Created attachment 99648 [details] Repro file When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash: /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../include/c++/4.7/bits/stl_stack.h:160: error: attempt to access an element in an empty container. Objects involved in the operation: sequence "this" @ 0x0x61d0000cbda0 { type = St5stackIN5boost10shared_ptrIN12writerfilter7dmapper12FieldContextEEENSt7__debug5dequeIS5_SaIS5_EEEE; } Original OO file: core.ecu.edu%2Fpsyc%2Fwuenschk%2Fdocs221%30%2FResearch-3-Sampling.docx Mutated OO file (repro file): crash_writer-2.docx Modified XML file: word/header2.xml Modifications: - in tag "w:fldChar", attribute "w:fldCharType" was switched from "begin" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..." - in tag "w:rStyle", attribute "w:val" was switched from "PageNumber" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
Created attachment 99649 [details] Original file
Created attachment 99743 [details] bt with symbols On pc Debian x86-64 with master sources updated yesterday, I could reproduce this.
Caolan McNamara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=a392a1deb0bb55f39f0232f9b3df8ad9ac9062af Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Is this fuzzed with a fuzzer of your own making, or something else?
The mutated file was generated with a fuzzer I wrote myself.
Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-2": http://cgit.freedesktop.org/libreoffice/core/commit/?id=6286b0dd97a330624d63d7be2b3efa43711984d0&h=libreoffice-4-2 Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand It will be available in LibreOffice 4.2.7. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolan McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-3": http://cgit.freedesktop.org/libreoffice/core/commit/?id=3ebb09e0e7a0ca78e535d3c6721c2b87da37bd9d&h=libreoffice-4-3 Resolves: fdo#79130 Crash in DomainMapper_Impl::CloseFieldCommand It will be available in LibreOffice 4.3.3. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.