Bug 95298 - UI Crash on deleting part of animated gif
Summary: UI Crash on deleting part of animated gif
Status: CLOSED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Impress
Version (earliest affected): 5.0.2.2 release
Hardware: Other All
Importance: medium major
Assignee: Armin Le Grand
URL:
Whiteboard: target:5.1.0 target:5.0.4
Keywords: haveBacktrace
Depends on:
Blocks:
 
Reported: 2015-10-24 12:35 UTC by Katarina Behrens (Inactive)
Modified: 2016-10-25 19:20 UTC

See Also:
Crash report or crash signature:


Attachments
console logs + bt with debug symbols (26.25 KB, text/plain)
2015-10-24 13:50 UTC, Julien Nabet

Description Katarina Behrens (Inactive) 2015-10-24 12:35:59 UTC
How to reproduce:

1. Insert any animated gif image (menu Insert > Image)
2. Insert > Media > Animated Image => a dialog pops up
3. Select "Group Object" radiobutton
4. Click "Apply objects individually" icon button (2nd from left) => notice that the preview of the animated gif image appears in the dialog
5. Click "Delete current image" icon button (3rd from left) 

   => Kaboom! Impress crashes
Comment 1 Julien Nabet 2015-10-24 13:50:11 UTC
Created attachment 119928
console logs + bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce the crash.
I attached console logs + bt with debug symbols
Comment 2 Julien Nabet 2015-10-24 14:14:29 UTC
Reproduced on LO 5.0.2.2 Debian testing package.
Comment 3 Jacques Guilleron 2015-10-24 14:57:28 UTC
Also reproduced with

LO 5.1.0.0.alpha1+ Build ID: 186f32f63434e16ff5776251657f902d5808ed3d
TinderBox: Win-x86@39, Branch:master, Time: 2015-10-16_09:42:47
under Windows 7 Home
Comment 4 Armin Le Grand 2015-11-03 10:43:59 UTC
ALG: Taking a look...
Comment 5 Armin Le Grand 2015-11-03 11:30:11 UTC
Problem was that the var to express the current frame (m_nCurrentFrame) uses a state EMPTY_FRAMELIST which is (of course) max integer and that it was partially used as array/vector access index without testing. Needed to add these missing tests and also corrections when the frame deleted was the last frame. Checked that this works now when deleting first/last frame, all frames and others. Checked and secured more places in the source, too. Preparing commit.
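
The failure mode Comment 5 describes, as an added C++ example that is not part of the original report and is not LibreOffice's code: a simplified, hypothetical `FrameList` class keeps `m_nCurrentFrame` with the `EMPTY_FRAMELIST` sentinel, tests it before every vector access, and corrects it when the last frame or the only remaining frame is deleted. The sentinel's type (`std::size_t`), the class and its method names are assumptions.

```cpp
#include <cstddef>
#include <limits>
#include <string>
#include <utility>
#include <vector>

// Sentinel meaning "no current frame"; modelled as the maximum size_t (assumption).
constexpr std::size_t EMPTY_FRAMELIST = std::numeric_limits<std::size_t>::max();
// Hypothetical stand-in for the dialog's frame list, not LibreOffice code.
class FrameList {
    std::vector<std::string> m_Frames;
    std::size_t m_nCurrentFrame = EMPTY_FRAMELIST;
public:
    void append(std::string frame) {
        m_Frames.push_back(std::move(frame));
        m_nCurrentFrame = m_Frames.size() - 1;
    }
    std::size_t current() const { return m_nCurrentFrame; }
    bool select(std::size_t i) {
        if (i >= m_Frames.size()) return false;   // also rejects the sentinel
        m_nCurrentFrame = i;
        return true;
    }
    // Returns nullptr instead of indexing with the sentinel or a stale index.
    const std::string* currentFrame() const {
        if (m_nCurrentFrame == EMPTY_FRAMELIST || m_nCurrentFrame >= m_Frames.size())
            return nullptr;
        return &m_Frames[m_nCurrentFrame];
    }
    // Deletes the current frame; returns false when there is nothing to delete.
    bool removeCurrent() {
        if (currentFrame() == nullptr)
            return false;                          // no vector access at all
        m_Frames.erase(m_Frames.begin() + static_cast<std::ptrdiff_t>(m_nCurrentFrame));
        if (m_Frames.empty())
            m_nCurrentFrame = EMPTY_FRAMELIST;     // list emptied: back to sentinel
        else if (m_nCurrentFrame >= m_Frames.size())
            m_nCurrentFrame = m_Frames.size() - 1; // deleted the last frame: step back
        return true;
    }
};

int main() {
    FrameList list;
    list.append("frame0");
    list.append("frame1");
    while (list.removeCurrent()) {}                // delete every frame
    return list.removeCurrent() ? 1 : 0;           // extra delete on empty list is a no-op
}
```
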
Comment 6 Commit Notification 2015-11-04 11:30:52 UTC
Armin Le Grand committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=f0cef70cd4164342b218fbee34bf57eedc22c998

tdf#95298: corrected some out-of-bound accesses to array

It will be available in 5.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 7 Armin Le Grand 2015-11-04 12:21:18 UTC
integrated to master, done
Comment 8 Commit Notification 2015-11-05 11:46:24 UTC
Armin Le Grand committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=6b3b080f8cedc1b496022b18e477af0c7361fba3&h=libreoffice-5-0

tdf#95298: corrected some out-of-bound accesses to array

It will be available in 5.0.4.