Created attachment 88762 [details]
Crashing Test Case

$ /usr/local/lib/libreoffice/program/soffice.bin --version
LibreOffice 4.1.3.2 410m0(Build:2)

$ valgrind /usr/local/lib/libreoffice/program/soffice.bin --calc --nologo --norestore --view Homer.xls
==6642== Memcheck, a memory error detector
==6642== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==6642== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==6642== Command: /usr/local/lib/libreoffice/program/soffice.bin --calc --nologo --norestore --view Homer.xls
==6642==
==6642== Conditional jump or move depends on uninitialised value(s)
==6642==    at 0xC28B290: inflateReset2 (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0xC28B37F: inflateInit2_ (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0x1F32DD8A: ZipUtils::Inflater::Inflater(unsigned char) (Inflater.cxx:42)
==6642==    by 0x1F3374FF: ZipFile::ZipFile(com::sun::star::uno::Reference<com::sun::star::io::XInputStream>&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, unsigned char) (ZipFile.cxx:70)
==6642==    by 0x1F3432C3: OZipFileAccess::initialize(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (zipfileaccess.cxx:225)
==6642==    by 0x6A43695: cppu::OSingleFactoryHelper::createInstanceWithArgumentsAndContext(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&) (factory.cxx:218)
==6642==    by 0x6A438F8: cppu::OFactoryComponentHelper::createInstanceWithArgumentsAndContext(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&) (factory.cxx:451)
==6642==    by 0x6A77631: cppuhelper::ServiceManager::createInstanceWithArgumentsAndContext(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&) (servicemanager.cxx:820)
==6642==    by 0x947B3BA: com::sun::star::packages::zip::ZipFileAccess::createWithURL(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&) (ZipFileAccess.hpp:34)
==6642==    by 0x9478FB5: ImplImageTree::find(std::vector<rtl::OUString, std::allocator<rtl::OUString> > const&, BitmapEx&) (impimagetree.cxx:326)
==6642==    by 0x947984D: ImplImageTree::doLoadImage(rtl::OUString const&, rtl::OUString const&, BitmapEx&, bool) (impimagetree.cxx:227)
==6642==    by 0x9479B3C: ImplImageTree::loadImage(rtl::OUString const&, rtl::OUString const&, BitmapEx&, bool, bool) (impimagetree.cxx:176)
==6642==
==6642== Conditional jump or move depends on uninitialised value(s)
==6642==    at 0xC28B290: inflateReset2 (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0xC28B37F: inflateInit2_ (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0x1F32DD8A: ZipUtils::Inflater::Inflater(unsigned char) (Inflater.cxx:42)
==6642==    by 0x1F330BCC: XUnbufferedStream::XUnbufferedStream(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, SotMutexHolderRef, ZipEntry&, com::sun::star::uno::Reference<com::sun::star::io::XInputStream>, rtl::Reference<EncryptionData> const&, signed char, unsigned char, rtl::OUString const&, unsigned char) (XUnbufferedStream.cxx:67)
==6642==    by 0x1F33296A: ZipFile::createUnbufferedStream(SotMutexHolderRef, ZipEntry&, rtl::Reference<EncryptionData> const&, signed char, unsigned char, rtl::OUString) (ZipFile.cxx:523)
==6642==    by 0x1F3398A9: ZipFile::getDataStream(ZipEntry&, rtl::Reference<EncryptionData> const&, unsigned char, SotMutexHolderRef) (ZipFile.cxx:598)
==6642==    by 0x1F342410: OZipFileAccess::getByName(rtl::OUString const&) (zipfileaccess.cxx:250)
==6642==    by 0x9478B0B: ImplImageTree::find(std::vector<rtl::OUString, std::allocator<rtl::OUString> > const&, BitmapEx&) (impimagetree.cxx:341)
==6642==    by 0x947984D: ImplImageTree::doLoadImage(rtl::OUString const&, rtl::OUString const&, BitmapEx&, bool) (impimagetree.cxx:227)
==6642==    by 0x9479B3C: ImplImageTree::loadImage(rtl::OUString const&, rtl::OUString const&, BitmapEx&, bool, bool) (impimagetree.cxx:176)
==6642==    by 0x943A2E2: BitmapEx::BitmapEx(ResId const&) (bitmapex.cxx:100)
==6642==    by 0x14A7F50D: GtkSalFrame::SetIcon(unsigned short) (gtksalframe.cxx:1436)
==6642==
==6642== Conditional jump or move depends on uninitialised value(s)
==6642==    at 0xC28B290: inflateReset2 (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0xC28B37F: inflateInit2_ (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0x8A16CAC: ZCodec::ImplInitBuf(unsigned char) (zcodec.cxx:394)
==6642==    by 0x8A16FA2: ZCodec::ReadAsynchron(SvStream&, unsigned char*, unsigned long) (zcodec.cxx:259)
==6642==    by 0x954EDD3: vcl::PNGReaderImpl::ImplReadIDAT() (pngread.cxx:876)
==6642==    by 0x95506BC: vcl::PNGReaderImpl::GetBitmapEx(Size const&) (pngread.cxx:359)
==6642==    by 0x955098B: vcl::PNGReader::Read(Size const&) (pngread.cxx:1479)
==6642==    by 0x9477916: (anonymous namespace)::loadImageFromStream(boost::shared_ptr<SvStream>, rtl::OUString const&, BitmapEx&) (impimagetree.cxx:123)
==6642==    by 0x9478E42: ImplImageTree::find(std::vector<rtl::OUString, std::allocator<rtl::OUString> > const&, BitmapEx&) (impimagetree.cxx:343)
==6642==    by 0x947984D: ImplImageTree::doLoadImage(rtl::OUString const&, rtl::OUString const&, BitmapEx&, bool) (impimagetree.cxx:227)
==6642==    by 0x9479B3C: ImplImageTree::loadImage(rtl::OUString const&, rtl::OUString const&, BitmapEx&, bool, bool) (impimagetree.cxx:176)
==6642==    by 0x943A2E2: BitmapEx::BitmapEx(ResId const&) (bitmapex.cxx:100)
==6642==
==6642== Conditional jump or move depends on uninitialised value(s)
==6642==    at 0xC28B290: inflateReset2 (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0xC28B37F: inflateInit2_ (in /usr/lib/libz.so.1.2.3.4)
==6642==    by 0x8A16CAC: ZCodec::ImplInitBuf(unsigned char) (zcodec.cxx:394)
==6642==    by 0x8A17291: ZCodec::Decompress(SvStream&, SvStream&) (zcodec.cxx:146)
==6642==    by 0x2476E15A: SvxMSDffManager::GetBLIPDirect(SvStream&, Graphic&, Rectangle*) const (msdffimp.cxx:6253)
==6642==    by 0x2476E78F: SvxMSDffManager::GetBLIP(unsigned long, Graphic&, Rectangle*) (msdffimp.cxx:6157)
==6642==    by 0x24772459: SvxMSDffManager::ImportGraphic(SvStream&, SfxItemSet&, DffObjData const&) (msdffimp.cxx:3714)
==6642==    by 0x24789485: SvxMSDffManager::ImportShape(DffRecordHeader const&, SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:4226)
==6642==    by 0x2478BECE: SvxMSDffManager::ImportObj(SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:3953)
==6642==    by 0x250F466C: XclImpDffConverter::ProcessShContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3685)
==6642==    by 0x250F4786: XclImpDffConverter::ProcessShGrContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3654)
==6642==    by 0x250F48F5: XclImpDffConverter::ProcessDgContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3627)
==6642==
==6642== Invalid write of size 8
==6642==    at 0x93EF263: Polygon EnhWMFReader::ReadPolygon<short>(unsigned int, unsigned int) (enhwmf.cxx:354)
==6642==    by 0x93EF336: void EnhWMFReader::ReadAndDrawPolygon<short, boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > > >(boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > >, unsigned char) (enhwmf.cxx:332)
==6642==    by 0x93EC8DC: EnhWMFReader::ReadEnhWMF() (enhwmf.cxx:1282)
==6642==    by 0x93FE3AD: ConvertWMFToGDIMetaFile(SvStream&, GDIMetaFile&, FilterConfigItem*, WMF_EXTERNALHEADER*) (wmf.cxx:40)
==6642==    by 0x93CAEF5: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>*, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1568)
==6642==    by 0x93CB416:
GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1326)
==6642==    by 0x2476DFA9: SvxMSDffManager::GetBLIPDirect(SvStream&, Graphic&, Rectangle*) const (msdffimp.cxx:6331)
==6642==    by 0x2476E78F: SvxMSDffManager::GetBLIP(unsigned long, Graphic&, Rectangle*) (msdffimp.cxx:6157)
==6642==    by 0x24772459: SvxMSDffManager::ImportGraphic(SvStream&, SfxItemSet&, DffObjData const&) (msdffimp.cxx:3714)
==6642==    by 0x24789485: SvxMSDffManager::ImportShape(DffRecordHeader const&, SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:4226)
==6642==    by 0x2478BECE: SvxMSDffManager::ImportObj(SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:3953)
==6642==    by 0x250F466C: XclImpDffConverter::ProcessShContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3685)
==6642==  Address 0x2868dae8 is 8 bytes after a block of size 208 alloc'd
==6642==    at 0x4C264F0: operator new[](unsigned long) (vg_replace_malloc.c:363)
==6642==    by 0x89E408F: ImplPolygon::ImplPolygon(unsigned short, unsigned char) (poly.cxx:64)
==6642==    by 0x89E4FAA: Polygon::Polygon(unsigned short) (poly.cxx:312)
==6642==    by 0x93EF1E5: Polygon EnhWMFReader::ReadPolygon<short>(unsigned int, unsigned int) (enhwmf.cxx:347)
==6642==    by 0x93EF336: void EnhWMFReader::ReadAndDrawPolygon<short, boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > > >(boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > >, unsigned char) (enhwmf.cxx:332)
==6642==    by 0x93EC8DC: EnhWMFReader::ReadEnhWMF() (enhwmf.cxx:1282)
==6642==    by 0x93FE3AD: ConvertWMFToGDIMetaFile(SvStream&, GDIMetaFile&, FilterConfigItem*, WMF_EXTERNALHEADER*) (wmf.cxx:40)
==6642==    by 0x93CAEF5: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>*, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1568)
==6642==    by 0x93CB416: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1326)
==6642==    by 0x2476DFA9: SvxMSDffManager::GetBLIPDirect(SvStream&, Graphic&, Rectangle*) const (msdffimp.cxx:6331)
==6642==    by 0x2476E78F: SvxMSDffManager::GetBLIP(unsigned long, Graphic&, Rectangle*) (msdffimp.cxx:6157)
==6642==    by 0x24772459: SvxMSDffManager::ImportGraphic(SvStream&, SfxItemSet&, DffObjData const&) (msdffimp.cxx:3714)
==6642==
==6642== Invalid write of size 8
==6642==    at 0x93EF267: Polygon EnhWMFReader::ReadPolygon<short>(unsigned int, unsigned int) (enhwmf.cxx:354)
==6642==    by 0x93EF336: void EnhWMFReader::ReadAndDrawPolygon<short, boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > > >(boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > >, unsigned char) (enhwmf.cxx:332)
==6642==    by 0x93EC8DC: EnhWMFReader::ReadEnhWMF() (enhwmf.cxx:1282)
==6642==    by 0x93FE3AD: ConvertWMFToGDIMetaFile(SvStream&, GDIMetaFile&, FilterConfigItem*, WMF_EXTERNALHEADER*) (wmf.cxx:40)
==6642==    by 0x93CAEF5: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>*, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1568)
==6642==    by 0x93CB416: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1326)
==6642==    by 0x2476DFA9: SvxMSDffManager::GetBLIPDirect(SvStream&, Graphic&, Rectangle*) const (msdffimp.cxx:6331)
==6642==    by 0x2476E78F: SvxMSDffManager::GetBLIP(unsigned long, Graphic&, Rectangle*) (msdffimp.cxx:6157)
==6642==    by 0x24772459: SvxMSDffManager::ImportGraphic(SvStream&, SfxItemSet&, DffObjData const&) (msdffimp.cxx:3714)
==6642==    by 0x24789485: SvxMSDffManager::ImportShape(DffRecordHeader const&, SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:4226)
==6642==    by 0x2478BECE: SvxMSDffManager::ImportObj(SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:3953)
==6642==    by 0x250F466C: XclImpDffConverter::ProcessShContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3685)
==6642==  Address 0x2868dae0 is 0 bytes after a block of size 208 alloc'd
==6642==    at 0x4C264F0: operator new[](unsigned long) (vg_replace_malloc.c:363)
==6642==    by 0x89E408F: ImplPolygon::ImplPolygon(unsigned short, unsigned char) (poly.cxx:64)
==6642==    by 0x89E4FAA: Polygon::Polygon(unsigned short) (poly.cxx:312)
==6642==    by 0x93EF1E5: Polygon EnhWMFReader::ReadPolygon<short>(unsigned int, unsigned int) (enhwmf.cxx:347)
==6642==    by 0x93EF336: void EnhWMFReader::ReadAndDrawPolygon<short, boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > > >(boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > >, unsigned char) (enhwmf.cxx:332)
==6642==    by 0x93EC8DC: EnhWMFReader::ReadEnhWMF() (enhwmf.cxx:1282)
==6642==    by 0x93FE3AD: ConvertWMFToGDIMetaFile(SvStream&, GDIMetaFile&, FilterConfigItem*, WMF_EXTERNALHEADER*) (wmf.cxx:40)
==6642==    by 0x93CAEF5: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>*, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1568)
==6642==    by 0x93CB416: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1326)
==6642==    by 0x2476DFA9: SvxMSDffManager::GetBLIPDirect(SvStream&, Graphic&, Rectangle*) const (msdffimp.cxx:6331)
==6642==    by 0x2476E78F: SvxMSDffManager::GetBLIP(unsigned long, Graphic&, Rectangle*) (msdffimp.cxx:6157)
==6642==    by 0x24772459: SvxMSDffManager::ImportGraphic(SvStream&, SfxItemSet&, DffObjData const&) (msdffimp.cxx:3714)
==6642==

valgrind: m_mallocfree.c:294 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 2560, hi = 18446744073709519887.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.
==6642==    at 0x38031ED7: report_and_quit (m_libcassert.c:235)
==6642==    by 0x38032110: vgPlain_assert_fail (m_libcassert.c:309)
==6642==    by 0x3803F26C: vgPlain_arena_malloc (m_mallocfree.c:294)
==6642==    by 0x38003C64: vgMemCheck_new_block (mc_malloc_wrappers.c:263)
==6642==    by 0x3800406D: vgMemCheck___builtin_new (mc_malloc_wrappers.c:311)
==6642==    by 0x3807A598: vgPlain_scheduler (scheduler.c:1665)
==6642==    by 0x380A5FA9: run_a_thread_NORETURN (syswrap-linux.c:103)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==6642==    at 0x4C2695A: operator new(unsigned long) (vg_replace_malloc.c:298)
==6642==    by 0x93F2BA1: WinMtfOutput::UpdateFillStyle() (winmtf.cxx:1023)
==6642==    by 0x93F2DBE: WinMtfOutput::DrawPolygon(Polygon&, unsigned char) (winmtf.cxx:1304)
==6642==    by 0x93EF354: void EnhWMFReader::ReadAndDrawPolygon<short, boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > > >(boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > >, unsigned char) (mem_fn_template.hpp:393)
==6642==    by 0x93EC8DC: EnhWMFReader::ReadEnhWMF() (enhwmf.cxx:1282)
==6642==    by 0x93FE3AD: ConvertWMFToGDIMetaFile(SvStream&, GDIMetaFile&, FilterConfigItem*, WMF_EXTERNALHEADER*) (wmf.cxx:40)
==6642==    by 0x93CAEF5: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>*, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1568)
==6642==    by 0x93CB416: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned int, WMF_EXTERNALHEADER*) (graphicfilter.cxx:1326)
==6642==    by 0x2476DFA9: SvxMSDffManager::GetBLIPDirect(SvStream&, Graphic&, Rectangle*) const (msdffimp.cxx:6331)
==6642==    by 0x2476E78F: SvxMSDffManager::GetBLIP(unsigned long, Graphic&, Rectangle*) (msdffimp.cxx:6157)
==6642==    by 0x24772459: SvxMSDffManager::ImportGraphic(SvStream&, SfxItemSet&, DffObjData const&) (msdffimp.cxx:3714)
==6642==    by 0x24789485: SvxMSDffManager::ImportShape(DffRecordHeader const&, SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:4226)
==6642==    by 0x2478BECE: SvxMSDffManager::ImportObj(SvStream&, void*, Rectangle&, Rectangle const&, int, int*) (msdffimp.cxx:3953)
==6642==    by 0x250F466C: XclImpDffConverter::ProcessShContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3685)
==6642==    by 0x250F4786: XclImpDffConverter::ProcessShGrContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3654)
==6642==    by 0x250F48F5: XclImpDffConverter::ProcessDgContainer(SvStream&, DffRecordHeader const&) (xiescher.cxx:3627)
==6642==    by 0x250F49A5: XclImpDffConverter::ProcessDrawing(SvStream&) (xiescher.cxx:3281)
==6642==    by 0x25100B9F: XclImpDrawing::ImplConvertObjects(XclImpDffConverter&, SdrModel&, SdrPage&) (xiescher.cxx:3901)
==6642==    by 0x25100EDB: XclImpObjectManager::ConvertObjects() (xiescher.cxx:4184)
==6642==    by 0x24FF6DE9: ImportExcel::PostDocLoad() (impop.cxx:1226)
==6642==    by 0x24FE68D7: ImportExcel8::PostDocLoad() (excimp8.cxx:387)
==6642==    by 0x25001688: ImportExcel8::Read() (read.cxx:1296)
==6642==    by 0x24FD64F9: ScFormatFilterPluginImpl::ScImportExcel(SfxMedium&, ScDocument*, EXCIMPFORMAT) (excel.cxx:139)
==6642==    by 0x2162F7AC: ScDocShell::ConvertFrom(SfxMedium&) (docsh.cxx:1119)
==6642==    by 0x7695AFF: SfxObjectShell::DoLoad(SfxMedium*) (objstor.cxx:769)
==6642==    by 0x76D5302: SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (sfxbasemodel.cxx:1890)
==6642==    by 0x775D2C7: SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) (frmload.cxx:598)
==6642==    by 0x1C8CF72A: framework::LoadEnv::impl_loadContent() (loadenv.cxx:1168)
==6642==    by 0x1C8CFE4E: framework::LoadEnv::startLoading() (loadenv.cxx:397)
==6642==    by 0x1C853B0F: framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) (loaddispatcher.cxx:119)
==6642==    by 0x1C8540C7: framework::LoadDispatcher::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (loaddispatcher.cxx:65)
==6642==    by 0x653DA7A: comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (synchronousdispatch.cxx:69)
==6642==    by 0x50C551A: desktop::DispatchWatcher::executeDispatchRequests(std::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) (dispatchwatcher.cxx:384)
==6642==    by 0x50D0B6E: desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) (officeipcthread.cxx:1060)
==6642==    by 0x50AA3EC: desktop::Desktop::OpenClients() (app.cxx:2510)
==6642==    by 0x50AB3F1: desktop::Desktop::OpenClients_Impl(void*) (app.cxx:2018)
==6642==    by 0x965B6C7: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (link.hxx:123)
==6642==    by 0x9664206: SalGenericDisplay::DispatchInternalEvent() (salframe.hxx:243)
==6642==    by 0x14A64336: GtkData::userEventFn(void*) (gtkdata.cxx:933)
==6642==    by 0x14A643A8: call_userEventFn (gtkdata.cxx:943)
==6642==    by 0xD20F6F1: g_main_context_dispatch (gmain.c:1960)
==6642==    by 0xD213567: g_main_context_iterate (gmain.c:2591)
==6642==    by 0xD21371B: g_main_context_iteration (gmain.c:2654)
==6642==    by 0x14A649B4: GtkData::Yield(bool, bool) (gtkdata.cxx:572)
==6642==    by 0x932AE30: Application::Yield(bool) (svapp.cxx:422)
==6642==    by 0x932AF06: Application::Execute() (svapp.cxx:401)
==6642==    by 0x50ACB6D: desktop::Desktop::Main() (app.cxx:1720)
==6642==    by 0x9330C60: ImplSVMain() (svmain.cxx:162)
==6642==    by 0x9330C81: SVMain() (svmain.cxx:198)
==6642==    by 0x50D2E44: soffice_main (sofficemain.cxx:82)
==6642==    by 0x40075A: main (main.c:48)

Thread 2: status = VgTs_WaitSys
==6642==    at 0x566A569: pthread_cond_timedwait@@GLIBC_2.3.2 (pthread_cond_timedwait.S:211)
==6642==    by 0x4E4AE65: rtl_cache_wsupdate_all(void*) (alloc_cache.cxx:1376)
==6642==    by 0x56658C9: start_thread (pthread_create.c:300)
==6642==    by 0x53CCB6C: clone (clone.S:112)

Thread 3: status = VgTs_WaitSys
==6642==    at 0x53C1C13: poll (poll.c:87)
==6642==    by 0x17071B89: x11::SelectionManager::dispatchEvent(int) (X11_selection.cxx:3721)
==6642==    by 0x17071CE5: x11::SelectionManager::run(void*) (X11_selection.cxx:3755)
==6642==    by 0x4E44E76: osl_thread_start_Impl (thread.c:251)
==6642==    by 0x56658C9: start_thread (pthread_create.c:300)
==6642==    by 0x53CCB6C: clone (clone.S:112)

Thread 4: status = VgTs_WaitSys
==6642==    at 0x53CD72D: ??? (syscall-template.S:82)
==6642==    by 0x4E3EBF1: osl_acceptPipe (pipe.c:457)
==6642==    by 0x50D11BE: desktop::OfficeIPCThread::execute() (pipe.hxx:132)
==6642==    by 0x7141299: salhelper::Thread::run() (thread.cxx:40)
==6642==    by 0x71415C9: threadFunc (thread.hxx:187)
==6642==    by 0x4E44E76: osl_thread_start_Impl (thread.c:251)
==6642==    by 0x56658C9: start_thread (pthread_create.c:300)
==6642==    by 0x53CCB6C: clone (clone.S:112)

Thread 5: status = VgTs_WaitSys
==6642==    at 0x566A569: pthread_cond_timedwait@@GLIBC_2.3.2 (pthread_cond_timedwait.S:211)
==6642==    by 0x4E64615: osl_waitCondition (conditn.cxx:257)
==6642==    by 0x1C875EB3: framework::WakeUpThread::run() (conditn.hxx:75)
==6642==    by 0x1C8672A9: threadFunc (thread.hxx:187)
==6642==    by 0x4E44E76: osl_thread_start_Impl (thread.c:251)
==6642==    by 0x56658C9: start_thread (pthread_create.c:300)
==6642==    by 0x53CCB6C: clone (clone.S:112)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

$ gdb -q /usr/local/lib/libreoffice/program/soffice.bin
Reading symbols from /usr/local/lib/libreoffice/program/soffice.bin...done.
(gdb) set disassembly intel
(gdb) r --calc --nologo --norestore --view Homer.xls
Starting program: /usr/local/lib/libreoffice/program/soffice.bin --calc --nologo --norestore --view Homer.xls
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffe9645700 (LWP 6790)]
[New Thread 0x7fffe26e2700 (LWP 6791)]
[New Thread 0x7fffe1ee1700 (LWP 6792)]
[Thread 0x7fffe26e2700 (LWP 6791) exited]
[New Thread 0x7fffe26e2700 (LWP 6795)]
[New Thread 0x7fffd4f8b700 (LWP 6856)]
[New Thread 0x7fffd478a700 (LWP 6857)]
[Thread 0x7fffd478a700 (LWP 6857) exited]
[Thread 0x7fffd4f8b700 (LWP 6856) exited]
[New Thread 0x7fffd478a700 (LWP 6866)]

Program received signal SIGSEGV, Segmentation fault.
EnhWMFReader::ReadPolygon<short> (this=0x7fffffff5880, nStartIndex=<value optimized out>, nPoints=1073741837) at /VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/wmf/enhwmf.cxx:354
354             aPolygon[ i ] = Point( nX, nY );
Current language:  auto
The current source language is "auto; currently c++".
(gdb) x/4i $rip
0x7ffff33c0263 <_ZN12EnhWMFReader11ReadPolygonIsEE7Polygonjj+163>:  mov    QWORD PTR [rax+0x8],rcx
0x7ffff33c0267 <_ZN12EnhWMFReader11ReadPolygonIsEE7Polygonjj+167>:  mov    QWORD PTR [rax],rdx
0x7ffff33c026a <_ZN12EnhWMFReader11ReadPolygonIsEE7Polygonjj+170>:  jbe    0x7ffff33c0276 <_ZN12EnhWMFReader11ReadPolygonIsEE7Polygonjj+182>
0x7ffff33c026c <_ZN12EnhWMFReader11ReadPolygonIsEE7Polygonjj+172>:  mov    rdi,QWORD PTR [rbx+0x8]
(gdb) inf reg
rax            0x8d7b                 36219
rbx            0x7fffffff5880         140737488312448
rcx            0x640f                 25615
rdx            0x790b                 30987
rsi            0xf7                   247
rdi            0x7fffffff5060         140737488310368
rbp            0x7fffffff5060         0x7fffffff5060
rsp            0x7fffffff5000         0x7fffffff5000
r8             0x420f840b320f8b0b     4760168514773289739
r9             0x640f790b530f7e0b     7210114617988578827
r10            0x870f730b750f760b     -8714620260892838389
r11            0x7ffff762bcda         140737343831258
r12            0x4000000d             1073741837
r13            0xf8                   248
r14            0xf8                   248
r15            0x7fffffff501c         140737488310300
rip            0x7ffff33c0263         0x7ffff33c0263 <Polygon EnhWMFReader::ReadPolygon<short>(unsigned int, unsigned int)+163>
eflags         0x10202                [ IF RF ]
cs             0x33                   51
ss             0x2b                   43
ds             0x0                    0
es             0x0                    0
fs             0x0                    0
gs             0x0                    0
fctrl          0x37f                  895
fstat          0x0                    0
ftag           0xffff                 65535
fiseg          0x7fff                 32767
fioff          0xf3ffd19e             -201338466
foseg          0x7fff                 32767
fooff          0xffff7a58             -34216
fop            0x0                    0
mxcsr          0x1fa0                 [ PE IM DM ZM OM UM PM ]
(gdb) p/x nX
$7 = 0x790b
(gdb) p/x nY
$8 = 0x640f
(gdb) bt 10
#0  EnhWMFReader::ReadPolygon<short> (this=0x7fffffff5880, nStartIndex=<value optimized out>, nPoints=1073741837) at /VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/wmf/enhwmf.cxx:354
#1  0x00007ffff33c0337 in EnhWMFReader::ReadAndDrawPolygon<short, boost::_bi::bind_t<void, boost::_mfi::mf3<void, WinMtfOutput, Polygon&, unsigned char, unsigned char>, boost::_bi::list4<boost::arg<1>, boost::arg<2>, boost::arg<3>, boost::arg<4> > > > (this=0x7fffffff5880, drawer=..., skipFirst=0 '\000') at /VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/wmf/enhwmf.cxx:332
#2  0x00007ffff33bd8dd in EnhWMFReader::ReadEnhWMF (this=0x7fffffff5880) at
/VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/wmf/enhwmf.cxx:1282
#3  0x00007ffff33cf3ae in ConvertWMFToGDIMetaFile (rStreamWMF=..., rGDIMetaFile=<value optimized out>, pConfigItem=0x0, pExtHeader=0x0) at /VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/wmf/wmf.cxx:40
#4  0x00007ffff339bef6 in GraphicFilter::ImportGraphic (this=<value optimized out>, rGraphic=<value optimized out>, rPath=<value optimized out>, rIStream=<value optimized out>, nFormat=<value optimized out>, pDeterminedFormat=<value optimized out>, nImportFlags=0, pFilterData=0x0, pExtHeader=0x0) at /VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/graphicfilter.cxx:1568
#5  0x00007ffff339c417 in GraphicFilter::ImportGraphic (this=0x7fffffff5060, rGraphic=..., rPath=..., rIStream=..., nFormat=<value optimized out>, pDeterminedFormat=0x640f790b530f7e0b, nImportFlags=0, pExtHeader=0x0) at /VMs/OOffice/Build/libreoffice-4.1.3.2/vcl/source/filter/graphicfilter.cxx:1326
#6  0x00007fffd6222faa in SvxMSDffManager::GetBLIPDirect (this=<value optimized out>, rBLIPStream=..., rData=<value optimized out>, pVisArea=<value optimized out>) at /VMs/OOffice/Build/libreoffice-4.1.3.2/filter/source/msfilter/msdffimp.cxx:6331
#7  0x00007fffd6223790 in SvxMSDffManager::GetBLIP (this=0x7fffffff7310, nIdx_=1, rData=..., pVisArea=<value optimized out>) at /VMs/OOffice/Build/libreoffice-4.1.3.2/filter/source/msfilter/msdffimp.cxx:6157
#8  0x00007fffd622745a in SvxMSDffManager::ImportGraphic (this=0x7fffffff7310, rSt=..., rSet=<value optimized out>, rObjData=...) at /VMs/OOffice/Build/libreoffice-4.1.3.2/filter/source/msfilter/msdffimp.cxx:3714
#9  0x00007fffd623e486 in SvxMSDffManager::ImportShape (this=0x7fffffff7310, rHd=<value optimized out>, rSt=..., pClientData=0x7fffffff7198, rClientRect=<value optimized out>, rGlobalChildRect=<value optimized out>, nCalledByGroup=0, pShapeId=0x0) at /VMs/OOffice/Build/libreoffice-4.1.3.2/filter/source/msfilter/msdffimp.cxx:4226
(More stack frames follow...)
(gdb) li 337,358
337     /**
338      * Reads polygons from the stream.
339      * The <class T> parameter is for the type of the points
340      * nStartIndex: which is the starting index in the polygon of the first point read
341      * nPoints: number of points
342      * pWMF: the stream containings the polygons
343      * */
344     template <class T>
345     Polygon EnhWMFReader::ReadPolygon(sal_uInt32 nStartIndex, sal_uInt32 nPoints)
346     {
347         Polygon aPolygon(nPoints);
348         for (sal_uInt16 i = nStartIndex ; i < nPoints && pWMF->good(); i++ )
349         {
350             T nX, nY;
351             *pWMF >> nX >> nY;
352             if (!pWMF->good())
353                 break;
354             aPolygon[ i ] = Point( nX, nY );
355         }
356
357         return aPolygon;
358     }
(gdb) p/d i
$9 = 248
(gdb) p/d nPoints
$11 = 1073741837
(gdb) p *pWMF
$12 = {_vptr.SvStream = 0x7ffff42612f0, pImp = 0x7ffff790ae98, xLockBytes = {pObj = 0x0}, nActPos = 0, pRWBuf = 0x11e73c0 "\n\n\020\265\n\372\017\274\n\352\017\306\n\332\017\320\n\314\017\334\n\277\017\350\n\262\017\365\n\247\017\003\v\234\017\022\v\223\017\"\v\213\017\062\v\204\017B\v~\017S\vy\017d\vv\017u\vs\017\207", pBufPos = 0x11e73f8 "\vv\017u\vs\017\207", nBufSize = 64, nBufActualLen = 64, nBufActualPos = 56, nBufFree = 8, eIOMode = 1, bIsDirty = 0, bIsConsistent = -1, bSwap = 0, bIsEof = 0, nError = 0, nNumberFormatInt = 65535, nCompressMode = 0, eLineDelimiter = LINEEND_LF, eStreamCharSet = 76, m_aCryptMaskKey = {pData = 0x7ffff7bc6ff4}, nCryptMask = 0 '\000', nVersion = 0, nBufFilePos = 22512, eStreamMode = 0, bIsWritable = 1 '\001'}
(gdb)

Please let me know if you guys are requesting a CVE.
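As an added example (not code from the report above or from LibreOffice), the following stand-alone C++ models the width mismatch shown in the ReadPolygon<short> listing: the 32-bit nPoints is truncated by the 16-bit Polygon constructor, and the 16-bit loop index can never reach a bound of 65536 or more, so the loop runs as long as the stream has bytes. Point, ByteStream, readLegacy, readBounded and makeStream are assumed names for this demo, and the bounded rewrite is my own rather than the project's patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not LibreOffice code: a stand-alone model of the integer
// width mismatch in the ReadPolygon<short> listing, next to a bounded rewrite.
// Point, ByteStream, readLegacy, readBounded and makeStream are assumed names;
// the rewrite is mine, not the project's fix.

struct Point { int64_t x; int64_t y; };   // vcl's Point: two longs, 16 bytes on x86-64

// Minimal stand-in for SvStream: a constructed byte buffer with a cursor.
struct ByteStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    bool ok = true;
    bool good() const { return ok; }
    size_t remaining() const { return data.size() - pos; }
    int16_t readI16() {                    // mirrors `*pWMF >> nX` (LE int16)
        if (pos + 2 > data.size()) { ok = false; return 0; }
        int16_t v = static_cast<int16_t>(data[pos] | (data[pos + 1] << 8));
        pos += 2;
        return v;
    }
};

struct ReadStats {
    size_t   allocated;    // points actually allocated
    uint32_t writes;       // stores the loop attempted
    uint32_t outOfBounds;  // stores that fell past the allocation
    bool     rejected;     // bounded version refused the record
};

// Mirrors the crashing code: Polygon(sal_uInt16) silently truncates the 32-bit
// nPoints, and a 16-bit loop index can never reach a bound >= 65536, so the
// loop is limited only by the stream.  Out-of-bounds stores are counted here
// instead of performed, so the model itself stays memory-safe.
ReadStats readLegacy(ByteStream& s, uint32_t nStartIndex, uint32_t nPoints) {
    std::vector<Point> aPolygon(static_cast<uint16_t>(nPoints));   // truncation
    ReadStats st{aPolygon.size(), 0, 0, false};
    for (uint16_t i = static_cast<uint16_t>(nStartIndex); i < nPoints && s.good(); i++) {
        int16_t nX = s.readI16();
        int16_t nY = s.readI16();
        if (!s.good()) break;
        st.writes++;
        if (i < aPolygon.size()) aPolygon[i] = Point{nX, nY};
        else st.outOfBounds++;             // the real code wrote past the block here
    }
    return st;
}

// Bounded rewrite: the count must fit the container's 16-bit limit, the start
// index must lie inside it, and the stream must hold every point's bytes
// before anything is allocated.  The loop index is as wide as the bound.
ReadStats readBounded(ByteStream& s, uint32_t nStartIndex, uint32_t nPoints) {
    const uint32_t kMaxPoints = 0xFFFF;
    const size_t bytesPerPoint = 2 * sizeof(int16_t);
    if (nPoints == 0 || nPoints > kMaxPoints || nStartIndex >= nPoints ||
        s.remaining() < static_cast<size_t>(nPoints - nStartIndex) * bytesPerPoint) {
        return ReadStats{0, 0, 0, true};
    }
    std::vector<Point> aPolygon(nPoints);
    ReadStats st{aPolygon.size(), 0, 0, false};
    for (uint32_t i = nStartIndex; i < nPoints && s.good(); i++) {
        int16_t nX = s.readI16();
        int16_t nY = s.readI16();
        if (!s.good()) break;
        aPolygon[i] = Point{nX, nY};       // i < nPoints == aPolygon.size()
        st.writes++;
    }
    return st;
}

// Constructed input: n little-endian (x, y) int16 pairs, x = k, y = -k.
ByteStream makeStream(size_t n) {
    ByteStream s;
    for (size_t k = 0; k < n; k++) {
        int16_t v[2] = {static_cast<int16_t>(k), static_cast<int16_t>(-static_cast<int>(k))};
        for (int16_t c : v) {
            s.data.push_back(static_cast<uint8_t>(c & 0xFF));
            s.data.push_back(static_cast<uint8_t>((c >> 8) & 0xFF));
        }
    }
    return s;
}

// The count from the gdb session: nPoints = 1073741837 = 0x4000000D.
const uint32_t kCrashPoints = 1073741837u;
uint16_t truncatedCount(uint32_t nPoints) { return static_cast<uint16_t>(nPoints); }
size_t legacyAllocBytes(uint32_t nPoints) { return truncatedCount(nPoints) * sizeof(Point); }

int main() {
    ByteStream a = makeStream(300), b = makeStream(300);
    ReadStats l = readLegacy(a, 0, kCrashPoints), h = readBounded(b, 0, kCrashPoints);
    std::printf("%u -> %u points (%zu bytes); legacy stores=%u oob=%u; bounded rejected=%d\n",
                kCrashPoints, truncatedCount(kCrashPoints), legacyAllocBytes(kCrashPoints),
                l.writes, l.outOfBounds, h.rejected);
    return 0;
}
```

With the crash value, 0x4000000D truncates to 13 points, which is the 208-byte block (13 x 16) Valgrind reports the invalid writes landing after.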
On PC Debian x86-64 with master sources updated today, I reproduce the crash.

Caolán: Valgrind/bt show the vcl part; one for you?
Created attachment 89098 [details]
extract the emf that causes the problem
Caolan McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=cdd351b1487a8a97f481a9165d9cd361aaee2ca4

Resolves: fdo#71307 out polygons are limited to 16bit point count

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=071b6681564242d418d086e5991e1dbacc3b897c&h=libreoffice-4-1

Resolves: fdo#71307 out polygons are limited to 16bit point count

It will be available in LibreOffice 4.1.4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
@Caolán Have you requested a CVE?