Bug 89496 - Crash: Unable to open rtf document
Summary: Crash: Unable to open rtf document
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 4.5.0.0.alpha0+ Master
Hardware: Other All
Importance: high critical
Assignee: Vasily Melenchuk (CIB)
URL:
Whiteboard: target:4.5.0
Keywords: bibisected, bisected, haveBacktrace, regression
Depends on:
Blocks:
 
Reported: 2015-02-20 10:38 UTC by senya
Modified: 2015-12-17 08:46 UTC

See Also:
Crash report or crash signature:


Attachments
the document that LO fails to open (1.39 MB, application/rtf)
2015-02-20 10:38 UTC, senya
console bt with master sources (40.72 KB, text/plain)
2015-02-21 01:01 UTC, Julien Nabet

Description senya 2015-02-20 10:38:07 UTC
The attached RTF document, created on the Windows platform with some Windows tools (MS Office or WordPad, I'm not sure), doesn't open with LibreOffice on Ubuntu.

LO 4.2.7.2 from Ubuntu reps reports "Input/output error".
Nightly build from 17.02 (4.5.0.0) crashes on open attempt.

I've also checked AbiWord and Wine WordPad. AbiWord crashes, but Wine WordPad manages to show the document, though there are of course some formatting losses.
Comment 1 senya 2015-02-20 10:38:44 UTC
Created attachment 113543
the document that LO fails to open
Comment 2 raal 2015-02-20 21:16:23 UTC
I can open file with Version: 4.5.0.0.alpha0+
Build ID: 62969accf9c01b71b738424d4d643db8bfaed182
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time: 2015-02-08_23:22:32


crash with Version: 4.5.0.0.alpha0+
Build ID: 52b25c1adf3a70819aea2080b0ad50a14a3c104b
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time: 2015-02-17_03:10:47
Comment 3 Julien Nabet 2015-02-21 01:01:40 UTC
Created attachment 113564
console bt with master sources

On pc Debian x86-64 with master sources updated today, I could reproduce this.

I attached console logs + bt
Comment 4 Julien Nabet 2015-02-21 01:22:43 UTC
A gdb session showed that after having passed 28 times here:
/home/julien/compile-libreoffice/libreoffice/sw/source/core/unocore/unodraw.cxx:1148
the next one showed pObj was empty.
see http://opengrok.libreoffice.org/xref/core/sw/source/core/unocore/unodraw.cxx#1139

But even when adding an if (pObj) after SdrObject* pObj = pSvxShape->GetSdrObject();

I got another bt:
#0  0x00002aaace290b28 in SdrObject::GetRelativeHeight (this=0x0) at /home/julien/compile-libreoffice/libreoffice/svx/source/svdraw/svdobj.cxx:594
#1  0x00002aaac9e2d3ed in SwXShape::getPropertyValue (this=0x6052cb0, rPropertyName="RelativeHeight")
    at /home/julien/compile-libreoffice/libreoffice/sw/source/core/unocore/unodraw.cxx:1627
#2  0x00002aaad0b93c0f in writerfilter::TagLogger::unoPropertySet (this=0x29e0d70, rPropSet=uno::Reference to (SwXShape *) 0x6052ce8)
    at /home/julien/compile-libreoffice/libreoffice/writerfilter/source/dmapper/TagLogger.cxx:136
#3  0x00002aaad0ac5ce5 in writerfilter::dmapper::DomainMapper_Impl::PushShapeContext (this=0x2a11a40, xShape=uno::Reference to (SwXShape *) 0x6052d10)
    at /home/julien/compile-libreoffice/libreoffice/writerfilter/source/dmapper/DomainMapper_Impl.cxx:1877
#4  0x00002aaad0a7dd77 in writerfilter::dmapper::DomainMapper::lcl_startShape (this=0x2a11900, xShape=uno::Reference to (SwXShape *) 0x6052d10)
    at /home/julien/compile-libreoffice/libreoffice/writerfilter/source/dmapper/DomainMapper.cxx:2747
#5  0x00002aaad0b2d57a in writerfilter::LoggedStream::startShape (this=0x2a11958, xShape=uno::Reference to (SwXShape *) 0x6052d10)
    at /home/julien/compile-libreoffice/libreoffice/writerfilter/source/dmapper/LoggedResources.cxx:153

So the lack of pObj seems wrong.

Miklos: one for you?
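
The situation Comment 4 describes, as an added sketch that is not LibreOffice code and not the fix that was later committed: a wrapper with no backing object is dereferenced from more than one place, so a guard at one call site only moves the crash. The sketch puts the check in the wrapper's accessor and locates the orphan wrappers so their creation can be traced. ShapeWrapper, DrawObject, getProperty and findOrphanWrappers are hypothetical names.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-in for the underlying drawing object.
struct DrawObject { int relativeHeight; int layer; };

// Hypothetical stand-in for the shape wrapper handed to the importer.
class ShapeWrapper {
    DrawObject* obj_;  // null when the wrapper was built without an object
public:
    explicit ShapeWrapper(DrawObject* obj) : obj_(obj) {}
    bool hasObject() const { return obj_ != 0; }

    // Every property read passes through this one check, so no caller can
    // reach a member function with a null object behind it.
    bool getProperty(const std::string& name, int& out) const {
        if (!obj_) return false;  // orphan wrapper: report, do not dereference
        if (name == "RelativeHeight") { out = obj_->relativeHeight; return true; }
        if (name == "Layer") { out = obj_->layer; return true; }
        return false;             // unknown property name
    }
};

// Returns the positions of wrappers that have no backing object. The index
// tells you which shape in the import sequence to trace back to its creator.
std::vector<std::size_t> findOrphanWrappers(const std::vector<ShapeWrapper>& shapes) {
    std::vector<std::size_t> orphans;
    for (std::size_t i = 0; i < shapes.size(); ++i)
        if (!shapes[i].hasObject()) orphans.push_back(i);
    return orphans;
}

int main() {
    DrawObject rect = {100, 1};  // constructed sample data
    std::vector<ShapeWrapper> shapes;
    shapes.push_back(ShapeWrapper(&rect));
    shapes.push_back(ShapeWrapper(0));  // the wrapper whose object is missing
    std::vector<std::size_t> orphans = findOrphanWrappers(shapes);
    for (std::size_t i = 0; i < orphans.size(); ++i)
        std::printf("shape %lu has no backing object\n", (unsigned long)orphans[i]);
    return 0;
}
```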
Comment 5 Matthew Francis 2015-03-17 08:56:59 UTC
This stopped working in the 4.5 dbgutil bibisect tree as of:

    2015-02-14: source-hash-1e475fef47fe6bd9dba6d830aaf0b6c12dc88881


Looks to me like the below is the only plausible commit in that range.
Adding Cc: to vasily.melenchuk@cib.de; Could you possibly take a look at this? Thanks

commit 2c411e4487f24968d6a62958fec85e4e3e1fda93
Author: Vasily Melenchuk <vasily.melenchuk@cib.de>
Date:   Mon Feb 2 09:43:51 2015 +0000

    tdf#49893 partial fix for blank rectangle problem in RTF
    
    * pib structure in rtf shape is processed always, if exists, not only
      for shape #75 (picture frame): it is possible for other shapes, at
      least for #1 (rectangle)
    
    * picture inside shape gets width and height from shape: this picture
      looks like pib object and should fit shape frame
    
    Conflicts:
        sw/qa/extras/rtfimport/rtfimport.cxx
    
    Reviewed on:
        https://gerrit.libreoffice.org/14396
    
    Change-Id: I5cf2e692940c4ddd8ab8b291ef65c0cc44c45f5d
Comment 6 Vasily Melenchuk (CIB) 2015-03-17 12:38:25 UTC
I confirm that this crash is a consequence of my fix to tdf#49893. I will debug this situation.
Comment 7 Commit Notification 2015-03-26 14:28:45 UTC
Vasily Melenchuk committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=ed1605c1ea01c8b8d7809e3682d5c2104c16fa41

tdf#89496 fixed crash on rtf shape group parsing

It will be available in 4.5.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 8 Robinson Tryon (qubit) 2015-12-17 08:46:59 UTC
Migrating Whiteboard tags to Keywords: (bibisected)
[NinjaEdit]