Bug 86448 - Crashes importing malformed .rtf -- DoS
Summary: Crashes importing malformed .rtf -- DoS
Status: RESOLVED DUPLICATE of bug 86449
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage
Version (earliest affected): 3.5.4 release
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Not Assigned
Reported: 2014-11-19 00:41 UTC by Alexander Cherepanov
Modified: 2014-11-19 12:36 UTC
CC List: 1 user

Attachments
- Crasher (19.78 KB, application/rtf), 2014-11-19 00:42 UTC, Alexander Cherepanov
- Valgrind log (19.46 KB, text/x-log), 2014-11-19 00:42 UTC, Alexander Cherepanov
- Crasher (19.78 KB, application/rtf), 2014-11-19 00:42 UTC, Alexander Cherepanov
- Valgrind log (18.22 KB, text/x-log), 2014-11-19 00:43 UTC, Alexander Cherepanov

Description Alexander Cherepanov 2014-11-19 00:41:39 UTC
A couple of crashes while importing malformed .rtf files. According to valgrind (logs attached) they are due to a null pointer deref (but note "Use of uninitialised value" too). They seem to be DoS only.
Tested on Debian Stable.
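The report above rests on reading the attached valgrind logs: a faulting address at or near zero points to a null pointer dereference (a crash, so DoS only), while an invalid access at a real heap address would suggest memory corruption worth a closer look. The following is an added triage helper, not LibreOffice's code and not the reporter's logs: it splits memcheck output into error records, classifies each by its header line, and flags faulting addresses below the first page as null dereferences. The sample log, frame names and addresses are constructed for illustration, and the page-size threshold is a heuristic.

```python
"""Triage helper for valgrind memcheck logs from a crashing file importer.

Added example, not LibreOffice tooling. Classifies each memcheck error
record by its header line and treats faulting addresses below the first
page as null-pointer dereferences (plain crash, DoS only) rather than
heap corruption. Thresholds and the sample log are constructed.
"""
import re
from collections import Counter

# Constructed sample in memcheck's format; the frames and addresses are
# made up, not taken from the bug's attached logs.
SAMPLE_LOG = """\
==4242== Memcheck, a memory error detector
==4242== Command: ./soffice fdo86448.rtf
==4242==
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x5A1B2C3: parse_control_word (rtfparser.cxx:120)
==4242==    by 0x5A1B400: parse_group (rtfparser.cxx:310)
==4242==
==4242== Invalid read of size 8
==4242==    at 0x5A1C000: apply_property (rtfimport.cxx:88)
==4242==    by 0x5A1B400: parse_group (rtfparser.cxx:310)
==4242==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==4242==
==4242== Process terminating with default action of signal 11 (SIGSEGV)
==4242==  Access not within mapped region at address 0x10
==4242==    at 0x5A1C000: apply_property (rtfimport.cxx:88)
==4242==
==4242== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==\s?")
NULL_PAGE_LIMIT = 0x1000  # heuristic: below the first page means NULL + small offset

# Header patterns for the memcheck record kinds this helper distinguishes.
HEADERS = {
    "uninit": re.compile(r"depends on uninitialised value|Use of uninitialised value"),
    "invalid_access": re.compile(r"^Invalid (read|write) of size"),
    "fatal_signal": re.compile(r"^Process terminating with default action of signal"),
    "invalid_free": re.compile(r"^Invalid free|Mismatched free"),
}
ADDR = re.compile(r"[Aa]ddress (0x[0-9a-fA-F]+)")


def split_records(log):
    """Yield one list of lines per memcheck record (blank ==pid== lines separate them)."""
    record = []
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if line.strip() == "":
            if record:
                yield record
                record = []
        else:
            record.append(line)
    if record:
        yield record


def classify(record):
    """Return (kind, faulting address or None) for an error record, else None."""
    header = record[0].strip()
    for kind, pattern in HEADERS.items():
        if pattern.search(header):
            addr = None
            for line in record:
                m = ADDR.search(line)
                if m:
                    addr = int(m.group(1), 16)
                    break
            return kind, addr
    return None


def triage(log):
    """Summarise a memcheck log: per-kind counts plus a heuristic verdict."""
    counts = Counter()
    null_derefs = 0
    other_addrs = []
    for record in split_records(log):
        hit = classify(record)
        if hit is None:
            continue
        kind, addr = hit
        counts[kind] += 1
        if kind in ("invalid_access", "fatal_signal") and addr is not None:
            if addr < NULL_PAGE_LIMIT:
                null_derefs += 1
            else:
                other_addrs.append(addr)
    if other_addrs or counts["invalid_free"]:
        verdict = "possible memory corruption: review before calling it DoS-only"
    elif null_derefs:
        verdict = "null pointer dereference: likely DoS-only"
    elif counts["uninit"]:
        verdict = "uninitialised reads only: no crash seen, still worth fixing"
    else:
        verdict = "no memcheck errors found"
    return {"counts": dict(counts), "null_derefs": null_derefs,
            "other_addrs": other_addrs, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

To use it on a real run, point `triage()` at the file produced by something like `valgrind --log-file=vg.log soffice --headless --convert-to pdf crasher.rtf` (the `--headless`/`--convert-to` flags avoid the GUI; `--log-file` is valgrind's). The "uninitialised value" records are reported separately because, as the description notes, they sit alongside the null dereference and can hide a second, different bug.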
Comment 1 Alexander Cherepanov 2014-11-19 00:42:06 UTC
Created attachment 109701 [details]
Crasher
Comment 2 Alexander Cherepanov 2014-11-19 00:42:26 UTC
Created attachment 109702 [details]
Valgrind log
Comment 3 Alexander Cherepanov 2014-11-19 00:42:45 UTC
Created attachment 109703 [details]
Crasher
Comment 4 Alexander Cherepanov 2014-11-19 00:43:02 UTC
Created attachment 109704 [details]
Valgrind log
Comment 5 Miklos Vajna 2014-11-19 08:39:38 UTC
'OOO_EXIT_POST_STARTUP=1 ./soffice fdo86448.rtf' hangs here on master, but it does not crash.
Comment 6 Caolán McNamara 2014-11-19 12:36:24 UTC
This crashes in 4-3 for me. The fix for bug 86449 also fixes it there, so setting it as a dup of that. I don't see a hang in master btw.

*** This bug has been marked as a duplicate of bug 86449 ***