Bug 871516

Summary: [abrt] MathType::HandleRecords
Product: Fedora
Reporter: Gaston Cocco <glcocco>
Component: libreoffice
Assignee: Caolan McNamara <caolanm>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: caolanm, dtardon, erack, ltinkl, mstahl, sbergman
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:5fb6c353c4da33e389dc45461d05ebd460a0b75f
Doc Type: Bug Fix
Last Closed: 2012-11-28 12:33:18 UTC
Attachments (flags: none): core_backtrace, environ, backtrace, limits, cgroup, maps, dso_list, var_log_messages, open_fds

Description Gaston Cocco 2012-10-30 15:23:27 UTC
Version-Release number of selected component:
libreoffice-core-3.5.7.2-2.fc17

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        /usr/lib64/libreoffice/program/soffice.bin --writer --splash-pipe=6
crash_function: GetChar
kernel:         3.6.1-1.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 GetChar at /usr/src/debug/libreoffice-3.5.7.2/solver/unxlngx6.pro/inc/tools/string.hxx:461
: #1 MathType::HandleRecords at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:718
: #2 MathType::HandleTemplate at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:2752
: #3 MathType::HandleRecords at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:1716
: #5 MathType::HandlePile at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:2678
: #6 MathType::HandleRecords at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:1721
: #9 MathType::Parse at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:597
: #10 SmDocShell::ConvertFrom at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/document.cxx:786
: #11 SfxObjectShell::DoLoad at /usr/src/debug/libreoffice-3.5.7.2/sfx2/source/doc/objstor.cxx:748
: #12 SfxBaseModel::load at /usr/src/debug/libreoffice-3.5.7.2/sfx2/source/doc/sfxbasemodel.cxx:1873

Comment 1 Gaston Cocco 2012-10-30 15:23:31 UTC
Created attachment 635649 [details]
File: core_backtrace

Comment 2 Gaston Cocco 2012-10-30 15:23:45 UTC
Created attachment 635650 [details]
File: environ

Comment 3 Gaston Cocco 2012-10-30 15:23:49 UTC
Created attachment 635651 [details]
File: backtrace

Comment 4 Gaston Cocco 2012-10-30 15:23:52 UTC
Created attachment 635652 [details]
File: limits

Comment 5 Gaston Cocco 2012-10-30 15:23:54 UTC
Created attachment 635653 [details]
File: cgroup

Comment 6 Gaston Cocco 2012-10-30 15:23:58 UTC
Created attachment 635654 [details]
File: maps

Comment 7 Gaston Cocco 2012-10-30 15:24:00 UTC
Created attachment 635655 [details]
File: dso_list

Comment 8 Gaston Cocco 2012-10-30 15:24:05 UTC
Created attachment 635656 [details]
File: var_log_messages

Comment 9 Gaston Cocco 2012-10-30 15:24:07 UTC
Created attachment 635657 [details]
File: open_fds

Comment 10 David Tardon 2012-10-31 12:38:22 UTC
Could you attach the document here?

Comment 11 -RETIRED- 2012-10-31 14:19:01 UTC
Looking at the code around starmath/source/mathtype.cxx +718, it could be that for (nRecord == END)

    xub_StrLen nI = rRet.Len()-1;
    while (nI && ((cChar = rRet.GetChar(nI)) == ' '))
        --nI;

the rRet string is empty, effectively leading to nI=0xffff and out of bounds access.
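
An added C model of the arithmetic erack describes above (illustrative code, not from this report or from LibreOffice): xub_StrLen is modelled as a 16-bit unsigned type, as it was in LibreOffice 3.5, so Len()-1 on an empty string wraps to 0xFFFF; the checked_get_char stand-in reports the out-of-bounds read instead of performing it, and trim_guarded adds the length check that closes that path. The helper names are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* LibreOffice 3.5 String lengths were 16-bit unsigned; modelled here as uint16_t. */
typedef uint16_t xub_StrLen;

/* The index the reported loop starts from: Len()-1 stored back into xub_StrLen.
 * For an empty string the intermediate -1 wraps to 0xFFFF instead of staying negative. */
xub_StrLen start_index(xub_StrLen len) {
    xub_StrLen nI = len - 1;
    return nI;
}

/* Stand-in for String::GetChar() that refuses to read past the buffer.
 * Returns 1 and stores the character when idx < len, 0 on an out-of-bounds index. */
int checked_get_char(const char *buf, xub_StrLen len, xub_StrLen idx, char *out) {
    if (idx >= len) return 0;
    *out = buf[idx];
    return 1;
}

/* Same loop shape as the snippet in comment 11, with no length guard.
 * Returns the length after dropping trailing spaces, or -1 if the loop would
 * have read out of bounds (the crash path for an empty rRet). */
int trim_unguarded(const char *buf, xub_StrLen len) {
    char cChar = 0;
    xub_StrLen nI = len - 1;                    /* 0xFFFF when len == 0 */
    while (nI) {
        if (!checked_get_char(buf, len, nI, &cChar)) return -1;
        if (cChar != ' ') break;
        --nI;
    }
    /* nI is now the index of the last non-space character, or 0 */
    return (nI == 0 && buf[0] == ' ') ? 0 : nI + 1;
}

/* Hardened form: reject the empty string before any index arithmetic happens. */
int trim_guarded(const char *buf, xub_StrLen len) {
    if (len == 0) return 0;
    return trim_unguarded(buf, len);
}

int main(void) {
    printf("start index for empty string: 0x%04X\n", start_index(0));
    printf("unguarded trim of \"\": %d\n", trim_unguarded("", 0));
    printf("guarded trim of \"ab  \": %d\n", trim_guarded("ab  ", 4));
    return 0;
}
```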

Comment 12 Caolan McNamara 2012-10-31 17:17:03 UTC
Pushed http://cgit.freedesktop.org/libreoffice/core/commit/?id=4dd6c44628ab4e6b4debf22e58e01f9263a5a878 upstream according to erack's theory. But I would still like to see the crashing document to verify that.

Comment 13 David Tardon 2012-11-28 12:33:18 UTC
Let's presume the fix is good.