97699 – extraordinary memory corruption ...

Bug 97699 - extraordinary memory corruption ...

Summary: extraordinary memory corruption ...

Status:	RESOLVED DUPLICATE of bug 97700

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	graphics stack (show other bugs)
Version: (earliest affected)	5.1.0.1 rc
Hardware:	All All

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-02-09 22:40 UTC by Michael Meeks
Modified:	2016-02-10 00:20 UTC (History)
CC List:	0 users

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Meeks 2016-02-09 22:40:36 UTC

Running the slide-show; interestingly we continue to paint the (no longer visible) main-window [ which seems particularly pointless ] - but anyhow - it triggers an interesting crash:

(gdb) bt
#0  0x00007ffff745b187 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff745c538 in __GI_abort () at abort.c:78
#2  0x00007ffff7454126 in __assert_fail_base (fmt=0x7ffff7589858 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7fffefe24608 "mnWidth == maTexture.GetWidth() && mnHeight == maTexture.GetHeight()", file=file@entry=0x7fffefe24400 "/data/opt/libreoffice/master/vcl/opengl/salbmp.cxx", line=line@entry=552, function=function@entry=0x7fffefe25560 <OpenGLSalBitmap::ReadTexture()::__PRETTY_FUNCTION__> "bool OpenGLSalBitmap::ReadTexture()") at assert.c:92
#3  0x00007ffff74541d2 in __GI___assert_fail (assertion=0x7fffefe24608 "mnWidth == maTexture.GetWidth() && mnHeight == maTexture.GetHeight()", file=0x7fffefe24400 "/data/opt/libreoffice/master/vcl/opengl/salbmp.cxx", line=552, function=0x7fffefe25560 <OpenGLSalBitmap::ReadTexture()::__PRETTY_FUNCTION__> "bool OpenGLSalBitmap::ReadTexture()") at assert.c:101
#4  0x00007fffef5b1b68 in OpenGLSalBitmap::ReadTexture() (this=0x3029bd0) at /data/opt/libreoffice/master/vcl/opengl/salbmp.cxx:551
#5  0x00007fffef5b2bac in OpenGLSalBitmap::AcquireBuffer(BitmapAccessMode) (this=0x3029bd0, nMode=BITMAP_READ_ACCESS) at /data/opt/libreoffice/master/vcl/opengl/salbmp.cxx:754
#6  0x00007fffef5b4ab3 in SalBitmap::updateChecksum() const (this=0x3029bd0) at /data/opt/libreoffice/master/vcl/inc/salbmp.hxx:103
#7  0x00007fffef5b2a61 in OpenGLSalBitmap::updateChecksum() const (this=0x3029bd0) at /data/opt/libreoffice/master/vcl/opengl/salbmp.cxx:730
#8  0x00007fffef9d2b63 in SalBitmap::GetChecksum(unsigned long&) const (this=0x3029bd0, rChecksum=@0x7fffffffbf98: 140737213028057) at /data/opt/libreoffice/master/vcl/inc/salbmp.hxx:79
#9  0x00007fffef9d2a57 in ImpBitmap::ImplGetChecksum() const (this=0x3020ee0) at /data/opt/libreoffice/master/vcl/source/gdi/impbmp.cxx:99
#10 0x00007fffef95d167 in Bitmap::GetChecksum() const (this=0x3033880) at /data/opt/libreoffice/master/vcl/source/gdi/bitmap.cxx:293
#11 0x00007fffef96761c in BitmapEx::GetChecksum() const (this=0x3033880) at /data/opt/libreoffice/master/vcl/source/gdi/bitmapex.cxx:311
#12 0x00007fffefb4ef9d in Image::Draw(OutputDevice*, Point const&, DrawImageFlags, Size const*) (this=0x2fd2ab0, pOutDev=0x2fa62c0, rPos=Point = {...}, nStyle=DrawImageFlags::Disable, pSize=0x0) at /data/opt/libreoffice/master/vcl/source/image/Image.cxx:241
#13 0x00007fffef8fd17e in OutputDevice::DrawImage(Point const&, Size const&, Image const&, DrawImageFlags) (this=0x2fa62c0, rPos=Point = {...}, rSize=Size = {...}, rImage=..., nStyle=DrawImageFlags::Disable) at /data/opt/libreoffice/master/vcl/source/outdev/bitmap.cxx:1325
#14 0x00007fffef8fd09c in OutputDevice::DrawImage(Point const&, Image const&, DrawImageFlags) (this=0x2fa62c0, rPos=Point = {...}, rImage=..., nStyle=DrawImageFlags::Disable) at /data/opt/libreoffice/master/vcl/source/outdev/bitmap.cxx:1309
#15 0x00007fffef7709f2 in ToolBox::ImplDrawItem(OutputDevice&, unsigned short, unsigned short, bool, bool) (this=0x2fa62c0, rRenderContext=..., nPos=44, nHighlight=0, bPaint=false, bLayout=false) at /data/opt/libreoffice/master/vcl/source/window/toolbox.cxx:3211

Comparing the salbmp data to the maTexture inside that bitmap:

(gdb) p maTexture
$1 = (OpenGLTexture) {_vptr.OpenGLTexture = 0x7ffff04e6750 <vtable for OpenGLTexture+16>, maRect = Rectangle = {left = 0, top = 0, right = 67, bottom = 53}, mpImpl = 0x2148190, mnSlotNumber = -1}
(gdb) p *this
$2 = (OpenGLSalBitmap) {<SalBitmap> = {_vptr.SalBitmap = 0x7ffff04e5fb0 <vtable for OpenGLSalBitmap+16>, mnChecksum = 0, mbChecksumValid = false}, maTexture = {_vptr.OpenGLTexture = 0x7ffff04e6750 <vtable for OpenGLTexture+16>, maRect = Rectangle = {left = 0, top = 0, right = 67, bottom = 53}, mpImpl = 0x2148190, mnSlotNumber = -1}, mbDirtyTexture = false, maPalette = {mpBitmapColor = 0x0, mnCount = 0}, mpUserBuffer = std::shared_ptr (count 1, weak 0) 0x3dc2f40 "", mnBits = 24, mnBytesPerRow = 96, mnWidth = 32, mnHeight = 25, mnBufWidth = 68, mnBufHeight = 54, maPendingOps = std::__debug::deque with 0 elements}
(gdb) p *maTexture->mpImpl
$3 = {mnRefCount = 1, mnTexture = 174, mnWidth = 68, mnHeight = 54, mnFilter = 9728, mnOptStencil = 0, mpSlotReferences = std::unique_ptr<std::__debug::vector<int, std::allocator<int> >> containing 0x0, mnFreeSlots = -1}

We get a mis-match in size which causes the readtexture to over-write its buffer and corrupt memory; nasty ...

Comment 1 Michael Meeks 2016-02-10 00:20:19 UTC


*** This bug has been marked as a duplicate of bug 97700 ***