfficeIPCThread::ExecuteCmdLineRequests (aRequest=...) at /usr/src/debug/libreoffice-
#20 0x00000030ff4293fe in desktop::Desktop::OpenClients () at /usr/src/debug/libreoffice-
#21 0x00000030ff42a73c in desktop::Desktop::OpenClients_Impl (this=0x7fff6abe5e00) at /usr/src/debug/libreoffice-
#22 0x00000030fa703368 in Call (pCaller=<optimized out>, this=<optimized out>) at /usr/src/debug/libreoffice-
#23 ImplHandleUserEvent (pSVEvent=0x7f42cfd8b470) at /usr/src/debug/libreoffice-
#24 ImplWindowFrameProc (pWindow=<optimized out>, nEvent=<optimized out>, pEvent=0x7f42cfd8b470) at /usr/src/debug/libreoffice-
#25 0x00000031030ac4ca in CallCallback (pEvent=0x7f42cfd8b470, nEvent=22, this=0x7f42df0a5a60) at ../../../inc/vcl/salframe.hxx:294
#26 SalDisplay::DispatchInternalEvent (this=0x7f42e1d2c008) at /usr/src/debug/libreoffice-
#27 0x0000003102c1c340 in GtkXLib::userEventFn (data=0x7f42e1d2b008) at /usr/src/debug/libreoffice-
#28 0x0000003f102427ed in g_main_dispatch (context=0x115bc20) at gmain.c:2441
#29 g_main_context_dispatch (context=0x115bc20) at gmain.c:3014
#30 0x0000003f10242fc8 in g_main_context_iterate (context=0x115bc20, block=<optimized out>, dispatch=1, self=<optimized out>) at gmain.c:3092
#31 0x0000003f1024325c in g_main_context_iteration (context=0x115bc20, may_block=0) at gmain.c:3155
#32 0x0000003102c19eb9 in GtkXLib::Yield (this=0x7f42e1d2b008, bWait=true, bHandleAllCurrentEvents=<optimized out>)
    at /usr/src/debug/libreoffice-
#33 0x00000030fa514911 in ImplYield (i_bAllEvents=<optimized out>, i_bWait=true) at /usr/src/debug/libreoffice-
#34 Application::Yield (i_bAllEvents=false) at /usr/src/debug/libreoffice-
#35 0x00000030fa5149c7 in Application::Execute () at /usr/src/debug/libreoffice-
#36 0x00000030ff421bfe in desktop::Desktop::Main (this=0x7fff6abe5e00) at /usr/src/debug/libreoffice-
#37 0x00000030fa51acd9 in ImplSVMain () at /usr/src/debug/libreoffice-
#38 0x00000030fa51add5 in SVMain () at /usr/src/debug/libreoffice-
#39 0x00000030ff44a718 in soffice_main () at /usr/src/debug/libreoffice-
#40 0x0000000000400efb in sal_main () at main.c:36
#41 main (argc=<optimized out>, argv=<optimized out>) at main.c:35

(gdb) p nTextareaHeight
$2 = 13958
(gdb) list
308             nFraction = (nFraction*20)/0xFFF;
309             nCharWidth += nFraction;
310         }
312         aGrid.SetBaseWidth( writer_cast<sal_uInt16>(nCharWidth));
313         aGrid.SetLines(writer_cast<sal_uInt16>(nTextareaHeight/nLinePitch));
314         aGrid.SetBaseHeight(writer_cast<sal_uInt16>(nLinePitch));
316         // ruby height is not supported in ww8
317         //sal_Int32 nRubyHeight = nLinePitch - nCharWidth;
Comment 5 Cori Rozentale 2011-10-11 14:20:22 UTC
I've also reproduced this on my system, running OS X 10.6.8 (Snow Leopard). I'm using the install of Polaris provided by Asus on my EeePad Transformer.

I'm attempting to edit a doc file in Libre or OOo that was previously edited in Polaris (but originally created in OOo). If I try to open the file, Libre crashes and OOo crash-cycles until force-closed.

I was able to open the file properly in Pages (Apple iWork). 

Information about builds:
- Doc file exported from an ODT created in OpenOffice.org 3.3.0 OOO330m20 (Build:9567)
- File edited and saved using Polaris Office 3.0 build 5r8008-FV06
- Crashes when opened using LibreOffice 3.4.3 OOO340m1 (Build:302)
- Crash-cycles when opened using OpenOffice.org 3.3.0 OOO330m20 (Build:9567)
Comment 6 Björn Michaelsen 2011-12-23 12:41:07 UTC
[This is an automated message.]
This bug was filed before the changes to Bugzilla on 2011-10-16. Thus it
started right out as NEW without ever being explicitly confirmed. The bug is
changed to state NEEDINFO for this reason. To move this bug from NEEDINFO back
to NEW please check if the bug still persists with the 3.5.0 beta1 or beta2 prereleases.
Details on how to test the 3.5.0 beta1 can be found at:

more detail on this bulk operation: http://nabble.documentfoundation.org/RFC-Operation-Spamzilla-tp3607474p3607474.html
Comment 7 sasha.libreoffice 2012-02-02 05:55:11 UTC
Created attachment 56516
backtrace of crash in 3.6.0 master 1 feb 2012
Comment 8 sasha.libreoffice 2012-02-02 05:57:26 UTC
reproduced crash in LibO 3.6.0 master and 3.3.4 on Fedora 64 bit
Comment 9 sasha.libreoffice 2012-02-02 05:59:29 UTC
@ Cedric or Michael
Please look at this crash
Comment 10 Not Assigned 2012-03-08 05:02:28 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":


Resolves: fdo#40686 dyaLinePitch only valid between [1-31680]
Comment 11 camillem 2012-03-08 05:05:09 UTC
@Caolán McNamara: thanks!
Comment 12 Not Assigned 2012-03-08 05:50:56 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-3-5":


Resolves: fdo#40686 dyaLinePitch only valid between [1-31680]

It will be available in LibreOffice 3.5.2.
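
The range check named in the commit message, applied to the division shown in Comment 4, as an added example (not the committed LibreOffice patch). `GridLines`, `clampToU16` and `computeGrid` are hypothetical names, and leaving the grid untouched for an out-of-range pitch is an assumed policy.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the two grid values set at lines 313-314 of the listing.
struct GridLines {
    std::uint16_t lines;       // text area height / line pitch
    std::uint16_t baseHeight;  // line pitch
};

// Range quoted in the commit message: dyaLinePitch is only valid in [1, 31680].
constexpr std::int32_t kMinLinePitch = 1;
constexpr std::int32_t kMaxLinePitch = 31680;

// Hypothetical saturating narrow to 16 bits, standing in for the cast in the listing.
std::uint16_t clampToU16(std::int64_t v) {
    if (v < 0) return 0;
    if (v > UINT16_MAX) return UINT16_MAX;
    return static_cast<std::uint16_t>(v);
}

// Validates the file-supplied pitch before it is used as a divisor.
// Returns false and leaves `out` untouched when the pitch is out of range
// (assumed policy: the caller keeps its default grid).
bool computeGrid(std::int32_t textAreaHeight, std::int32_t linePitch, GridLines& out) {
    if (linePitch < kMinLinePitch || linePitch > kMaxLinePitch)
        return false;  // covers 0 (the SIGFPE case from Comment 4) and negatives
    out.lines = clampToU16(textAreaHeight / linePitch);
    out.baseHeight = clampToU16(linePitch);
    return true;
}

int main() {
    // 13958 and 0 are the values printed in the GDB session; the rest are constructed.
    const std::int32_t pitches[] = {0, -5, 1, 360, 31680, 31681};
    for (std::int32_t p : pitches) {
        GridLines g{0, 0};
        if (computeGrid(13958, p, g))
            std::printf("pitch %d: lines=%u baseHeight=%u\n", p, g.lines, g.baseHeight);
        else
            std::printf("pitch %d: rejected, grid left at defaults\n", p);
    }
    return 0;
}
```

The check runs on the untrusted value before the division, so a pitch of 0 from a crafted or malformed .doc is rejected instead of raising SIGFPE during import.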