86449 – Crash importing malformed .rtf

Bug 86449 - Crash importing malformed .rtf

Summary: Crash importing malformed .rtf

Status:	RESOLVED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	filters and storage (show other bugs)
Version: (earliest affected)	3.5.4 release
Hardware:	x86-64 (AMD64) Linux (All)

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:	target:4.4.0 target:4.3.5
Keywords:

Duplicates (1):	86448 (view as bug list)
Depends on:
Blocks:

Reported:	2014-11-19 00:49 UTC by Alexander Cherepanov
Modified:	2019-10-02 05:57 UTC (History)
CC List:	3 users (show)

See Also:
Crash report or crash signature:

Attachments
Crasher (19.78 KB, application/rtf) 2014-11-19 00:50 UTC, Alexander Cherepanov	Details
Valgrind log (117.70 KB, text/x-log) 2014-11-19 00:50 UTC, Alexander Cherepanov	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Cherepanov 2014-11-19 00:49:41 UTC

Crash while importing malformed .rtf file. According to valgrind (log attached) there are several invalid writes, including near malloc'd block. Seems to be potentially exploitable.
Tested on Debian Stable.

Comment 1 Alexander Cherepanov 2014-11-19 00:50:15 UTC

Created attachment 109705 [details]
Crasher

Comment 2 Alexander Cherepanov 2014-11-19 00:50:35 UTC

Created attachment 109706 [details]
Valgrind log

Comment 3 Jean-Baptiste Faure 2014-11-19 05:44:41 UTC

Did you really report this bug against version 3.5.4? This version is very old and not maintained anymore. If it is the case, did you check if the problem is present in current stable versions and in master? If the problem is not present in the current versions, I fear we should close this bug report as WontFix.

Set status to NEEDINFO. Please set it back to UNCONFIRMED once you have provided requested informations. Thank you for your understanding.

Best regards. JBF

Comment 4 Miklos Vajna 2014-11-19 08:41:36 UTC

No crash on master, FWIW.

Comment 5 Caolán McNamara 2014-11-19 12:26:19 UTC

http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3 commit bot seems busted, so adding this manually

Comment 6 Caolán McNamara 2014-11-19 12:36:24 UTC

*** Bug 86448 has been marked as a duplicate of this bug. ***

Comment 7 Caolán McNamara 2014-11-26 14:38:35 UTC

Bah, I meant http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3&id=b4840d3632e4404bee4bd192a7db916cbad3a401

Comment 8 Shawn 2019-06-05 04:24:40 UTC Comment hidden (spam)

This might be the possible sol to the .rtf problem, but I'm not completely sure.
https://www.youtube.com/watch?v=Ty99PDGnyRI

Comment 9 Xisco Faulí 2019-06-05 10:27:42 UTC

Moving to UNCONFIRMED by a spammer. putting it back to RESOLVED FIXED

Comment 10 blane3503 2019-09-24 03:08:19 UTC Comment hidden (spam)

<h1>Hi</h1>

Comment 11 DwightBayles 2019-10-02 05:57:59 UTC Comment hidden (spam)

This means a conflict with the OS version. You can freeze the program until a new update is released. It should fix crashes.

https://essaytyper.pro/