Created attachment 99648
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../include/c++/4.7/bits/stl_stack.h:160: error: attempt to access an element in an empty container.

Objects involved in the operation:
sequence "this" @ 0x0x61d0000cbda0 {
  type = St5stackIN5boost10shared_ptrIN12writerfilter7dmapper12FieldContextEEENSt7__debug5dequeIS5_SaIS5_EEEE;
}

Original OO file: core.ecu.edu%2Fpsyc%2Fwuenschk%2Fdocs221%30%2FResearch-3-Sampling.docx
Mutated OO file (repro file): crash_writer-2.docx
Modified XML file: word/header2.xml

Modifications:
- in tag "w:fldChar", attribute "w:fldCharType" was switched from "begin" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
- in tag "w:rStyle", attribute "w:val" was switched from "PageNumber" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
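The report above describes a std::stack being read while empty after the fldCharType "begin" value was mutated away. The following is an added example, not LibreOffice's code or the fix Caolan committed: a minimal model of a fldChar begin/separate/end handler that keeps a field-context stack (FieldContext, FieldMapper, runEvents and the event tuples are all hypothetical), showing how a missing "begin" leaves the stack empty when "separate"/"end" arrive, and how an explicit empty-stack guard turns the crash into a counted, ignored event.

```cpp
// Added example (not LibreOffice code). Assumption: the crash arises when a
// "separate"/"end" fldChar is processed with no "begin" having pushed a context.
#include <memory>
#include <stack>
#include <string>
#include <utility>
#include <vector>

struct FieldContext {
    std::string command;      // instruction text collected before "separate"
    bool separated = false;   // true once the result part of the field begins
};

class FieldMapper {
    std::stack<std::shared_ptr<FieldContext>> m_fields;  // open fields, innermost on top
public:
    int skipped = 0;   // fldChar events dropped because no field was open / value unknown

    // Handle one <w:fldChar w:fldCharType="..."/> element.
    void fldChar(const std::string& type) {
        if (type == "begin") {
            m_fields.push(std::make_shared<FieldContext>());
        } else if (type == "separate") {
            if (m_fields.empty()) { ++skipped; return; }  // guard: nothing to separate
            m_fields.top()->separated = true;
        } else if (type == "end") {
            if (m_fields.empty()) { ++skipped; return; }  // guard: would be top() on empty
            m_fields.pop();
        } else {
            ++skipped;  // mutated value such as "PPPP...": no context is pushed
        }
    }

    // Handle <w:instrText>: only meaningful while a field's command part is open.
    void instrText(const std::string& t) {
        if (!m_fields.empty() && !m_fields.top()->separated)
            m_fields.top()->command += t;
    }

    size_t openFields() const { return m_fields.size(); }
};

// Feed a constructed sequence of (kind, value) events and return the mapper state.
FieldMapper runEvents(const std::vector<std::pair<std::string, std::string>>& ev) {
    FieldMapper m;
    for (const auto& e : ev)
        if (e.first == "fldChar") m.fldChar(e.second); else m.instrText(e.second);
    return m;
}
```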
Created attachment 99649
Original file
Created attachment 99743
bt with symbols

On pc Debian x86-64 with master sources updated yesterday, I could reproduce this.
Caolan McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a392a1deb0bb55f39f0232f9b3df8ad9ac9062af

Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Is this fuzzed with a fuzzer of your own making, or something else?
The mutated file was generated with a fuzzer I wrote myself.
Caolan McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=6286b0dd97a330624d63d7be2b3efa43711984d0&h=libreoffice-4-2

Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand

It will be available in LibreOffice 4.2.7.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=3ebb09e0e7a0ca78e535d3c6721c2b87da37bd9d&h=libreoffice-4-3

Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand

It will be available in LibreOffice 4.3.3.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.