Bug 70726 - abort when printing a particular sheet
Summary: abort when printing a particular sheet
Status: RESOLVED DUPLICATE of bug 70725
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version: 4.2.0.0.alpha0+ Master (earliest affected)
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Reported: 2013-10-21 14:55 UTC by Lionel Elie Mamane
Modified: 2013-10-21 15:51 UTC

Description Lionel Elie Mamane 2013-10-21 14:55:54 UTC
When printing a particular sheet, a dbgutil build of LibreOffice aborts because rtl::OUString::copy has been called with argument count bigger than the length of the string.

I can send the document privately to any bona fide dev wanting to work on this bug.

However, my guess is that this comes from the String -> OUString conversion in

commit db3f16317e0b0f931fdfcb6f19f8cc474bd70683
Author: Noel Grandin <noel@peralex.com>
Date:   Wed Aug 7 14:03:59 2013 +0200

    convert String to OUString in VCL
    
    Change-Id: Ie5c6874298641dc6fc1b6b4e2206a704acd7cc10



(gdb) frame 6
#6  0x00007f42266ba660 in vcl::PDFWriterImpl::playMetafile (this=0x43d67d0, i_rMtf=..., i_pOutDevData=0x0, i_rContext=..., 
    pDummyVDev=0x43908d0) at /home/master/src/libreoffice/workdirs/libreoffice-4.2/vcl/source/gdi/pdfwriter_impl2.cxx:845
845	                    m_rOuterFace.DrawText( pA->GetPoint(), pA->GetText().copy( pA->GetIndex(), pA->GetLen() ) );

(gdb) print *pA
$9 = (MetaTextAction) {
  <MetaAction> = {
    _vptr.MetaAction = 0x7f4227040a10, 
    mnRefCount = 2, 
    mnType = 112
  }, 
  members of MetaTextAction: 
  maPt = Point = {
    x = 6897,
    y = 2046
  }, 
  maStr = "Prises", 
  mnIndex = 0, 
  mnLen = 65535
}
(gdb) down
#5  0x00007f4226389f21 in rtl::OUString::copy (this=0x43805a8, beginIndex=beginIndex@entry=0, count=count@entry=65535)
    at /home/master/src/libreoffice/workdirs/libreoffice-4.2/include/rtl/ustring.hxx:1482
1482	        rtl_uString_newFromSubString( &pNew, pData, beginIndex, count );
(gdb) down
#4  0x00007f422c2502dd in rtl_uString_newFromSubString (ppThis=0x7fffaa6a4978, pFrom=0x357c620, beginIndex=0, count=65535)
    at /home/master/src/libreoffice/workdirs/libreoffice-4.2/sal/rtl/strtmpl.cxx:1269
1269	        assert(false); // fail fast at least in debug builds
(gdb) list
1264	        IMPL_RTL_STRINGNAME( assign )( ppThis, const_cast< IMPL_RTL_STRINGDATA * >( pFrom ) );
1265	        return;
1266	    }
1267	    if ( count < 0 || beginIndex < 0 || beginIndex + count > pFrom->length )
1268	    {
1269	        assert(false); // fail fast at least in debug builds
1270	        IMPL_RTL_STRINGNAME( newFromLiteral )( ppThis, "!!br0ken!!", 10, 0 );
1271	        return;
1272	    }
1273	

My guess is that length 65535 was a special magic value in the old code, to say "the whole string", or "undefined" or something like that. But here, it is suddenly being interpreted as an actual length.
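
The failure mode in the description above, as an added example that is not LibreOffice code: a strict substring copy that uses the same precondition as the listed check in rtl_uString_newFromSubString, next to a hypothetical clamping adapter for callers that may still pass a legacy "rest of the string" length. The names rangeIsValid, strictCopy, clampedCopy and kReportedLen are assumptions made for this sketch, and the sentinel meaning of 65535 is the reporter's guess.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// mnLen from the report's `print *pA`; its "whole string" meaning is the reporter's guess.
constexpr int32_t kReportedLen = 65535;

// Same precondition as the check at strtmpl.cxx:1267 in the report, rewritten
// so that beginIndex + count cannot overflow a signed 32-bit value.
bool rangeIsValid(int32_t length, int32_t beginIndex, int32_t count)
{
    return !(count < 0 || beginIndex < 0 || beginIndex > length
             || count > length - beginIndex);
}

// Strict copy: like the non-debug path in the listing, an invalid range
// yields the marker string instead of a read past the end of the buffer.
std::u16string strictCopy(const std::u16string& s, int32_t beginIndex, int32_t count)
{
    if (!rangeIsValid(static_cast<int32_t>(s.size()), beginIndex, count))
        return u"!!br0ken!!";
    return s.substr(beginIndex, count);
}

// Hypothetical adapter for converted call sites: clamp an oversized count to
// the characters actually available, then go through the strict copy.
std::u16string clampedCopy(const std::u16string& s, int32_t beginIndex, int32_t count)
{
    const int32_t length = static_cast<int32_t>(s.size());
    if (beginIndex < 0 || beginIndex > length || count < 0)
        return std::u16string();          // nothing sensible to copy
    if (count > length - beginIndex)
        count = length - beginIndex;      // "to the end of the string"
    return strictCopy(s, beginIndex, count);
}

int main()
{
    const std::u16string text = u"Prises";   // maStr from the report
    std::cout << "strict range valid: "
              << rangeIsValid(static_cast<int32_t>(text.size()), 0, kReportedLen) << '\n'
              << "strict copy is marker: "
              << (strictCopy(text, 0, kReportedLen) == u"!!br0ken!!") << '\n'
              << "clamped copy is whole string: "
              << (clampedCopy(text, 0, kReportedLen) == text) << '\n';
    return 0;
}
```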
Comment 1 Caolán McNamara 2013-10-21 15:51:52 UTC

*** This bug has been marked as a duplicate of bug 70725 ***