https://bugs.freedesktop.org/show_bug.cgi?id=79131
Priority: medium
Bug ID: 79131
Assignee: [email protected]
Summary: Crash in EnhancedCustomShapeTypeNames::Get
Severity: critical
Classification: Unclassified
OS: All
Reporter: [email protected]
Hardware: Other
Status: UNCONFIRMED
Version: 4.3.0.0.beta1
Component: Libreoffice
Product: LibreOffice
Created attachment 99650
--> https://bugs.freedesktop.org/attachment.cgi?id=99650&action=edit
Repro file
When opening a mutated DOCX file, an ASan build of LO 4.4.0.0 alpha0 will
crash:
Program received signal SIGSEGV, Segmentation fault.
0x00007fffbfe7e6b3 in EnhancedCustomShapeTypeNames::Get (eShapeType=<optimized
out>) at
/home/moggi/devel/libo7/svx/source/customshapes/EnhancedCustomShapeTypeNames.cxx:304
rax 0x800fc32eda90 140805187492496
rbx 0xf204f2f2f200f201 -1007413291367992831
rcx 0x7ffffffe0820 140737488226336
rdx 0xffffffff 4294967295
rsi 0x1001f865db52 17600648436562
rdi 0x7ffffffe0820 140737488226336
rbp 0x7ffffffe0870 0x7ffffffe0870
rsp 0x7ffffffe07a0 0x7ffffffe07a0
0x00007fffbfe7e6af <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+447>: shr
$0x3,%rsi
=> 0x00007fffbfe7e6b3 <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+451>: cmpb
$0x0,0x7fff8000(%rsi)
0x00007fffbfe7e6ba <EnhancedCustomShapeTypeNames::Get(MSO_SPT)+458>: mov
%rax,0x10(%rsp)
Original OO file: WordArt_samples.docx
Mutated OO file (repro file): crash-30909.docx
Modified XML file: word/document.xml
Modifications:
- in tag "w:pStyle", attribute "w:val" was switched from "Heading1" to "Abc123"
- in tag "v:shapetype", attribute "coordsize" was switched from "21600,21600"
to "Abc123"
in tag "v:shapetype", attribute "o:spt" was switched from "136" to "-1"
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Libreoffice-bugs mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
