Bug 86451 - Crash importing malformed .rtf
Summary: Crash importing malformed .rtf
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage
Version: 3.5.4 release (earliest affected)
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Not Assigned
Whiteboard: target:4.4.0 target:4.3.5
Reported: 2014-11-19 00:54 UTC by Alexander Cherepanov
Modified: 2014-11-19 17:05 UTC
Attachments
Crasher (19.78 KB, application/rtf), 2014-11-19 00:55 UTC, Alexander Cherepanov
Valgrind log (17.90 KB, text/x-log), 2014-11-19 00:55 UTC, Alexander Cherepanov
Crasher (19.78 KB, application/rtf), 2014-11-19 00:55 UTC, Alexander Cherepanov
Valgrind log (18.83 KB, text/x-log), 2014-11-19 00:56 UTC, Alexander Cherepanov

Description Alexander Cherepanov 2014-11-19 00:54:48 UTC
A couple of crashes while importing malformed .rtf files. According to valgrind (log attached) they are due to invalid reads at high addresses. DoS only?
Tested on Debian Stable.
Comment 1 Alexander Cherepanov 2014-11-19 00:55:12 UTC
Created attachment 109708: Crasher
Comment 2 Alexander Cherepanov 2014-11-19 00:55:29 UTC
Created attachment 109709: Valgrind log
Comment 3 Alexander Cherepanov 2014-11-19 00:55:44 UTC
Created attachment 109710: Crasher
Comment 4 Alexander Cherepanov 2014-11-19 00:56:00 UTC
Created attachment 109711: Valgrind log
Comment 5 Jean-Baptiste Faure 2014-11-19 05:45:16 UTC
Did you really report this bug against version 3.5.4? This version is very old and not maintained anymore. If it is the case, did you check if the problem is present in current stable versions and in master? If the problem is not present in the current versions, I fear we should close this bug report as WontFix.

Set status to NEEDINFO. Please set it back to UNCONFIRMED once you have provided the requested information. Thank you for your understanding.

Best regards. JBF
Comment 6 Miklos Vajna 2014-11-19 08:43:14 UTC
Yes, this is still an issue on master.
Comment 7 Commit Notification 2014-11-19 12:13:18 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=185dae1969bb463ae1be8ea46a7780efa32372f5

Resolves: fdo#86451 guard all the tops post pop

It will be available in 4.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 8 Caolán McNamara 2014-11-19 12:27:56 UTC
brute force fix resolves this
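
The commit subject in comment 7, "guard all the tops post pop", names a stack-handling pattern: check that a state stack is non-empty before reading its top after a pop. The block below is an added illustration of that pattern, not the LibreOffice patch or any code from this bug; it assumes the subject refers to a per-group state stack, and `GroupState`, `ParseResult`, `parseGroups` and the inputs are hypothetical and constructed.

```cpp
#include <cstddef>
#include <stack>
#include <string>

// Hypothetical per-group state; a real importer tracks far more per group.
struct GroupState { bool bold = false; };

enum class ParseResult { Ok, NoOpenGroup, UnclosedGroup };

// Tracks RTF groups: '{' pushes a copy of the current state, '}' pops it.
// std::stack::top() on an empty stack is undefined behaviour, so every
// access that can follow a pop is guarded by an empty() check.
ParseResult parseGroups(const std::string& rtf, bool& restoredBold)
{
    std::stack<GroupState> states;
    restoredBold = false;
    for (std::size_t i = 0; i < rtf.size(); ++i)
    {
        if (rtf[i] == '{')
        {
            // A nested group inherits the enclosing group's state.
            states.push(states.empty() ? GroupState{} : states.top());
        }
        else if (rtf[i] == '}')
        {
            if (states.empty())
                return ParseResult::NoOpenGroup;   // stray '}' in malformed input
            states.pop();
            if (!states.empty())                   // guard the top() after the pop
                restoredBold = states.top().bold;
        }
        else if (rtf.compare(i, 3, "\\b ") == 0)
        {
            if (states.empty())
                return ParseResult::NoOpenGroup;   // control word after the last '}'
            states.top().bold = true;
            i += 2;                                // skip the rest of the control word
        }
    }
    return states.empty() ? ParseResult::Ok : ParseResult::UnclosedGroup;
}
```

Without the two `empty()` checks, the constructed inputs `{x}}` and `{x}\b ` would reach `pop()` or `top()` on an empty stack, which is the kind of invalid read a tool such as valgrind reports.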