Created attachment 99650 [details]
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffbfe7e6b3 in EnhancedCustomShapeTypeNames::Get (eShapeType=<optimized out>) at /home/moggi/devel/libo7/svx/source/customshapes/EnhancedCustomShapeTypeNames.cxx:304

rax 0x800fc32eda90 140805187492496
rbx 0xf204f2f2f200f201 -1007413291367992831
rcx 0x7ffffffe0820 140737488226336
rdx 0xffffffff 4294967295
rsi 0x1001f865db52 17600648436562
rdi 0x7ffffffe0820 140737488226336
rbp 0x7ffffffe0870 0x7ffffffe0870
rsp 0x7ffffffe07a0 0x7ffffffe07a0

   0x00007fffbfe7e6af <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+447>: shr $0x3,%rsi
=> 0x00007fffbfe7e6b3 <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+451>: cmpb $0x0,0x7fff8000(%rsi)
   0x00007fffbfe7e6ba <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+458>: mov %rax,0x10(%rsp)

Original OO file: WordArt_samples.docx
Mutated OO file (repro file): crash-30909.docx
Modified XML file: word/document.xml
Modifications:
- in tag "w:pStyle", attribute "w:val" was switched from "Heading1" to "Abc123"
- in tag "v:shapetype", attribute "coordsize" was switched from "21600,21600" to "Abc123"
- in tag "v:shapetype", attribute "o:spt" was switched from "136" to "-1"
Created attachment 99651 [details]
Original file
Created attachment 99724 [details]
bt with symbols

On pc Debian x86-64 with master sources updated yesterday, I could reproduce this.
Markus: trying to unwind this bug, I started from bt, more specifically this part:

#4 0x00002aaacce8938f in SvxCustomShape::createCustomShapeDefaults (this=0x89e8a20, rValueType="-1") at /home/julien/compile-libreoffice/libreoffice/svx/source/unodraw/unoshap2.cxx:1979
#5 0x00002aaadc041352 in oox::vml::CustomShape::implConvertAndInsert (this=0x8a11c10, rxShapes=uno::Reference to (SwXDrawPage *) 0x89a9d20, rShapeRect=...) at /home/julien/compile-libreoffice/libreoffice/oox/source/vml/vmlshape.cxx:957

I tried to understand why rValueType was equal to -1, so started here:

957 xDefaulter->createCustomShapeDefaults( OUString::number( getShapeType() ) );

still in vmlshape.cxx:

146 sal_Int32 ShapeType::getShapeType() const
147 {
148     return maTypeModel.moShapeType.get( 0 );
149 }

A search in Opengrok seems to indicate moShapeType is initialized in oox/source/vml/vmlshapecontext.cxx:

288 mrTypeModel.moShapeType = rAttribs.getInteger( O_TOKEN( spt ) );

see http://opengrok.libreoffice.org/xref/core/oox/source/vml/vmlshapecontext.cxx#288

The problem is there's no control of the spt value.

I tried this:
- change type of moShapeType from OptValue< sal_Int32 > to OptValue< sal_uInt32 > (include/oox/vml/vmlshape.hxx)
- use this:
  mrTypeModel.moShapeType = rAttribs.getUnsigned( O_TOKEN( spt ) );
  instead of this:
  mrTypeModel.moShapeType = rAttribs.getInteger( O_TOKEN( spt ) );

The file can be opened without crash, but -1 is converted to 152.

Any idea?
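The pattern behind this crash (an attacker-controlled integer from the document, here the o:spt attribute, used directly as an index into a fixed-size name table) is illustrated below as an added example; it is not LibreOffice code and does not reproduce the real EnhancedCustomShapeTypeNames table or the oox attribute API. The table kShapeNames, the functions parseShapeType, lookupUnchecked and lookupChecked, and the sample attribute values are all hypothetical. The point it makes is the one raised in the comment above: switching the parse from signed to unsigned only changes which out-of-range value you get, whereas a range check against the table size rejects both "-1" and any large value before the index is ever used.

```cpp
#include <array>
#include <charconv>
#include <cstdint>
#include <optional>
#include <string_view>

// Hypothetical stand-in for an enum-indexed shape-name table. The real table
// has far more entries; only the bounds logic matters here.
constexpr std::array<const char*, 4> kShapeNames = {
    "rectangle", "ellipse", "diamond", "triangle"};

// Parse a VML attribute value as a signed 32-bit integer, the way a
// getInteger()-style accessor would. Rejects junk such as "Abc123" and
// trailing garbage; accepts "-1", which is exactly the crashing input.
std::optional<int32_t> parseShapeType(std::string_view attr) {
    int32_t value = 0;
    const char* begin = attr.data();
    const char* end = begin + attr.size();
    auto [ptr, ec] = std::from_chars(begin, end, value);
    if (ec != std::errc() || ptr != end)
        return std::nullopt;   // not a well-formed integer
    return value;
}

// Unsafe lookup mirroring the crash: the document-supplied value is used as
// an index with no range check. -1 becomes SIZE_MAX after the cast and the
// read lands far outside the table. Kept for illustration only; never call
// it with untrusted input.
const char* lookupUnchecked(int32_t type) {
    return kShapeNames[static_cast<size_t>(type)];
}

// Hardened lookup: only indices in [0, kShapeNames.size()) are accepted.
// Negative values and oversized values are both rejected by the same test,
// so there is no need to change the signedness of the parsed value.
std::optional<std::string_view> lookupChecked(int32_t type) {
    if (type < 0 || static_cast<size_t>(type) >= kShapeNames.size())
        return std::nullopt;
    return std::string_view(kShapeNames[static_cast<size_t>(type)]);
}

// Convenience: parse the attribute and resolve it in one step, returning
// nullopt for anything that is not a valid, in-range shape type.
std::optional<std::string_view> shapeNameFromAttribute(std::string_view attr) {
    auto type = parseShapeType(attr);
    if (!type)
        return std::nullopt;
    return lookupChecked(*type);
}
```

A mutation fuzzer will produce both kinds of bad value (non-numeric strings and out-of-range integers), so the caller that consumes the parsed type, not the parser, has to enforce the table bounds; the same check also covers a valid-looking but unknown positive type such as 152.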
Caolan McNamara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=65277f994ae25d930c15aebba0ed19f8de0abba1 Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-2": http://cgit.freedesktop.org/libreoffice/core/commit/?id=a2dda857b3d163a42c243566eaef9bc97e933779&h=libreoffice-4-2 Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get It will be available in LibreOffice 4.2.7. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-3": http://cgit.freedesktop.org/libreoffice/core/commit/?id=3c8eb2fe90622afce3ee935000f8f549b5d0efa7&h=libreoffice-4-3 Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get It will be available in LibreOffice 4.3.3. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.