Created attachment 61909: Crash-friendly document. The enclosed document leads to a crash, either under OpenSuSE Linux or under Windows XP. The crash happens quite quickly as I navigate through the document. I also tried to convert to Word (.doc) format and back to OpenDocument, no success.
Confirmed with: LOdev 3.5.3rc1+ Build ID: 51648779-22e3d74-d554af7 Windows 7 Professional SP1 64 bit. Crashed after a few secs of navigation.
This document doesn't crash OOo 3.4.
Additional note: I believe that the attached document was obtained after a word-LO-word-LO cycle.
Confirmed. Crash after 2-3 seconds with LibO 3.4.5 and with LOdev 3.6 (master - 18-May-2012 02h44 x86@6-fast; Build ID: 8b1d29b) under Windows Vista 64 and Windows XP. Works fine with LibO 3.3.4 => REGRESSION
Created attachment 61912: Crash-friendly document without images. The attached document was made with OOo 3.4, taking all images apart. Still crashes LO 3.4.5.
Created attachment 61917: crash-friendly document saved with Word 2007 - it works. I opened the document with Word 2007 (clicked away the complaint that the format is invalid as Word 2007 supports only ODT 1.1) and saved it. Now the document can be opened with LibO 3.4.5 and with LOdev 3.6 (master - 18-May-2012 02h44 x86@6-fast; Build ID: 8b1d29b) under Windows Vista 64. No crash.
Created attachment 62081: console msgs + bt on master. On pc Debian x86-64, with master updated today, I reproduced the crash with the doc without images. Just open and scroll through as indicated. I attached console logs and bt.
Crashes in GraphiteLayout::expandOrCondense with STL assertion, just a couple lines above the while loop where I've band-aided a similar STL assertion with another bugdoc. Committed a band-aid for this as well; at least it doesn't crash any more and valgrind doesn't complain. Would be nice if somebody had the time to investigate whether these various vectors are sized properly.
Michael Stahl committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=b8452a89ceaa9008558b83f3a8b6937d14b7c803 fdo#50169: band-aid another crash in GraphiteLayout::expandOrCondense:
Michael Stahl committed a patch related to this issue. It has been pushed to "libreoffice-3-5": http://cgit.freedesktop.org/libreoffice/core/commit/?id=6b7bea515ef8e762829b25b97fd84559186dd92c&g=libreoffice-3-5 fdo#50169: band-aid another crash in GraphiteLayout::expandOrCondense: It will be available in LibreOffice 3.5.5.
Created attachment 62307: alternative patch to the problem. I think it is better to skip the rest of the content of the loop in the error case. I.e. then it becomes a case of scanning for the start of the run rather than having potential spacing problems. This patch aims to do that but has not been tested against this bug.
Hi Martin, your patch adds a check for an index into mvCharDxs that is too small, while the actual crash here is caused by an index that is too large. So while your patch doesn't fix any currently known problem, I guess it can't hurt to have it anyway.
Martin Hosken committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=981fd1612fb853287f0bb916b8600de3e587ed64 fdo#50169: add another index check
Michael Stahl committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=e18f53c624443bb2fbb9edba7b81b57487eb0e50 fdo#50169: skip the rest of the loop in case of wrong index
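Added illustration of the index-check pattern the two patches above apply (a lower-bound check, an upper-bound check, and skipping the rest of the loop body on a wrong index). This is constructed example code, not LibreOffice's GraphiteLayout; the Glyph mapping, the adjustment step and the sample values are assumptions made for the example.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-ins (constructed for this example): the real
// GraphiteLayout keeps per-character advances in mvCharDxs and maps each
// glyph to a character index; mapping and adjustment are simplified here.
struct Glyph {
    long charIndex;  // index into the advance table, taken from layout data
    int  delta;      // amount to expand (+) or condense (-) that character
};

// "Before": every index is trusted. An index >= dxs.size() is undefined
// behaviour (an STL assertion abort in a debug build, as in this bug); an
// index below the run start silently edits a character outside the run.
void adjustUnchecked(std::vector<int>& dxs, const std::vector<Glyph>& glyphs) {
    for (const Glyph& g : glyphs)
        dxs[g.charIndex] += g.delta;
}

// "After": validate the index against both ends of the valid range and
// skip the rest of the loop body for that glyph, leaving its advance as is.
// Returns the number of skipped glyphs so callers can log or assert on it.
std::size_t adjustChecked(std::vector<int>& dxs,
                          const std::vector<Glyph>& glyphs, long runStart) {
    std::size_t skipped = 0;
    const long end = static_cast<long>(dxs.size());
    for (const Glyph& g : glyphs) {
        if (g.charIndex < runStart || g.charIndex >= end) {
            ++skipped;
            continue;  // wrong index: do not touch the table at all
        }
        dxs[g.charIndex] += g.delta;
    }
    return skipped;
}

// Constructed sample: four characters, and a glyph run carrying one index
// that is too small (-1) and one that is too large (7).
std::vector<int> sampleAdvances() { return {10, 10, 10, 10}; }
std::vector<Glyph> sampleGlyphs() {
    return {{0, 2}, {-1, 5}, {1, -3}, {7, 4}, {3, 1}};
}
// Runs the hardened loop over the sample; returns the adjusted table.
std::vector<int> sampleResult() {
    std::vector<int> dxs = sampleAdvances();
    adjustChecked(dxs, sampleGlyphs(), 0);
    return dxs;
}
// Number of glyphs the hardened loop rejected for the sample.
std::size_t sampleSkipped() {
    std::vector<int> dxs = sampleAdvances();
    return adjustChecked(dxs, sampleGlyphs(), 0);
}
```

Building the unchecked variant with STL debug assertions enabled and feeding it the same sample reproduces the abort pattern from the attached backtrace; the checked variant leaves the two bad glyphs alone and adjusts the rest.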