A couple of crashes while importing malformed .doc files. According to valgrind (logs attached) they are due to stack exhaustion. Seem to be DoS only. Tested on Debian Stable.
Created attachment 109695 [details] Crasher
Created attachment 109696 [details] Valgrind log
Created attachment 109697 [details] Crasher
Created attachment 109698 [details] Valgrind log
Did you really report this bug against version 3.5.4? This version is very old and not maintained anymore. If it is the case, did you check if the problem is present in current stable versions and in master? If the problem is not present in the current versions, I fear we should close this bug report as WontFix. Set status to NEEDINFO. Please set it back to UNCONFIRMED once you have provided requested informations. Thank you for your understanding. Best regards. JBF
Yes, I really mean version 3.5.4. It is shipped with Debian Stable and is used by a sizable number of people. I understand that this version is not supported upstream, so feel free to close the bug with any resolution you like. If the crash is present in the master I think it will be tracked by crashtest automatically.
No crash in our 4-3. According to the bt the crash is in your system libwps 0.2.X (which is now at the 0.3.0 release) Perhaps there was a problem in .0.2.X which is fixed now that your distribution should look into backporting)
(In reply to Caolán McNamara from comment #7) > No crash in our 4-3. According to the bt the crash is in your system libwps > 0.2.X (which is now at the 0.3.0 release) Ah, sorry, I didn't realize libwps is a separate project. I'll look for such cases in the future. Thanks for looking into it. > Perhaps there was a problem in > .0.2.X which is fixed now that your distribution should look into > backporting) Perhaps. Thanks for adding Debian Maintainer into CC.
The reason this no longer causes a crash in libwps 0.3.x is that the code that crashed is no longer there :-) The librevenge-based versions of our import libraries require that the application's impl. of RVNGInputStream interface supports OLE2 and Zip containers, if it is needed. That means that the various *OLEStream.cpp and *ZipStream.cpp impls. in libraries (which were all copied one from another) have been dropped. There is only one instance of each remainining in librevenge (used by librevenge-stream lib). librevenge-stream can handle your samples in 0.1.2, but not in 0.1.1, which means that the problem has already been fixed by one of my afl fixes. So it would be possible to find the exact commit and replicate the changes from src/lib/RVNGOLEStream.cpp into src/lib/WPSOLEStream.cpp in libwps 0.2. (Btw, in the case anyone attempts to do this, libmwaw 0.2 needs the same fix.)
Actually, this seems to be fixed in libwps 0.2.9 already.