https://bugs.documentfoundation.org/show_bug.cgi?id=171480

            Bug ID: 171480
           Summary: MSan: use-of-uninitialized-value in
                    ReadPptFontEntityAtom() when parsing crafted PPT file
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: filters and storage
          Assignee: [email protected]
          Reporter: [email protected]

Description:
When parsing a crafted PowerPoint (.ppt) file, the stack buffer 'cData'
allocated in ReadPptFontEntityAtom() at svdfppt.cxx:388 is not fully
initialized before being read at svdfppt.cxx:453.

MemorySanitizer reports use-of-uninitialized-value.

Found using MemorySanitizer via OSS-Fuzz infrastructure.
Reproduces 100% of the time with attached testcase.

Affected call chain:
#0 ReadPptFontEntityAtom()       svdfppt.cxx:453
#1 SdrPowerPointImport::ReadFontCollection()  svdfppt.cxx:2192
#2 SdrPowerPointImport::SdrPowerPointImport() svdfppt.cxx:1461
#3 ImplSdPPTImport::ImplSdPPTImport()        pptin.cxx:160
#4 SdPPTImport::SdPPTImport()                pptin.cxx:147
#5 ImportPPT()                               pptin.cxx:2781

Root cause:
Uninitialized value was created by allocation of 'cData' in the
stack frame of ReadPptFontEntityAtom() at svdfppt.cxx:388.
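Added illustration (not LibreOffice code, and not the fix for this bug): a hardened reader for a fixed-size font-entity atom that shows the two defences which remove this class of MSan finding. It assumes the uninitialized bytes come from a stream read that delivers fewer bytes than the buffer size on a truncated file, with the byte count never checked; the atom layout (64-byte UTF-16LE face name plus four flag bytes), ByteStream, ReadFontEntityAtomChecked and MakeAtom are all assumptions of the example, not names from svdfppt.cxx.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

struct ByteStream {  // stand-in for SvStream over an in-memory buffer (assumption)
    std::vector<uint8_t> bytes; size_t pos = 0;
    // Like SvStream::ReadBytes, reports how many bytes were actually delivered.
    size_t ReadBytes(void* dst, size_t n) {
        size_t got = std::min(n, bytes.size() - pos);
        std::memcpy(dst, bytes.data() + pos, got);
        pos += got;
        return got;
    }
};

// Assumed layout for this example: 64-byte UTF-16LE face name, then four
// one-byte fields (charset, clip precision, quality, pitch/family).
constexpr size_t kNameBytes = 64, kAtomBytes = kNameBytes + 4;
struct FontEntityAtom {
    std::string faceName;  // ASCII subset only, for brevity
    uint8_t flags[4] = {};
};

// Hardened reader. The pattern MSan flags is an uninitialised `char cData[N]`
// filled by a stream read whose byte count is never checked. Two defences:
std::optional<FontEntityAtom> ReadFontEntityAtomChecked(ByteStream& rIn) {
    uint8_t cData[kAtomBytes] = {};  // 1: no indeterminate bytes, ever
    if (rIn.ReadBytes(cData, kAtomBytes) != kAtomBytes)
        return std::nullopt;  // 2: a short read is a malformed atom, reject it
    FontEntityAtom atom;
    for (size_t i = 0; i + 1 < kNameBytes; i += 2) {
        uint16_t ch = cData[i] | uint16_t(cData[i + 1]) << 8;
        if (ch == 0) break;  // NUL-terminated name
        atom.faceName.push_back(ch < 0x80 ? char(ch) : '?');
    }
    std::memcpy(atom.flags, cData + kNameBytes, 4);
    return atom;
}

// Constructed atom (not the attached testcase); truncateTo < kAtomBytes simulates a file ending mid-atom.
std::vector<uint8_t> MakeAtom(const std::string& name, size_t truncateTo = kAtomBytes) {
    std::vector<uint8_t> v(kAtomBytes, 0);
    for (size_t i = 0; i < name.size() && 2 * i + 1 < kNameBytes; ++i)
        v[2 * i] = uint8_t(name[i]);
    v[kNameBytes + 1] = 2; v[kNameBytes + 3] = 0x22;  // sample flag values
    v.resize(truncateTo);
    return v;
}
```

Under MSan, the value-initialised buffer alone silences the report, but only the byte-count check turns a truncated atom into a rejected file rather than a font entry with an empty name and zeroed flags.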

Steps to Reproduce:
1. Build LibreOffice with MemorySanitizer using OSS-Fuzz infrastructure:
   python infra/helper.py build_fuzzers --sanitizer memory libreoffice

2. Run the reproducer with the attached testcase:
   python infra/helper.py reproduce libreoffice pptfuzzer <attached_testcase>

3. MemorySanitizer reports use-of-uninitialized-value in 
   ReadPptFontEntityAtom() at svdfppt.cxx:453

Actual Results:
MemorySanitizer: use-of-uninitialized-value in
ReadPptFontEntityAtom() at svdfppt.cxx:453

Expected Results:
Crafted PPT file is rejected or parsed safely without
reading uninitialized memory


Reproducible: Always


User Profile Reset: No

Additional Info:

Full MSan output:

==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 ReadPptFontEntityAtom(SvStream&, PptFontEntityAtom&) svdfppt.cxx:453:14
    #1 SdrPowerPointImport::ReadFontCollection()            svdfppt.cxx:2192:17
    #2 SdrPowerPointImport::SdrPowerPointImport()           svdfppt.cxx:1461:17
    #3 ImplSdPPTImport::ImplSdPPTImport()                  pptin.cxx:160:7
    #4 SdPPTImport::SdPPTImport()                          pptin.cxx:147:23
    #5 ImportPPT()                                         pptin.cxx:2781:47
    #6 TestImportPPT                                       pptin.cxx:2810:20
    #7 LLVMFuzzerTestOneInput                              pptfuzzer.cxx:149:11

Uninitialized value was created by allocation of 'cData' 
in the stack frame of ReadPptFontEntityAtom() at svdfppt.cxx:388

DEDUP_TOKEN: ReadPptFontEntityAtom--ReadFontCollection--SdrPowerPointImport
SUMMARY: MemorySanitizer: use-of-uninitialized-value
svdfppt.cxx:453:14 in ReadPptFontEntityAtom()

Note: This is a separate bug from any previously reported MSan issues.
Not related to WMF or HWP bugs. Independent root cause.
