Created attachment 99662
Repro file

When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will crash:

Program received signal SIGFPE, Arithmetic exception.
0x00007fffa9746e9b in SwDropCapCache::CalcFontSize (this=<optimized out>, pDrop=<optimized out>, rInf=...) at /home/moggi/devel/libo7/sw/source/core/text/txtdrop.cxx:717

rax 0xbd740 776000
rbx 0xf200f2f2f200f201 -1008539191274835455
rcx 0x7ffffffe2280 140737488233088
rdx 0x0 0
rsi 0x10007fff4308 17594333479688
rdi 0x7ffffffe1860 140737488230496
rbp 0x7ffffffe2670 0x7ffffffe2670
rsp 0x7ffffffe18c0 0x7ffffffe18c0

   0x00007fffa9746e93 <SwDropCapCache::CalcFontSize(SwDropPortion*, SwTxtFormatInfo&)+6451>: mov 0x710(%rsp),%rcx
=> 0x00007fffa9746e9b <SwDropCapCache::CalcFontSize(SwDropPortion*, SwTxtFormatInfo&)+6459>: idivq (%rcx)
   0x00007fffa9746e9e <SwDropCapCache::CalcFontSize(SwDropPortion*, SwTxtFormatInfo&)+6462>: mov 0x738(%rsp),%rdx

Original OO file: www.asep.org%2Fasep%2Fasep%2FEvery_Day_Is_Another_Day.docx
Mutated OO file (repro file): crash-30894.docx
Modified XML file: word/styles.xml

Modifications:
- in tag "w:rFonts", attribute "w:eastAsiaTheme" was switched from "minorHAnsi" to "%s%n%s%n%s%n%s%n%s%n"
- in tag "w:sz", attribute "w:val" was switched from "22" to "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP..."
- in tag "w:lsdException", attribute "w:qFormat" was switched from "1" to "0"

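
A triage check for the "w:sz" modification listed in the report above, as an added example that is not part of the original report or of LibreOffice: it flags font-size values in word/styles.xml that are not positive decimal integers. The helper names, the constructed sample file and the 3276 half-point ceiling are assumptions, and the check does not establish which of the three modifications caused the crash.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
SIZE_TAGS = ("sz", "szCs")   # font sizes, stored in half-points
MAX_HALF_POINTS = 3276       # assumed ceiling (1638 pt), not taken from the report

def build_sample_docx(sz_value):
    """Constructed sample: a zip holding only a minimal word/styles.xml."""
    styles = (
        f'<w:styles xmlns:w="{W_NS}"><w:docDefaults><w:rPrDefault><w:rPr>'
        f'<w:sz w:val="{sz_value}"/><w:szCs w:val="22"/>'
        '</w:rPr></w:rPrDefault></w:docDefaults></w:styles>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/styles.xml", styles)
    return buf.getvalue()

def suspicious_font_sizes(docx_bytes):
    """Return (tag, value, reason) for each font size a consumer should reject."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        raw = zf.read("word/styles.xml")
    try:
        # For untrusted corpora, parse with a hardened parser such as defusedxml.
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [("styles.xml", None, f"malformed XML: {exc}")]
    findings = []
    for tag in SIZE_TAGS:
        for elem in root.iter(f"{{{W_NS}}}{tag}"):
            val = elem.get(f"{{{W_NS}}}val")
            if val is None:
                findings.append((tag, None, "missing w:val"))
            elif not (val.isascii() and val.isdigit()):
                findings.append((tag, val, "not a decimal integer"))
            elif len(val) > 6 or not 0 < int(val) <= MAX_HALF_POINTS:
                findings.append((tag, val, "out of range"))
    return findings

if __name__ == "__main__":
    for value in ("22", "P" * 30, "0"):   # "22" is the original value in the report
        print(value, suspicious_font_sizes(build_sample_docx(value)))
```
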
Created attachment 99663
Original file

Julien Nabet committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=06afd4067f7bc321d7dd0a4e8c235b0b21e3d49a

Resolves: fdo#79139 Crash in SwDropCapCache::CalcFontSize

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

for 4.3: https://gerrit.libreoffice.org/#/c/9457/
for 4.2: https://gerrit.libreoffice.org/9458

Julien Nabet committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=9732b4a0045c1e72493f16d03f60a048d5fbfa9d&h=libreoffice-4-2

Resolves: fdo#79139 Crash in SwDropCapCache::CalcFontSize

It will be available in LibreOffice 4.2.5.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Julien Nabet committed a patch related to this issue.
It has been pushed to "libreoffice-4-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c172eb71bbd725d6ddca9255a288c47534bb9113&h=libreoffice-4-3

Resolves: fdo#79139 Crash in SwDropCapCache::CalcFontSize

It will be available in LibreOffice 4.3.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Thanks to Caolan's review for 4.2 and 4.3, we can put this as FIXED now.