https://bugs.freedesktop.org/show_bug.cgi?id=65823

          Priority: medium
            Bug ID: 65823
          Assignee: [email protected]
           Summary: Crash when selecting word in redlined text
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: [email protected]
          Hardware: Other
            Status: UNCONFIRMED
           Version: 4.2.0.0.alpha0+ Master
         Component: Writer
           Product: LibreOffice

Created attachment 80908
  --> https://bugs.freedesktop.org/attachment.cgi?id=80908&action=edit
Document with some redline text that reproduces the crash when "bedankt" is
selected.

In the attached select_bedankt_crash.odt file, try to select the text "bedankt"
(by double clicking on it). It is in the middle of some redlined text. This
triggers an assert when trying to count the words in the selection. With a
debug run I see:

#0  0x000000327c4328a5 in raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000327c434085 in abort () at abort.c:92
#2  0x000000327c42ba1e in __assert_fail_base (fmt=<value optimized out>, 
    assertion=0x7fffdce9d1a8 "index >= 0 && index < pData->length", file=
    0x7fffdce9d160 "/home/mark/src/libreoffice/include/rtl/ustrbuf.hxx", 
    line=<value optimized out>, function=<value optimized out>) at assert.c:96
#3  0x000000327c42bae0 in __assert_fail (assertion=
    0x7fffdce9d1a8 "index >= 0 && index < pData->length", file=
    0x7fffdce9d160 "/home/mark/src/libreoffice/include/rtl/ustrbuf.hxx", line=
    382, function=
    0x7fffdce9de80 "sal_Unicode& rtl::OUStringBuffer::operator[](sal_Int32)")
    at assert.c:105
#4  0x00007fffdc14d279 in rtl::OUStringBuffer::operator[] (this=
    0x7fffffff5810, index=-21)
    at /home/mark/src/libreoffice/include/rtl/ustrbuf.hxx:382
#5  0x00007fffdc7be5b9 in SwScanner::SwScanner (this=0x7fffffff58c0, rNd=..., 
    rTxt=..., pLang=0x0, rConvMap=..., nType=3, nStart=-21, nEnde=-14, bClp=
    1 '\001')
    at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:674
#6  0x00007fffdc7c4c5c in SwTxtNode::CountWords (this=0x1af4af0, rStat=..., 
    nStt=7, nEnd=14)
    at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:1984
#7  0x00007fffdc21e251 in SwDoc::CountWords (this=0x169ba80, rPaM=
    SwPaM = {...}, rStat=...)
    at /home/mark/src/libreoffice/sw/source/core/doc/docedt.cxx:2753
#8  0x00007fffdc4430bc in SwEditShell::CountWords (this=0x1b2e1d0, rStat=...)
    at /home/mark/src/libreoffice/sw/source/core/edit/editsh.cxx:1069
#9  0x00007fffdcd441ce in SwView::StateStatusLine (this=0x19da870, rSet=...)
    at /home/mark/src/libreoffice/sw/source/ui/uiview/view2.cxx:1271
#10 0x00007fffdcd3bec3 in SfxStubSwViewStateStatusLine (pShell=0x19da870, rSet=
    ...)
    at /home/mark/src/libreoffice/workdir/unxlngx6/SdiTarget/sw/sdi/swslots.hxx:12586
#11 0x00007ffff5f5ad6c in SfxShell::CallState (this=0x19da870, pFunc=
    0x7fffdcd3bea0 <SfxStubSwViewStateStatusLine(SfxShell*, SfxItemSet&)>, 
    rSet=...) at /home/mark/src/libreoffice/include/sfx2/shell.hxx:187
#12 0x00007ffff62f23da in SfxDispatcher::_FillState(SfxSlotServer const&, SfxItemSet&, SfxSlot const*) ()
   from /home/mark/src/libreoffice/solver/unxlngx6/installation/opt/program/libsfxlo.so

Note how the SwScanner constructor is being passed negative values for nStart
and nEnde. These come from:

#6  0x00007fffdc7c4c5c in SwTxtNode::CountWords (this=0x1af4af0, rStat=..., 
    nStt=7, nEnd=14)
    at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:1984
1984                                    nExpandBegin, nExpandEnd, true );

Note that nExpandBegin and nExpandEnd are unsigned values (and SwScanner takes
signed values). They are very large:

(gdb) print nExpandBegin
$1 = 4294967275
(gdb) print nExpandEnd
$2 = 4294967282
(gdb) print (sal_Int32) nExpandBegin
$3 = -21
(gdb) print (sal_Int32) 4294967282
$4 = -14

These values come from a few lines up in txtedt.cxx:

1955        // ConversionMap to expand fields, remove invisible and redline deleted text for scanner
1956        const ModelToViewHelper aConversionMap(*this, EXPANDFIELDS | HIDEINVISIBLE | HIDEREDLINED);
1957        OUString aExpandText = aConversionMap.getViewText();
1958
1959        // map start and end points onto the ConversionMap
1960        const sal_uInt32 nExpandBegin = aConversionMap.ConvertToViewPosition( nStt );
1961        const sal_uInt32 nExpandEnd   = aConversionMap.ConvertToViewPosition( nEnd );
1962

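The unsigned-to-signed narrowing described in the report, as an added example
that is not part of the original bug report and is not LibreOffice code. The
names ViewPos, ScanPos, implicitNarrow and checkedScanRange are hypothetical
stand-ins; only the two gdb values are taken from the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-ins for the types named in the report.
using ViewPos = std::uint32_t;  // like sal_uInt32 nExpandBegin / nExpandEnd
using ScanPos = std::int32_t;   // like sal_Int32 nStart / nEnde of SwScanner

// What the implicit conversion at the call site does to the value.
// Modular since C++20; GCC, Clang and MSVC behave the same way before that.
ScanPos implicitNarrow(ViewPos p) { return static_cast<ScanPos>(p); }

// Checked conversion: accept the range only when both ends are ordered,
// lie inside the expanded text and fit in the signed index type.
bool checkedScanRange(ViewPos begin, ViewPos end, std::size_t textLen,
                      ScanPos& outBegin, ScanPos& outEnd)
{
    const std::uint64_t len = textLen;
    const std::uint64_t maxIdx = std::numeric_limits<ScanPos>::max();
    if (begin > end || end > len || len > maxIdx)
        return false;  // caller must not index the buffer with this range
    outBegin = static_cast<ScanPos>(begin);
    outEnd = static_cast<ScanPos>(end);
    return true;
}

int main()
{
    // Values printed by gdb in the report.
    const ViewPos nExpandBegin = 4294967275u;
    const ViewPos nExpandEnd = 4294967282u;
    const std::size_t textLen = 40;  // constructed sample length

    std::printf("implicit: %d .. %d\n",
                static_cast<int>(implicitNarrow(nExpandBegin)),
                static_cast<int>(implicitNarrow(nExpandEnd)));

    ScanPos b = 0, e = 0;
    if (!checkedScanRange(nExpandBegin, nExpandEnd, textLen, b, e))
        std::printf("range rejected before it reaches the scanner\n");
    if (checkedScanRange(7, 14, textLen, b, e))
        std::printf("accepted: %d .. %d\n", static_cast<int>(b), static_cast<int>(e));
    return 0;
}
```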