[Bug 159844] New: double free in __

bugzilla-daemon Thu, 22 Feb 2024 06:13:08 -0800

https://bugs.documentfoundation.org/show_bug.cgi?id=159844


            Bug ID: 159844
           Summary: double free in __
           Product: LibreOffice
           Version: 24.2.0.3 release
          Hardware: All
                OS: OpenBSD
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Calc
          Assignee: [email protected]
          Reporter: [email protected]

Description:
$ scalc --headless --convert-to xlsx:"Calc MS Excel 2007 XML" /tmp/.LQ4drKfGZ7
convert /tmp/.LQ4drKfGZ7 as a Calc document -> /tmp/.LQ4drKfGZ7.xlsx using
filter : Calc MS Excel 2007 XML
soffice.bin(77538) in free(): double free 0xe6cca755480


#1  0xfe9f6561c7f1a82f in ?? ()
No symbol table info available.
#2  0x00000e6cec1b1862 in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
        sa = {__sigaction_u = {__sa_handler = 0x3000000010, __sa_sigaction =
0x3000000010}, sa_mask = 1038392016, sa_flags = 28582}
        mask = 4294967263
#3  0x00000e6cec1d09be in wrterror (d=0xe6d2bf1c708, msg=0xe6cec11e41c "double
free %p") at /usr/src/lib/libc/stdlib/malloc.c:378
        ap = {{gp_offset = 24, fp_offset = 48, overflow_arg_area =
0x6fa63de49bd0, reg_save_area = 0x6fa63de49ad0}}
        saved_errno = 2
#4  0x00000e6cec1d5fa8 in find_chunknum (d=0x0, info=<optimized out>,
ptr=<optimized out>, check=-333786965) at
/usr/src/lib/libc/stdlib/malloc.c:1279
        chunknum = <optimized out>
#5  0x00000e6cec1d1d8e in ofree (argpool=0x6fa63de49c70, p=0xe6cca755480,
clear=<optimized out>, check=0, argsz=<optimized out>) at
/usr/src/lib/libc/stdlib/malloc.c:1677
        info = 0x6
        i = <optimized out>
        tmp = <optimized out>
        pool = 0xe6d2bf1c708
        saved_function = 0xf8d9860b3fbc21f0 <error: Cannot access memory at
address 0xf8d9860b3fbc21f0>
        r = 0x9504bb5b29626bf3
        sz = 48
#6  0x00000e6cec1d1a93 in _libc_free (ptr=0xe6cca755480) at
/usr/src/lib/libc/stdlib/malloc.c:1747
        saved_errno = 2
        d = 0xe6d2bf1c708
#7  0x00000e6ce873697b in operator delete (ptr=0x0) at
/usr/src/gnu/lib/libcxx/../../../gnu/llvm/libcxx/src/new.cpp:133
No locals.
#8  0x00000e6cec17e275 in _libc___cxa_finalize (dso=0x0) at
/usr/src/lib/libc/stdlib/atexit.c:177
        call_depth = 1
        pgsize = 4096
        p = 0xe6c8715e000
        n = 41
        fn = {fn_ptr = 0xe6ce86d0390 <std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >::~basic_string()>, 
          fn_arg = 0xe6ca3f800a8
<libetonyek::IWORKPropertyInfo<libetonyek::property::SFTTableNameStylePropertyParagraphStyle>::id>,
fn_dso = <synthetic pointer>}
        q = <optimized out>
#9  0x00000e6cec140925 in _libc_exit (status=0) at
/usr/src/lib/libc/stdlib/exit.c:54
No locals.


Actual Results:
Conversion works, just leaves a coredump and it is a double free somewhere :)

Expected Results:
No double free.


Reproducible: Always


User Profile Reset: No

Additional Info:
None.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 159844] New: double free in __

Reply via email to