Created attachment 99662
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

Program received signal SIGFPE, Arithmetic exception.
0x00007fffa9746e9b in SwDropCapCache::CalcFontSize (this=<optimized out>, pDrop=<optimized out>, rInf=...) at /home/moggi/devel/libo7/sw/source/core/text/txtdrop.cxx:717
rax            0xbd740             776000
rbx            0xf200f2f2f200f201  -1008539191274835455
rcx            0x7ffffffe2280      140737488233088
rdx            0x0                 0
rsi            0x10007fff4308      17594333479688
rdi            0x7ffffffe1860      140737488230496
rbp            0x7ffffffe2670      0x7ffffffe2670
rsp            0x7ffffffe18c0      0x7ffffffe18c0
   0x00007fffa9746e93 <SwDropCapCache::CalcFontSize(SwDropPortion*, SwTxtFormatInfo&)+6451>: mov 0x710(%rsp),%rcx
=> 0x00007fffa9746e9b <SwDropCapCache::CalcFontSize(SwDropPortion*, SwTxtFormatInfo&)+6459>: idivq (%rcx)
   0x00007fffa9746e9e <SwDropCapCache::CalcFontSize(SwDropPortion*, SwTxtFormatInfo&)+6462>: mov 0x738(%rsp),%rdx

Original OO file: www.asep.org%2Fasep%2Fasep%2FEvery_Day_Is_Another_Day.docx
Mutated OO file (repro file): crash-30894.docx
Modified XML file: word/styles.xml
Modifications:
- in tag "w:rFonts", attribute "w:eastAsiaTheme" was switched from "minorHAnsi" to "%s%n%s%n%s%n%s%n%s%n"
- in tag "w:sz", attribute "w:val" was switched from "22" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
- in tag "w:lsdException", attribute "w:qFormat" was switched from "1" to "0"
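The report shows an integer divide (idivq) faulting with SIGFPE after a fuzzer replaced the numeric w:sz value with letters. The example below is an added illustration of that failure pattern and of the defensive shape a fix takes; it is not LibreOffice code and not the committed patch. The function names, the "half-points" unit handling, the kMaxHalfPoints bound and the scaling formula are assumptions made for this example: a lenient strtol-style conversion turns "PPPP..." into 0, and the strict parser plus the guarded division keep that 0 away from the divisor.

```cpp
#include <cerrno>
#include <cstdlib>
#include <iostream>
#include <optional>
#include <string>

// Assumed upper bound for a plausible w:sz value (half-points); constructed
// for this example, not a value taken from the OOXML spec or LibreOffice.
constexpr long kMaxHalfPoints = 4000;

// Lenient conversion of the kind that produces the bug: std::strtol on
// "PPPPPPPP" returns 0 without any error indication, so a garbage attribute
// silently becomes a zero size.
long lenientHalfPoints(const std::string& val) {
    return std::strtol(val.c_str(), nullptr, 10);
}

// Strict parse of a w:sz-style attribute. Rejects empty input, trailing
// garbage, out-of-range numbers, zero and negatives, so the caller can fall
// back to a default instead of carrying 0 into later arithmetic.
std::optional<long> parseHalfPoints(const std::string& val) {
    if (val.empty()) return std::nullopt;
    char* end = nullptr;
    errno = 0;
    long n = std::strtol(val.c_str(), &end, 10);
    if (errno == ERANGE || end == val.c_str() || *end != '\0') return std::nullopt;
    if (n <= 0 || n > kMaxHalfPoints) return std::nullopt;
    return n;
}

// Resolve the effective size: parsed value if valid, otherwise the fallback.
long effectiveHalfPoints(const std::string& attr, long fallback) {
    return parseHalfPoints(attr).value_or(fallback);
}

// Hypothetical scaling step in the style of a drop-cap size calculation:
// scale the current font height so the rendered cap reaches wantedHeight,
// given the height the current font actually measured. The division is the
// point where a zero divisor would raise SIGFPE; it is refused up front.
std::optional<long> scaleFontHeight(long fontHeight, long wantedHeight, long measuredHeight) {
    if (fontHeight <= 0 || wantedHeight <= 0 || measuredHeight <= 0) return std::nullopt;
    return fontHeight * wantedHeight / measuredHeight;
}

int main() {
    // Constructed sample values mirroring the report: "22" is the original
    // attribute, the run of P's is the mutated one.
    const std::string good = "22";
    const std::string mutated = "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP";

    std::cout << "lenient(mutated) = " << lenientHalfPoints(mutated) << '\n';   // 0
    std::cout << "effective(good)  = " << effectiveHalfPoints(good, 24) << '\n';
    std::cout << "effective(mut.)  = " << effectiveHalfPoints(mutated, 24) << '\n';

    if (auto h = scaleFontHeight(240, 720, 360))
        std::cout << "scaled height    = " << *h << '\n';
    if (!scaleFontHeight(240, 720, 0))
        std::cout << "zero measured height refused\n";
    return 0;
}
```

The two checks together are the point: validate at the parser, where the attribute is still a string and a bad value can be replaced by a default, and re-check at the arithmetic, because a zero can also arrive from a different code path than the one the parser guards.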
Created attachment 99663
Original file
Julien Nabet committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=06afd4067f7bc321d7dd0a4e8c235b0b21e3d49a

Resolves: fdo#79139 Crash in SwDropCapCache::CalcFontSize

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
for 4.3: https://gerrit.libreoffice.org/#/c/9457/
for 4.2: https://gerrit.libreoffice.org/9458
Julien Nabet committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=9732b4a0045c1e72493f16d03f60a048d5fbfa9d&h=libreoffice-4-2

Resolves: fdo#79139 Crash in SwDropCapCache::CalcFontSize

It will be available in LibreOffice 4.2.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Julien Nabet committed a patch related to this issue.
It has been pushed to "libreoffice-4-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c172eb71bbd725d6ddca9255a288c47534bb9113&h=libreoffice-4-3

Resolves: fdo#79139 Crash in SwDropCapCache::CalcFontSize

It will be available in LibreOffice 4.3.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Thanks to Caolan's review for 4.2 and 4.3, we can put this as FIXED now.