Bug 86907 - [Rollit fuzzer]: Calc crashes with invalid memory read
Summary: [Rollit fuzzer]: Calc crashes with invalid memory read
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version (earliest affected): 4.3.3.2 release
Hardware: x86-64 (AMD64) Linux (All)
Importance: highest normal
Assignee: Caolán McNamara
URL:
Whiteboard: BSA target:4.3.5
Keywords: regression
Depends on:
Blocks:
 
Reported: 2014-12-01 14:46 UTC by Pedro Ribeiro
Modified: 2015-04-25 15:40 UTC
CC List: 2 users

See Also:
Crash report or crash signature:


Attachments
Fuzzed file causing the invalid read (57.50 KB, application/vnd.ms-excel)
2014-12-01 14:46 UTC, Pedro Ribeiro
Fuzzed file causing the invalid read (57.50 KB, application/vnd.ms-excel)
2014-12-01 14:46 UTC, Pedro Ribeiro

Description Pedro Ribeiro 2014-12-01 14:46:01 UTC
Created attachment 110301 [details]
Fuzzed file causing the invalid read

The attached file causes Calc to crash after several invalid memory reads of size 8. [1] shows the stack trace when attached to valgrind, and [2] when attached to gdb.
Note that the fault is in an external library (MDDS) so LibreOffice might be innocent depending on how the library is being used. I'm using MDDS 0.11.1, which is the latest version.

To reproduce, open the file and click OK on the "This document contains macros" pop-up. The application will terminate with
terminate called after throwing an instance of 'std::out_of_range'
  what():  multi_type_vector::get_block_position#673: block position not found! (logical pos=18446744073709551615, block size=0, logical size=176)

This bug was found with the Rollit fuzzer.

[1]
testdebian@debian:~/tmp$ valgrind --vgdb=yes --vgdb-error=0 /usr/lib/libreoffice/program/soffice.bin ../842168558/invalid-read-fuzzed.xls 
==3110== Memcheck, a memory error detector
==3110== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3110== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==3110== Command: /usr/lib/libreoffice/program/soffice.bin ../842168558/poss-safe-exception-fuzzed.xls
==3110== 
==3110== (action at startup) vgdb me ... 
==3110== 
==3110== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==3110==   /path/to/gdb /usr/lib/libreoffice/program/soffice.bin
==3110== and then give GDB the following command
==3110==   target remote | /usr/lib/valgrind/../../bin/vgdb --pid=3110
==3110== --pid is optional if only one valgrind process is running
==3110== 
==3110== Warning: invalid file descriptor -1 in syscall close()
==3110== Invalid read of size 8
==3110==    at 0x1F7744E8: __normal_iterator (stl_iterator.h:729)
==3110==    by 0x1F7744E8: end (stl_vector.h:566)
==3110==    by 0x1F7744E8: begin (multi_type_vector_def.inl:139)
==3110==    by 0x1F7744E8: ScColumn::InterpretDirtyCells(int, int) (column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int) (table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&) [clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool) (tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*) (dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*) (viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*) (app.cxx:344)
==3110==    by 0x7C4F727: SfxViewFrame::MakeActive_Impl(bool) (viewfrm.cxx:1784)
==3110==    by 0x7C48414: SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame) (sfxbasecontroller.cxx:1316)
==3110==  Address 0x1c6e7ff8 is 16 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*) (gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC: FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const (gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C: X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const (font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*, rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus() [clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int) (splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F7744FF: __normal_iterator (stl_iterator.h:729)
==3110==    by 0x1F7744FF: begin (stl_vector.h:548)
==3110==    by 0x1F7744FF: begin (multi_type_vector_def.inl:139)
==3110==    by 0x1F7744FF: ScColumn::InterpretDirtyCells(int, int) (column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int) (table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&) [clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool) (tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*) (dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*) (viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*) (app.cxx:344)
==3110==    by 0x7C4F727: SfxViewFrame::MakeActive_Impl(bool) (viewfrm.cxx:1784)
==3110==    by 0x7C48414: SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame) (sfxbasecontroller.cxx:1316)
==3110==  Address 0x1c6e7ff0 is 8 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*) (gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC: FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const (gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C: X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const (font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*, rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus() [clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int) (splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F71C734: mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::get_block_position(mdds::__mtv::const_iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::const_iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> >, mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> > > > const&, unsigned long, unsigned long&, unsigned long&) const (multi_type_vector_def.inl:649)
==3110==    by 0x1F74606B: mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::position(mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> > > const&, unsigned long) (multi_type_vector_def.inl:1324)
==3110==    by 0x1F774582: ProcessElements1<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell>, DirtyCellInterpreter, sc::FuncElseNoOp<long unsigned int> > (mtvfunctions.hxx:327)
==3110==    by 0x1F774582: ProcessFormula<DirtyCellInterpreter> (mtvcellfunc.hxx:32)
==3110==    by 0x1F774582: ScColumn::InterpretDirtyCells(int, int) (column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int) (table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&) [clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool) (tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*) (dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*) (viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*) (app.cxx:344)
==3110==  Address 0x1c6e7ff8 is 16 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*) (gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC: FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const (gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C: X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const (font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*, rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus() [clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int) (splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F71C758: mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::get_block_position(mdds::__mtv::const_iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::const_iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> >, mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> > > > const&, unsigned long, unsigned long&, unsigned long&) const (multi_type_vector_def.inl:665)
==3110==    by 0x1F74606B: mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::position(mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> > > const&, unsigned long) (multi_type_vector_def.inl:1324)
==3110==    by 0x1F774582: ProcessElements1<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell>, DirtyCellInterpreter, sc::FuncElseNoOp<long unsigned int> > (mtvfunctions.hxx:327)
==3110==    by 0x1F774582: ProcessFormula<DirtyCellInterpreter> (mtvcellfunc.hxx:32)
==3110==    by 0x1F774582: ScColumn::InterpretDirtyCells(int, int) (column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int) (table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&) [clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool) (tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*) (dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*) (viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*) (app.cxx:344)
==3110==  Address 0x1c6e7ff0 is 8 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*) (gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC: FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const (gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C: X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const (font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*, rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus() [clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int) (splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F71C798: mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::get_block_position(mdds::__mtv::const_iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::const_iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> >, mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> > > > const&, unsigned long, unsigned long&, unsigned long&) const (multi_type_vector_def.inl:673)
==3110==    by 0x1F74606B: mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::position(mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >::iterator_trait, mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned long, mdds::mtv::base_element_block> > > const&, unsigned long) (multi_type_vector_def.inl:1324)
==3110==    by 0x1F774582: ProcessElements1<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52, svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53, EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell> > >, mdds::mtv::noncopyable_managed_element_block<54, ScFormulaCell>, DirtyCellInterpreter, sc::FuncElseNoOp<long unsigned int> > (mtvfunctions.hxx:327)
==3110==    by 0x1F774582: ProcessFormula<DirtyCellInterpreter> (mtvcellfunc.hxx:32)
==3110==    by 0x1F774582: ScColumn::InterpretDirtyCells(int, int) (column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int) (table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&) [clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool) (tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*) (dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*) (viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*) (app.cxx:344)
==3110==  Address 0x1c6e8008 is 24 bytes after a block of size 112 in arena "client"
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
terminate called after throwing an instance of 'std::out_of_range'
  what():  multi_type_vector::get_block_position#673: block position not found! (logical pos=18446744073709551615, block size=1, logical size=1048576)
==3110== 
==3110== HEAP SUMMARY:
==3110==     in use at exit: 17,223,039 bytes in 265,343 blocks
==3110==   total heap usage: 1,090,893 allocs, 825,550 frees, 119,699,214 bytes allocated
==3110== 
==3110== LEAK SUMMARY:
==3110==    definitely lost: 14,352 bytes in 23 blocks
==3110==    indirectly lost: 26,877 bytes in 852 blocks
==3110==      possibly lost: 3,635,161 bytes in 64,863 blocks
==3110==    still reachable: 13,546,649 bytes in 199,605 blocks
==3110==         suppressed: 0 bytes in 0 blocks
==3110== Rerun with --leak-check=full to see details of leaked memory
==3110== 
==3110== For counts of detected and suppressed errors, rerun with: -v
==3110== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)


[2]
#0  iterator_common_base (block_index=0, start_pos=0, end=..., pos=..., this=0x7fffffffbde0) at /usr/include/mdds/multi_type_vector_itr.hpp:152
#1  iterator_base (block_index=0, start_pos=0, end=..., pos=..., this=0x7fffffffbde0) at /usr/include/mdds/multi_type_vector_itr.hpp:271
#2  begin (this=0x14afc30) at /usr/include/mdds/multi_type_vector_def.inl:139
#3  ScColumn::InterpretDirtyCells (this=0x14afbd0, nRow1=nRow1@entry=-1, nRow2=nRow2@entry=45)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/column3.cxx:105
#4  0x00007fffd34dff8f in ScTable::InterpretDirtyCells (this=0x14afc70, nCol1=<optimized out>, nRow1=-1, nCol2=-1, nRow2=45)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/table1.cxx:2244
#5  0x00007fffd340f351 in ScDocument::InterpretDirtyCells (this=0x1387980, rRanges=...)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/document.cxx:3650
#6  0x00007fffd3410c95 in ScDocument::InterpretDirtyCells (this=<optimized out>, rRanges=...)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/document.cxx:3635
#7  0x00007fffd3af94b7 in ScTabView::InterpretVisible (this=this@entry=0x15bcc08)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview4.cxx:491
#8  0x00007fffd3af677e in ScTabView::ZoomChanged (this=this@entry=0x15bcc08)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview3.cxx:2620
#9  0x00007fffd3af9df7 in ScTabView::RefreshZoom (this=this@entry=0x15bcc08)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview5.cxx:387
#10 0x00007fffd3af5cf9 in ScTabView::SetTabNo (this=this@entry=0x15bcc08, nTab=1, bNew=bNew@entry=true, bExtendSelection=<optimized out>, 
    bExtendSelection@entry=false, bSameTabButMoved=bSameTabButMoved@entry=false)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview3.cxx:1667
#11 0x00007fffd3b02afc in ScTabViewShell::Activate (this=0x15bcb40, bMDI=<optimized out>)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabvwsh4.cxx:177
#12 0x00007ffff510ac7b in SfxDispatcher::DoActivate_Impl (this=0x17c5be0, bMDI=true)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/control/dispatch.cxx:746
#13 0x00007ffff50de054 in SfxViewFrame::DoActivate (this=this@entry=0x1644df0, bUI=bUI@entry=true, pOldFrame=pOldFrame@entry=0x0)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/viewfrm.cxx:1143
#14 0x00007ffff4dbc997 in SfxApplication::SetViewFrame_Impl (this=0x10ca770, pFrame=pFrame@entry=0x1644df0)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/appl/app.cxx:344
#15 0x00007ffff50df5c5 in SfxViewFrame::SetViewFrame (pFrame=pFrame@entry=0x1644df0)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/viewfrm.cxx:3285
#16 0x00007ffff50df728 in SfxViewFrame::MakeActive_Impl (this=0x1644df0, bGrabFocus=<optimized out>)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/viewfrm.cxx:1784
#17 0x00007ffff50d8415 in SfxBaseController::ConnectSfxFrame_Impl (this=0x15c08a0, i_eConnect=(unknown: 4294951968))
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/sfxbasecontroller.cxx:1316
#18 0x00007ffff50da040 in SfxBaseController::attachFrame (this=0x15c08a0, xFrame=uno::Reference to ((anonymous namespace)::Frame *) 0x12a20e8)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/sfxbasecontroller.cxx:570
#19 0x00007ffff50c7e19 in impl_createDocumentView (this=<optimized out>, i_rViewName=..., i_rViewFactoryArgs=..., i_rFrame=..., i_rModel=...)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/frmload.cxx:608
#20 (anonymous namespace)::SfxFrameLoader_Impl::load (this=0x15c08c8, rArgs=uno::Sequence of length 32767 = {...}, 
    _rTargetFrame=<error reading variable: Cannot access memory at address 0x2d>)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/frmload.cxx:726
#21 0x00007fffe1c9a985 in framework::LoadEnv::impl_loadContent (this=0x121bdf0)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/loadenv/loadenv.cxx:1125
#22 0x00007fffe1c9b1ae in framework::LoadEnv::startLoading (this=this@entry=0x121bdf0)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/loadenv/loadenv.cxx:386
#23 0x00007fffe1c1aea8 in framework::LoadDispatcher::impl_dispatch (this=0x121bd90, rURL=..., lArguments=uno::Sequence of length 4 = {...}, 
    xListener=empty uno::Reference) at /build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/dispatch/loaddispatcher.cxx:115
#24 0x00007fffe1c1bcd8 in framework::LoadDispatcher::dispatchWithReturnValue (this=<optimized out>, rURL=..., lArguments=...)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/dispatch/loaddispatcher.cxx:62
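The exception quoted in the description is the mdds container rejecting logical pos 18446744073709551615, which is what the nRow1=-1 visible in frame #3 of [2] becomes once it is converted to size_t. The following C++ model of that conversion, and of the range check that keeps such a value out of the column store, is an added example written here and is not LibreOffice or mdds code; ToyColumnStore, kMaxRowCount, is_valid_row_range and the *_accepts helpers are assumed names.

```cpp
// Added example, not LibreOffice or mdds code: a toy model of why a signed
// row index of -1 reaches the column store as logical pos
// 18446744073709551615, and the range check that keeps it out.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Calc 4.x sheets have 1048576 rows; this matches "logical size=1048576" in
// the valgrind run. Assumed name for this example.
constexpr std::size_t kMaxRowCount = 1048576;

// Stand-in for mdds::multi_type_vector (assumed name). Like the real container
// it is addressed by an unsigned logical position and throws std::out_of_range
// when that position lies beyond its logical size.
struct ToyColumnStore {
    std::size_t logical_size = kMaxRowCount;

    // Modelled after get_block_position: block index for a logical position,
    // or an exception whose message has the same shape as the one reported.
    std::size_t get_block_position(std::size_t pos) const {
        if (pos >= logical_size) {
            throw std::out_of_range(
                "multi_type_vector::get_block_position: block position not found! "
                "(logical pos=" + std::to_string(pos) +
                ", block size=1, logical size=" + std::to_string(logical_size) + ")");
        }
        return 0;  // the toy store is a single block
    }
};

// The conversion the unguarded call path performs: int -> size_t.
// On LP64 (x86-64 Linux, as in the report) -1 becomes SIZE_MAX, i.e.
// 18446744073709551615, the "logical pos" printed by the exception.
std::size_t to_logical_pos(int nRow) {
    return static_cast<std::size_t>(nRow);
}

// Unguarded path, as in the gdb trace (nRow1=-1, nRow2=45): the negative row
// is handed straight to the store and the exception propagates to terminate().
// Returns true if the store accepted the position, false if it threw.
bool unguarded_accepts(int nRow1, int nRow2) {
    (void)nRow2;  // only the start row matters for the failure shown
    ToyColumnStore store;
    try {
        store.get_block_position(to_logical_pos(nRow1));
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// Validation a caller should apply before touching the store: rows must be
// non-negative, ordered, and inside the sheet. Assumed helper name.
bool is_valid_row_range(int nRow1, int nRow2) {
    return nRow1 >= 0 && nRow2 >= nRow1 &&
           static_cast<std::size_t>(nRow2) < kMaxRowCount;
}

// Guarded path: a range that fails validation is rejected up front, so a
// fuzzed -1 never turns into SIZE_MAX. Returns true only for processed ranges.
bool guarded_accepts(int nRow1, int nRow2) {
    if (!is_valid_row_range(nRow1, nRow2))
        return false;
    ToyColumnStore store;
    store.get_block_position(to_logical_pos(nRow1));  // in range, cannot throw
    return true;
}

int main() {
    std::cout << "to_logical_pos(-1) = " << to_logical_pos(-1) << '\n';
    std::cout << "unguarded(-1, 45) accepted: " << unguarded_accepts(-1, 45) << '\n';
    std::cout << "guarded(-1, 45) accepted:   " << guarded_accepts(-1, 45) << '\n';
    std::cout << "guarded(0, 45) accepted:    " << guarded_accepts(0, 45) << '\n';
    return 0;
}
```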
Comment 1 Pedro Ribeiro 2014-12-01 14:46:39 UTC
Created attachment 110302 [details]
Fuzzed file causing the invalid read
Comment 2 raal 2014-12-01 16:42:13 UTC
I can confirm crash with Version: 4.5.0.0.alpha0+
Build ID: 90fe751ab381cf59e87b79d921b3773567774af2
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time: 2014-11-27_06:13:34

No crash with LO 3.5, regression
Comment 3 Julien Nabet 2014-12-01 21:55:10 UTC
Just for the record, on pc Debian x86-64 with 4.3 sources updated less than 1 week ago, I could reproduce the crash.
However with master sources updated yesterday, I didn't reproduce it.
Comment 4 Caolán McNamara 2014-12-07 21:34:17 UTC
Looks like the one we fixed recently
Comment 5 Pedro Ribeiro 2014-12-07 23:10:07 UTC
Hi Caolán,
This is part of a series of bugs I've found fuzzing. Most of them appear to have been fixed in later versions, and this should be different from the one I discussed with you directly (if that is what you are referring to).

Anyway, it seems fixed now.