Download it now!
Bug 70480 - FILEOPEN: SIGSEGV when supplying malformed input files to Writer
Summary: FILEOPEN: SIGSEGV when supplying malformed input files to Writer
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
4.1.2.3 release
Hardware: Other Linux (All)
: medium normal
Assignee: David Tardon
URL:
Whiteboard: BSA target:4.2.0 target:4.1.4
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-15 08:41 UTC by Alexandru Blanda
Modified: 2013-10-18 09:29 UTC (History)
3 users (show)

See Also:
Crash report or crash signature:


Attachments
files that can be used to reproduce the crash (1.83 MB, application/zip)
2013-10-15 08:41 UTC, Alexandru Blanda
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandru Blanda 2013-10-15 08:41:44 UTC
Created attachment 87651 [details]
files that can be used to reproduce the crash

Problem description: 

Program received signal SIGSEGV, Segmentation fault.
std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffffffb478, __str=
    <error reading variable: Cannot access memory at address 0x29>)
    at /usr/src/debug/gcc-4.7.2/obj-x86_64-tizen-linux/x86_64-tizen-linux/libstdc++-v3/include/bits/basic_string.tcc:175

A number of files that can be used to reproduce the crash can be found in the attached crash_files.zip archive. 
The files were generated by fuzzing valid files, in order to check for problems when libreoffice handles malformed input.
The bug was found while testing Libreoffice version 4.0.1.2, but it is persistent in version 4.1.2.3

Steps to reproduce:
1. Open libreoffice with gdb attached
2. Open the files from crash_files.zip

A gdb backtrace example of opening one of the files can be found here:
https://docs.google.com/file/d/0Bw_O6opVYHaaYVIwRlNOMkJfOUk/edit?usp=sharing

              
Operating System: Ubuntu
Version: 4.1.2.3 rc
Comment 1 Caolán McNamara 2013-10-16 15:52:58 UTC
caolanm->dtardon/fridrich

sf_4fb158660a71837695cd1e9d0e1d7ecb-117200.odt is a crash in libcdr
Comment 2 Caolán McNamara 2013-10-16 15:54:27 UTC
sf_bffbd306787fea717b1aa5a207854c99-298-minimized.odt is libvisio
Comment 3 David Tardon 2013-10-17 08:30:24 UTC
Clearly we should not dereference iterator unless we know it is valid...

This is actually just one crash, as the same zip-reading code has been reused at several places.
Comment 4 David Tardon 2013-10-17 09:50:49 UTC
Btw, the crash in libcdr has already been fixed by libcdr-0.0.14, which has been in libreoffice for quite some time.

@Alexandru: I applaud your effort trying to make libreoffice filters more reliable, but it would be much better if you worked with master branch.
Comment 5 Commit Notification 2013-10-18 09:08:31 UTC
David Tardon committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=f2422ab90d92104915b93e96f647a89bbf55ad30

fdo#70480 do not crash reading malformed zip



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2013-10-18 09:29:58 UTC
David Tardon committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=f295f47b1549a39c0113f4ca3eb0d8bb14844cac&h=libreoffice-4-1

fdo#70480 do not crash reading malformed zip


It will be available in LibreOffice 4.1.4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.