Created attachment 99650 [details]
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffbfe7e6b3 in EnhancedCustomShapeTypeNames::Get (eShapeType=<optimized out>) at /home/moggi/devel/libo7/svx/source/customshapes/EnhancedCustomShapeTypeNames.cxx:304
rax 0x800fc32eda90 140805187492496
rbx 0xf204f2f2f200f201 -1007413291367992831
rcx 0x7ffffffe0820 140737488226336
rdx 0xffffffff 4294967295
rsi 0x1001f865db52 17600648436562
rdi 0x7ffffffe0820 140737488226336
rbp 0x7ffffffe0870 0x7ffffffe0870
rsp 0x7ffffffe07a0 0x7ffffffe07a0
   0x00007fffbfe7e6af <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+447>: shr $0x3,%rsi
=> 0x00007fffbfe7e6b3 <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+451>: cmpb $0x0,0x7fff8000(%rsi)
   0x00007fffbfe7e6ba <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+458>: mov %rax,0x10(%rsp)

Original OO file: WordArt_samples.docx
Mutated OO file (repro file): crash-30909.docx
Modified XML file: word/document.xml

Modifications:
- in tag "w:pStyle", attribute "w:val" was switched from "Heading1" to "Abc123"
- in tag "v:shapetype", attribute "coordsize" was switched from "21600,21600" to "Abc123"
- in tag "v:shapetype", attribute "o:spt" was switched from "136" to "-1"
Created attachment 99651 [details] Original file
Created attachment 99724 [details] bt with symbols On pc Debian x86-64 with master sources updated yesterday, I could reproduce this.
Markus: trying to unwind this bug, I started from bt, more specifically this part:

#4 0x00002aaacce8938f in SvxCustomShape::createCustomShapeDefaults (this=0x89e8a20, rValueType="-1") at /home/julien/compile-libreoffice/libreoffice/svx/source/unodraw/unoshap2.cxx:1979
#5 0x00002aaadc041352 in oox::vml::CustomShape::implConvertAndInsert (this=0x8a11c10, rxShapes=uno::Reference to (SwXDrawPage *) 0x89a9d20, rShapeRect=...) at /home/julien/compile-libreoffice/libreoffice/oox/source/vml/vmlshape.cxx:957

I tried to understand why rValueType was equal to -1 so started here:

957 xDefaulter->createCustomShapeDefaults( OUString::number( getShapeType() ) );

still in vmlshape.cxx:

146 sal_Int32 ShapeType::getShapeType() const
147 {
148     return maTypeModel.moShapeType.get( 0 );
149 }

A search in Opengrok seems to indicate moShapeType is initialized in oox/source/vml/vmlshapecontext.cxx:

288 mrTypeModel.moShapeType = rAttribs.getInteger( O_TOKEN( spt ) );

see http://opengrok.libreoffice.org/xref/core/oox/source/vml/vmlshapecontext.cxx#288

The problem is there's no control of the spt value. I tried this:
- change type of moShapeType from OptValue< sal_Int32 > to OptValue< sal_uInt32 > (include/oox/vml/vmlshape.hxx)
- use this:
  mrTypeModel.moShapeType = rAttribs.getUnsigned( O_TOKEN( spt ) );
  instead of this:
  mrTypeModel.moShapeType = rAttribs.getInteger( O_TOKEN( spt ) );

The file can be opened without crash but -1 is converted to 152. Any idea?
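A reduced illustration of the validation gap described in the comment above (the o:spt value is used as a table index without a range check), written as an added C++ example that is neither the project's code nor the committed fix; the name table is a constructed stand-in for the real MSO_SPT table, and parseSpt / shapeTypeName are hypothetical helpers:

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for the MSO_SPT name table; the real one lives in
// svx/source/customshapes/EnhancedCustomShapeTypeNames.cxx and is much longer.
static const std::vector<std::string> kShapeTypeNames = {
    "non-primitive", "rectangle", "round-rectangle", "ellipse", "diamond"};

// Strict decimal parse of the o:spt attribute text. Returns false for
// non-numeric input such as "Abc123" or for values that overflow int64.
bool parseSpt(const std::string& text, int64_t& out) {
    size_t i = 0;
    bool negative = false;
    if (!text.empty() && (text[0] == '-' || text[0] == '+')) {
        negative = (text[0] == '-');
        i = 1;
    }
    if (i >= text.size()) return false;  // empty string or sign only
    int64_t value = 0;
    for (; i < text.size(); ++i) {
        const char c = text[i];
        if (c < '0' || c > '9') return false;
        const int digit = c - '0';
        if (value > (INT64_MAX - digit) / 10) return false;  // overflow guard
        value = value * 10 + digit;
    }
    out = negative ? -value : value;
    return true;
}

// Table lookup with an explicit range check. Negative or too-large indexes
// fall back to entry 0 instead of reading outside the table, which is what
// an unchecked conversion of -1 to an enum index would do.
std::string shapeTypeName(int64_t spt) {
    if (spt < 0 || spt >= static_cast<int64_t>(kShapeTypeNames.size()))
        return kShapeTypeNames[0];
    return kShapeTypeNames[static_cast<size_t>(spt)];
}

// Full path from attribute text to a safe name: unparsable values take the
// same fallback as out-of-range ones, mirroring moShapeType.get( 0 ).
std::string shapeTypeNameFromAttribute(const std::string& attr) {
    int64_t spt = 0;
    if (!parseSpt(attr, spt)) spt = 0;
    return shapeTypeName(spt);
}
```

Note that switching the field to an unsigned type alone does not close the gap: a wrapped value is still out of range for the table, so the check has to compare against the table size before indexing.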
Caolan McNamara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=65277f994ae25d930c15aebba0ed19f8de0abba1 Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-2": http://cgit.freedesktop.org/libreoffice/core/commit/?id=a2dda857b3d163a42c243566eaef9bc97e933779&h=libreoffice-4-2 Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get It will be available in LibreOffice 4.2.7. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-3": http://cgit.freedesktop.org/libreoffice/core/commit/?id=3c8eb2fe90622afce3ee935000f8f549b5d0efa7&h=libreoffice-4-3 Resolves: fdo#79131 crash in EnhancedCustomShapeTypeNames::Get It will be available in LibreOffice 4.3.3. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.