Bug 48640 - LibreOffice 3.5.2.2 - crash or memory corruption with a specific .rtf file
Status: CLOSED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 3.5.2 release
Hardware: x86 (IA32) All
Importance: medium normal
Assignee: Miklos Vajna
Whiteboard: target:3.6.0 target:3.5.3
 
Reported: 2012-04-13 03:44 UTC by Carlo Di Dato
Modified: 2012-04-14 10:10 UTC

Attachments
Crash PoC (91.53 KB, application/rtf), 2012-04-13 03:44 UTC, Carlo Di Dato
DoS PoC (3.21 KB, application/rtf), 2012-04-13 03:44 UTC, Carlo Di Dato

Description Carlo Di Dato 2012-04-13 03:44:06 UTC
Created attachment 59900
Crash PoC

Both on Windows and Linux it is possible to cause a DoS and/or a memory corruption using crafted doc files (see attachments).
On Fedora Core 16 the program crashes as follows:

terminate called after throwing an instance of 'std::bad_alloc'
  what(): std::bad_alloc

Program received signal SIGABRT, Aborted.
0X00111416 in __kernel_vsyscall ()

Regards
Comment 1 Carlo Di Dato 2012-04-13 03:44:43 UTC
Created attachment 59901
DoS PoC
Comment 2 Caolán McNamara 2012-04-14 04:47:10 UTC
confirmed, but these are rtf not msword files
Comment 3 Not Assigned 2012-04-14 04:50:19 UTC
Caolan McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=234f150f30d881b2691288c5f5581306bd4d3d18

Resolves: fdo#48640 handle various busted rtf docs without hanging
Comment 4 Caolán McNamara 2012-04-14 04:52:05 UTC
caolanm->vmiklos: can you look over my changes and see if you're happy with them, and cherry-pick for 3-5 if so, or fix it up some more if necessary
Comment 5 Not Assigned 2012-04-14 10:04:00 UTC
Caolan McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-3-5":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=51c8c95b2864b49e7bcbd824eacedb5778a758c0&g=libreoffice-3-5

Resolves: fdo#48640 handle various busted rtf docs without hanging


It will be available in LibreOffice 3.5.3.
Comment 6 Miklos Vajna 2012-04-14 10:10:19 UTC
Caolán,

Yes, looks reasonable, thanks for fixing this one.

Miklos