| Summary: | Crash in writerfilter::dmapper::DomainMapper_Impl::CloseFieldCommand() | ||
|---|---|---|---|
| Product: | LibreOffice | Reporter: | nicolas.gregoire |
| Component: | Libreoffice | Assignee: | Caolán McNamara <caolanm> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | medium | CC: | caolanm, markus.mohrhard, serval2412 |
| Version: | 4.3.0.0.beta1 | ||
| Hardware: | Other | ||
| OS: | All | ||
| See Also: | https://bugs.freedesktop.org/show_bug.cgi?id=86662 | ||
| Whiteboard: | Asan target:4.4.0 target:4.2.7 target:4.3.3 | ||
| Attachments: | Repro file; Original file; bt with symbols | ||

Created attachment 99649
Original file

Created attachment 99743
bt with symbols

On pc Debian x86-64 with master sources updated yesterday, I could reproduce this.

Caolan McNamara committed a patch related to this issue. It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a392a1deb0bb55f39f0232f9b3df8ad9ac9062af

Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Is this fuzzed with a fuzzer of your own making, or something else?

The mutated file was generated with a fuzzer I wrote myself.

Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=6286b0dd97a330624d63d7be2b3efa43711984d0&h=libreoffice-4-2

Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand

It will be available in LibreOffice 4.2.7.

Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=3ebb09e0e7a0ca78e535d3c6721c2b87da37bd9d&h=libreoffice-4-3

Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand

It will be available in LibreOffice 4.3.3.

Created attachment 99648
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

```
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../include/c++/4.7/bits/stl_stack.h:160:
    error: attempt to access an element in an empty container.

Objects involved in the operation:
sequence "this" @ 0x0x61d0000cbda0 {
  type = St5stackIN5boost10shared_ptrIN12writerfilter7dmapper12FieldContextEEENSt7__debug5dequeIS5_SaIS5_EEEE;
}
```

Original OO file: core.ecu.edu%2Fpsyc%2Fwuenschk%2Fdocs221%30%2FResearch-3-Sampling.docx

Mutated OO file (repro file): crash_writer-2.docx

Modified XML file: word/header2.xml

Modifications:
- in tag "w:fldChar", attribute "w:fldCharType" was switched from "begin" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
- in tag "w:rStyle", attribute "w:val" was switched from "PageNumber" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
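
Added example, not part of the bug report or of LibreOffice's code: a pre-parse check that flags `w:fldChar` sequences like the one in the mutated `word/header2.xml`. It assumes, as an inference from the report, that a "separate" or "end" marker arriving with no valid "begin" before it is what leaves the field-context stack empty. The function names and the sample header are constructed for illustration.

```python
# Added example, not LibreOffice code. Assumption (inferred from the report):
# a "separate"/"end" w:fldChar with no preceding valid "begin" is what leaves
# the importer's field-context stack empty.
import xml.etree.ElementTree as ET
import zipfile

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VALID_TYPES = {"begin", "separate", "end"}

def check_fields(xml_data):
    """Return (fldChar index, problem) pairs for one WordprocessingML part."""
    findings, depth = [], 0          # depth mirrors a stack of open fields
    root = ET.fromstring(xml_data)   # for hostile input prefer defusedxml
    for i, el in enumerate(root.iter(f"{{{W}}}fldChar")):
        kind = el.get(f"{{{W}}}fldCharType")
        if kind not in VALID_TYPES:
            findings.append((i, f"invalid fldCharType {str(kind)[:16]!r}"))
        elif kind == "begin":
            depth += 1
        elif depth == 0:
            findings.append((i, f"{kind!r} with no open field"))
        elif kind == "end":
            depth -= 1
    if depth:
        findings.append((None, f"{depth} field(s) never closed"))
    return findings

def scan_docx(docx):
    """Map each word/*.xml part with problems to its findings (path or file object)."""
    report = {}
    with zipfile.ZipFile(docx) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found = check_fields(z.read(name))
                if found:
                    report[name] = found
    return report

# Constructed sample input: a minimal header part with one PAGE field.
GOOD_HEADER = f"""<w:hdr xmlns:w="{W}"><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>PAGE</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>1</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:hdr>"""
# Same mutation as the report describes: "begin" replaced by a run of "P".
MUTATED_HEADER = GOOD_HEADER.replace('"begin"', '"' + "P" * 30 + '"')

if __name__ == "__main__":
    print(check_fields(GOOD_HEADER), check_fields(MUTATED_HEADER), sep="\n")
```

`scan_docx` accepts a path or a file object, so it can run over a mail or upload queue before documents reach an unpatched importer.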