Hi Dom,
I can reproduce the crash from 2393 (TIPython.doc).
In escher.c, wv wants to eat some obviously incorrect number of bytes.
First patch is to add safety checks to my memory_streams.
Note that it now no longer crashes, but it takes a very, very long time to load. (This bug also shows up with some other documents in bugzilla, e.g. "Abiword hangs loading word dokument...".)
Robert
Index: support.c
===================================================================
RCS file: /cvsroot/wv/support.c,v
retrieving revision 1.25
diff -u -r1.25 support.c
--- support.c 19 Feb 2002 10:04:51 -0000 1.25
+++ support.c 12 Mar 2002 18:46:18 -0000
@@ -111,6 +111,27 @@
streams = listEntry;
}
+static size_t memorystream_read(MemoryStream *stream, void *buf, size_t count)
+{
+ size_t ret;
+
+ if ( stream->current + count < stream->size)
+ {
+ memcpy(buf, stream->mem + stream->current, count);
+ stream->current += count;
+ ret = count;
+ }
+ else
+ {
+ ret = stream->size - stream->current;
+ memcpy(buf, stream->mem + stream->current, ret);
+ memset(buf + ret , 0, count - ret);
+ stream->current = stream->size;
+ wvTrace(("read out of bounds\n"));
+ }
+ return ret;
+}
+
U32
read_32ubit (wvStream * in)
{
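Review bot: The else branch of memorystream_read computes `stream->size - stream->current` in unsigned arithmetic, which wraps to a huge value whenever `current` already sits past `size` — exactly the state in the attached gdb session (`current = 227278, size = 5166`) — and the memcpy then copies that length, so the new code still crashes on this input rather than bounding it. The fast-path test `stream->current + count < stream->size` has the mirror problem: a count like the `0x137af007` length in the trace can wrap the sum and pass the check, after which memcpy reads `count` bytes past `mem`. Both go away if the remaining bytes are computed first and `count` is clamped against them, never summed; the `<` also turns a read that ends exactly at `size` into a traced "out of bounds", so `<=` semantics are wanted. `buf + ret` is pointer arithmetic on `void *` (a GNU extension); cast through `char *`. Whether anything else in the file can move `current` past `size` (a seek, say) is not visible here, but the trace shows it does happen.
```c
static size_t memorystream_read(MemoryStream *stream, void *buf, size_t count)
{
    size_t avail = 0;
    size_t ret;

    /* current may already be past the end (see the gdb session): no underflow */
    if (stream->current < stream->size)
        avail = stream->size - stream->current;

    /* clamp instead of adding current + count, so a huge count cannot wrap */
    ret = count < avail ? count : avail;
    if (ret)
        memcpy(buf, stream->mem + stream->current, ret);
    if (ret < count)
    {
        memset((char *)buf + ret, 0, count - ret);
        wvTrace(("read out of bounds\n"));
    }
    stream->current += ret;
    return ret;
}
```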
@@ -134,9 +155,7 @@
}
else
{
- ret = *((U32 *) (in->stream.memory_stream->mem +
- in->stream.memory_stream->current));
- in->stream.memory_stream->current +=4;
+ memorystream_read(in->stream.memory_stream, &ret, 4);
}
#endif
return (ret);
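Review bot: The return value of memorystream_read is discarded on the new line, so a 4-byte read that runs off the end of the stream comes back as a zero-filled `ret` (from the memset in memorystream_read) that no caller can tell from a genuine 0 word. The trace shows the escher.c loop taking its `len` values from exactly these reads, so silently returning zeros past the end is a plausible cause of the "very long to load" behaviour the mail mentions, though that is an inference from the backtrace rather than from this hunk. At minimum the short read should be recorded where it happens: `if (memorystream_read(in->stream.memory_stream, &ret, 4) != 4) wvTrace(("short read in read_32ubit\n"));`. Copying into a U32 with memcpy keeps the old host-endian semantics of the removed cast, so no endianness change is introduced. read_32ubit begins, and `ret` is declared, outside this hunk.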
@@ -165,9 +184,7 @@
}
else
{
- ret = *((U16 *) (in->stream.memory_stream->mem +
- in->stream.memory_stream->current));
- in->stream.memory_stream->current+=2;
+ memorystream_read(in->stream.memory_stream, &ret, 2);
}
@@ -192,9 +209,7 @@
else
{
U8 ret;
- ret = *((U8 *)(in->stream.memory_stream->mem +
- in->stream.memory_stream->current));
- in->stream.memory_stream->current++;
+ memorystream_read(in->stream.memory_stream, &ret, 1);
return ret;
}
}
@@ -213,9 +228,7 @@
}
else
{
- memcpy(ptr, in->stream.memory_stream->mem +
- in->stream.memory_stream->current,size * nmemb);
- in->stream.memory_stream->current+=size* nmemb;
+ return memorystream_read(in->stream.memory_stream, ptr, size * nmemb);
return size * nmemb;
}
}
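Review bot: The new `return memorystream_read(...)` leaves the following `return size * nmemb;` unreachable; drop it so the dead line does not suggest the old unconditional-success contract still holds. More importantly `size * nmemb` is formed unchecked before memorystream_read sees it, and the trace shows escher.c deriving a length of `0x137af007` from file data, so a hostile `size`/`nmemb` pair can wrap the product to a small value and the bounds check downstream then guards the wrong count; a guard such as `if (size != 0 && nmemb > (size_t)-1 / size) return 0;` before the call closes that, assuming 0 is an acceptable failure value for this function's return type, which is declared outside the hunk. Callers that check the result need to know it is a byte count rather than fread's item count — unchanged from before, but worth a comment now that short reads are possible.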
Trace: (fopt.c:49) count 6c 72, pos 38
Trace: (fopt.c:78) pos is 38
Trace: (fopt.c:80) dtemp is 1ff
Trace: (fopt.c:91) orig 1ff,pid is 1ff 511, val is 80000
Trace: (fopt.c:63) returning 72
Trace: (escher.c:583) len is 6, type is f122, count 92,fullen a4
Trace: (escher.c:586) type is f122
Diagnostic: (escher.c:629) Eating type 0xf122
Trace: (escher.c:583) len is 0, type is 4, count a2,fullen a4
Trace: (escher.c:586) type is 4
Diagnostic: (escher.c:629) Eating type 0x4
Trace: (escher.c:583) len is 137af007, type is 32, count aa,fullen a4
Trace: (escher.c:586) type is 32
Program received signal SIGSEGV, Segmentation fault.
0x0819f699 in read_32ubit (in=0x8c4e868) at support.c:137
137 ret = *((U32 *) (in->stream.memory_stream->mem +
Current language: auto; currently c
(gdb) p in->stream.memory_stream
$1 = (MemoryStream *) 0x8c43d80
(gdb) p *in->stream.memory_stream
$2 = {mem = 0x8c2f830 "\017", current = 227278, size = 5166}
(gdb) bt
#0 0x0819f699 in read_32ubit (in=0x8c4e868) at support.c:137
#1 0x0819f44b in wvEatmsofbt (amsofbh=0xbfffd240, fd=0x8c4e868) at escher.c:691
#2 0x0819f2a7 in wvGetFSPContainer (item=0xbfffd290, msofbh=0xbfffd2d8, fd=0x8c4e868)
at escher.c:628
#3 0x0819ede4 in wv0x01 (blip=0xbfffd380, fd=0x8c4e868, len=5166) at escher.c:520
#4 0x08169d12 in IE_Imp_MsWord_97::_specCharProc (this=0x405a3008, ps=0xbfffe530,
eachchar=1, achp=0xbfffd960) at ie_imp_MsWord_97.cpp:1036
#5 0x0816db6c in specCharProc (ps=0xbfffe530, eachchar=1, achp=0xbfffd960) at
ie_imp_MsWord_97.cpp:2563
#6 0x081a7920 in wvOutputTextChar (eachchar=1, chartype=1 '\001', ps=0xbfffe530,
achp=0xbfffd960) at text.c:118
#7 0x081df980 in wvDecodeSimple (ps=0xbfffe530, whichdoc=Dmain) at decode_simple.c:460
#8 0x081ade41 in wvText (ps=0xbfffe530) at wvTextEngine.c:14
#9 0x08168d98 in IE_Imp_MsWord_97::importFile (this=0x405a3008, szFilename=0xbffffaf4
"TIPython.doc") at ie_imp_MsWord_97.cpp:617
#10 0x08249c95 in PD_Document::readFromFile (this=0x85b4db0, szFilename=0xbffffaf4
"TIPython.doc", ieft=0) at pd_Document.cpp:202
#11 0x080dabd9 in AP_UnixFrame::_loadDocument (this=0x852a760, szFilename=0xbffffaf4
"TIPython.doc", ieft=0, createNew=true)
at ap_UnixFrame.cpp:502
#12 0x080db0fc in AP_UnixFrame::loadDocument (this=0x852a760, szFilename=0xbffffaf4
"TIPython.doc", ieft=0, createNew=true)
at ap_UnixFrame.cpp:633
#13 0x080d921b in AP_UnixApp::parseCommandLine (this=0x84c9ad8) at ap_UnixApp.cpp:1537
#14 0x080d8933 in AP_UnixApp::main (szAppName=0x835743b "AbiWord", argc=2,
argv=0xbffff9b4) at ap_UnixApp.cpp:1337
#15 0x080d580e in main (argc=2, argv=0xbffff9b4) at UnixMain.cpp:32
#16 0x4038e306 in __libc_start_main (main=0x80d57b0 <main>, argc=2, ubp_av=0xbffff9b4,
init=0x80d315c <_init>, fini=0x83573f0 <_fini>,
rtld_fini=0x4000d2dc <_dl_fini>, stack_end=0xbffff9ac) at
../sysdeps/generic/libc-start.c:129
(gdb) q
The program is running. Exit anyway? (y or n) y