Bug 87977 - FILEOPEN: embedded DOCX object in DOCX causing crash when double-clicking on it
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 4.3.2.1 rc
Hardware: x86-64 (AMD64) All
Importance: high major
Assignee: Not Assigned
Whiteboard: target:4.4.3 target:5.4.0 target:5.3....
Keywords: bibisected, bisected, haveBacktrace, regression
Reported: 2015-01-02 17:43 UTC by Buovjaga
Modified: 2016-12-20 05:16 UTC

Attachments
DOCX causing crash (confidential contents stripped) (70.35 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2015-01-02 17:43 UTC, Buovjaga
gdbtrace (5.62 KB, application/gzip)
2015-01-02 18:05 UTC, raal

Description Buovjaga 2015-01-02 17:43:34 UTC
Created attachment 111665 [details]
DOCX causing crash (confidential contents stripped)

Steps to reproduce:
1. Open attached document.
2. Double-click the lower object, labeled Object 1, which is displaying a plug symbol (in Linux) or a strange violet symbol (on Windows).
3. Observe crash.

In Windows, I get a Fatal Error dialog with 'Access violation - no RTTI data!'.
With version 4.5 on Linux, the document crashed on opening.

Document was confidential, but I managed to bisect its xml and file contents to the bare minimum while retaining the crashy behavior.

I have to say that the original document was "more crashy", in that one did not have to click the plug object. It was enough to simply wait for a bit.

The problem resides inside the embedded .docx, specifically in the footer and header .xmls.
I could not pinpoint the problem to a certain header or footer xml, but had to keep them all.

Originally noticed on 4.3.4. Now tested on:

Win 7 64-bit:

4.3.5.2

and

Version: 4.5.0.0.alpha0+
Build ID: 57626f2132f73e4e42b31e364b25c5867336e718
TinderBox: Win-x86@42, Branch:master, Time: 2014-12-26_09:26:33

Ubuntu 14.10 64-bit:

Version: 4.5.0.0.alpha0+
Build ID: f92183833fa569006602ac7e93c906d2094e0d4d
TinderBox: Linux-rpm_deb-x86_64@46-TDF-dbg, Branch:master, Time: 2014-12-14_00:21:45

and

Version: 4.3.3.2
Build ID: 430m0(Build:2)
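
Added example, not part of the original report and not LibreOffice code: a Python triage sketch that walks a DOCX package, follows nested packages under `word/embeddings/`, and lists the header and footer parts inside each embedded document, which is where the reporter located the problem. The sample package, its part names, the size cap and the depth limit are constructed assumptions.

```python
import io
import zipfile

MAX_PART_SIZE = 50 * 1024 * 1024  # assumed cap on a part's declared size

def make_package(parts):
    """Build a ZIP package in memory from {part name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

def embedded_headers_footers(data, path="(top level)", depth=0, max_depth=4):
    """Return [(package path, sorted header/footer parts)] per embedded package."""
    found = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return found  # too deep, or an OLE/binary embedding rather than a ZIP
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if depth > 0:  # report only packages that are themselves embedded
            parts = sorted(n for n in names
                           if n.startswith(("word/header", "word/footer"))
                           and n.endswith(".xml"))
            found.append((path, parts))
        for name in names:
            if not name.startswith("word/embeddings/"):
                continue
            if zf.getinfo(name).file_size > MAX_PART_SIZE:
                continue  # skip oversized parts instead of inflating them
            found += embedded_headers_footers(
                zf.read(name), f"{path} -> {name}", depth + 1, max_depth)
    return found

def build_sample():
    """Constructed sample: outer DOCX with one embedded DOCX and one OLE blob."""
    inner = make_package({n: b"<xml/>" for n in (
        "word/document.xml", "word/header1.xml",
        "word/footer1.xml", "word/footer2.xml")})
    return make_package({
        "word/document.xml": b"<xml/>",
        "word/header1.xml": b"<xml/>",
        "word/embeddings/Microsoft_Word_Document1.docx": inner,
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,
    })

if __name__ == "__main__":
    for pkg, parts in embedded_headers_footers(build_sample()):
        print(pkg, parts)
```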
Comment 1 raal 2015-01-02 18:04:51 UTC
I can confirm with Version: 4.5.0.0.alpha0+
Build ID: 7f476fea47f06a7f8cc961dd4f6595a524346fa5
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time: 2014-12-27_23:36:28

The document crashed on opening.
Comment 2 raal 2015-01-02 18:05:10 UTC
Created attachment 111667 [details]
gdbtrace
Comment 3 Robinson Tryon (qubit) 2015-01-02 18:10:39 UTC
(In reply to raal from comment #1)
> I can confirm with Version: 4.5.0.0.alpha0+
> Build ID: 7f476fea47f06a7f8cc961dd4f6595a524346fa5
> TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time:
> 2014-12-27_23:36:28
> 
> The document crashed on opening.

Status -> NEW
Comment 4 Matthew Francis 2015-03-31 08:59:02 UTC
This was introduced in:

    source-hash-41aa970b3120837ca9cadb12997a53ad322145a4
    
    commit 41aa970b3120837ca9cadb12997a53ad322145a4
    Author:     Miklos Vajna <vmiklos@collabora.co.uk>
    AuthorDate: Wed Aug 27 15:24:37 2014 +0200
    Commit:     Miklos Vajna <vmiklos@collabora.co.uk>
    CommitDate: Wed Aug 27 15:34:41 2014 +0200
    
        DOCX import: fix handling of embedded DOCX files


And fixed in 4.5 master in:

    commit 162c72d64077d9e0dae820d881ce2b56a5b2040c
    Author:     Caolán McNamara <caolanm@redhat.com>
    AuthorDate: Fri Jan 23 13:17:39 2015 +0000
    Commit:     Caolán McNamara <caolanm@redhat.com>
    CommitDate: Fri Jan 23 13:55:06 2015 +0000
    
        Related: fdo#78599 ensure RegisterFormat is called before SetModified
Comment 5 Caolán McNamara 2015-03-31 15:30:40 UTC
https://gerrit.libreoffice.org/15095
Comment 6 Commit Notification 2015-04-01 07:29:00 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=501be50b5de178d6ae1047e1ba4bf144e248eb81&h=libreoffice-4-4

Resolves: fdo#87977 ensure RegisterFormat is called before SetModified

It will be available in 4.4.3.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 7 Timur 2015-04-03 15:21:40 UTC
I change version to 4.3.2.1.
Thank you for writing about the possibility of backporting to 4.3.
Comment 8 Robinson Tryon (qubit) 2015-12-17 08:43:05 UTC Comment hidden (obsolete)
Comment 9 Commit Notification 2016-12-13 14:11:44 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c117ab838b49b355a3f3fa48632a43284c989ffa

Resolves: tdf#103938 replace fix for tdf#78599/tdf#87977

It will be available in 5.4.0.

Comment 10 Commit Notification 2016-12-13 20:58:01 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=7bc3175ad1fddf71c2a0108541e538f82872579a&h=libreoffice-5-3

Resolves: tdf#103938 replace fix for tdf#78599/tdf#87977

It will be available in 5.3.0.1.

Comment 11 Commit Notification 2016-12-20 05:16:25 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a4d4fbeb623013f6377b30711ceedb38ea4b49f8&h=libreoffice-5-2

Resolves: tdf#103938 replace fix for tdf#78599/tdf#87977

It will be available in 5.2.5.
