Bug 203088 - Stack smashing detected when saving file in oowriter
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openoffice.org
Version: rawhide
Hardware: x86_64
OS: Linux
medium
high
Assignee: Caolan McNamara
Duplicates: 203433
Reported: 2006-08-18 13:23 UTC by Robin Green
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.0.4-2.1
Doc Type: Bug Fix
Last Closed: 2006-08-26 15:41:12 UTC


Attachments:
test case (53.00 KB, application/msword), 2006-08-18 13:23 UTC, Robin Green


Links:
OpenOffice.org 68805

Description Robin Green 2006-08-18 13:23:33 UTC
Description of problem:
oowriter crashes when I use Save As on a .doc file (attached).

Version-Release number of selected component (if applicable):
openoffice.org-writer-2.0.3-7.9

How reproducible:
Always

Steps to Reproduce:
1. oowriter CSI\ Letterhead.doc &
2. attach to oowriter in gdb
  
Actual results:
Crash (backtrace below)

Expected results:
No crash

Additional info:

Continuing.
[New Thread 1126189376 (LWP 24827)]
[New Thread 1136679232 (LWP 24828)]
[Thread 1126189376 (LWP 24827) exited]
[Thread 1136679232 (LWP 24828) exited]
*** stack smashing detected ***:
/usr/lib64/openoffice.org2.0/program/swriter.bin terminated

Program received signal SIGABRT, Aborted.
[Switching to Thread 46912688705152 (LWP 24796)]
0x00002aaaacf52205 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00002aaaacf52205 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00002aaaacf53b70 in *__GI_abort () at abort.c:88
#2  0x00002aaaacf8976b in __libc_message (do_abort=1, fmt=0x2aaaad03bec0 "***
stack smashing detected ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00002aaaad003f4f in __stack_chk_fail () at stack_chk_fail.c:31
#4  0x00002aaaab6dc400 in WW8Dop::Write (this=0x2aaabd790080,
rStrm=@0x2aaac13a3790, rFib=@0x7fffcb5e114c)
    at /usr/src/debug/OOC680_m7/sw/source/filter/ww8/ww8scan.cxx:6807
#5  0x00002aaaab66e9f8 in SwWW8Writer::WriteFkpPlcUsw (this=0x2aaac16d5b28)
    at /usr/src/debug/OOC680_m7/sw/source/filter/ww8/wrtww8.cxx:2068
#6  0x00002aaaab66ebbd in SwWW8Writer::StoreDoc1 (this=0x2aaac16d5b28) at
/usr/src/debug/OOC680_m7/sw/source/filter/ww8/wrtww8.cxx:2109
#7  0x00002aaaab66f68b in SwWW8Writer::StoreDoc (this=0x2aaac16d5b28) at
/usr/src/debug/OOC680_m7/sw/source/filter/ww8/wrtww8.cxx:2398
#8  0x00002aaaab670529 in SwWW8Writer::WriteStorage (this=0x2aaac16d5b28)
    at /usr/src/debug/OOC680_m7/sw/source/filter/ww8/wrtww8.cxx:2563
#9  0x00002aaaab6378a2 in StgWriter::Write (this=0x2aaac16d5b28,
rPaM=@0x2aaac0749640, rStg=<value optimized out>,
    pFName=<value optimized out>) at
/usr/src/debug/OOC680_m7/sw/source/filter/writer/writer.cxx:641
#10 0x00002aaaab6374bf in Writer::Write (this=0x2aaac16d5b28,
rPaM=@0x2aaac0749640, rStrm=@0x2aaac2f6b0b0, pFName=0x7fffcb5e1ad0)
    at /usr/src/debug/OOC680_m7/sw/source/filter/writer/writer.cxx:350
#11 0x00002aaaab574e99 in SwWriter::Write (this=0x7fffcb5e1a00,
rxWriter=@0x7fffcb5e1ae0, pRealFileName=0x7fffcb5e1ad0)
    at /usr/src/debug/OOC680_m7/sw/source/filter/basflt/shellio.cxx:1001
#12 0x00002aaaab746dbe in SwDocShell::ConvertTo (this=0x2aaabd6ed118,
rMedium=@0x2aaac2f96ac0)
    at /usr/src/debug/OOC680_m7/sw/source/ui/app/docsh.cxx:930
#13 0x00002aaab18a5405 in SfxObjectShell::SaveTo_Impl (this=0x2aaabd6ed118,
rMedium=@0x2aaac2f96ac0, pSet=0x0)
    at /usr/src/debug/OOC680_m7/sfx2/source/doc/objstor.cxx:1585
#14 0x00002aaab18a8323 in SfxObjectShell::PreDoSaveAs_Impl (this=0x2aaabd6ed118,
rFileName=@0x7fffcb5e23c0,
    aFilterName=@0x7fffcb5e25d0, pParams=<value optimized out>) at
/usr/src/debug/OOC680_m7/sfx2/source/doc/objstor.cxx:2741
#15 0x00002aaab18a8a87 in SfxObjectShell::CommonSaveAs_Impl
(this=0x2aaabd6ed118, aURL=@0x7fffcb5e2550, aFilterName=@0x7fffcb5e25d0,
    aParams=0x2aaac13becd0) at
/usr/src/debug/OOC680_m7/sfx2/source/doc/objstor.cxx:2612
#16 0x00002aaab18afa33 in SfxObjectShell::APISaveAs_Impl (this=0x2aaabd6ed118,
aFileName=@0x7fffcb5e28a0, aParams=0x2aaac13becd0)
    at /usr/src/debug/OOC680_m7/sfx2/source/doc/objserv.cxx:442
#17 0x00002aaab18e6aec in SfxBaseModel::impl_store (this=0x2aaaaab71d18,
sURL=@0x7fffcb5e2fe0, seqArguments=@0x7fffcb5e3880,
    bSaveTo=0 '\0') at
/usr/src/debug/OOC680_m7/sfx2/source/doc/sfxbasemodel.cxx:3414
#18 0x00002aaab18f5578 in SfxBaseModel::storeAsURL (this=0x2aaaaab71d18,
rURL=@0x7fffcb5e2fe0, rArgs=@0x7fffcb5e3880)
    at /usr/src/debug/OOC680_m7/sfx2/source/doc/sfxbasemodel.cxx:2270
#19 0x00002aaab190d1b9 in SfxStoringHelper::GUIStoreModel (this=<value optimized
out>, xModel=<value optimized out>,
    aSlotName=<value optimized out>, aArgsSequence=@0x7fffcb5e3880) at
/usr/src/debug/OOC680_m7/sfx2/source/doc/guisaveas.cxx:1431
#20 0x00002aaab18b2109 in SfxObjectShell::ExecFile_Impl (this=0x2aaabd6ed118,
rReq=@0x7fffcb5e3e50)
    at /usr/src/debug/OOC680_m7/sfx2/source/doc/objserv.cxx:722
#21 0x00002aaab1961746 in SfxDispatcher::Call_Impl (this=0x2aaac04ea790,
rShell=@0x2aaabd6ed118, rSlot=@0x2aaab1cdbba0,
    rReq=@0x7fffcb5e3e50, bRecord=1 '\001') at ../../inc/shell.hxx:226
#22 0x00002aaab1955e6a in SfxBindings::Execute_Impl (this=0x2aaac0a4c080,
aReq=@0x7fffcb5e3e50, pSlot=0x2aaab1cdbba0,
    pShell=0x2aaabd6ed118) at
/usr/src/debug/OOC680_m7/sfx2/source/control/bindings.cxx:1751
#23 0x00002aaab197ea27 in SfxDispatchController_Impl::dispatch
(this=0x2aaabdb26308, aURL=@0x7fffcb5e3ea0,
---Type <return> to continue, or q <return> to quit---
    aArgs=<value optimized out>, rListener=@0x7fffcb5e3fc0) at
/usr/src/debug/OOC680_m7/sfx2/source/control/unoctitm.cxx:827
#24 0x00002aaab197f3a1 in SfxOfficeDispatch::dispatch (this=0x2aaac1517eb8,
aURL=@0x7fffcb5e4080, aArgs=@0x7fffcb5e4110)
    at /usr/src/debug/OOC680_m7/sfx2/source/control/unoctitm.cxx:450
#25 0x00002aaab23aaa45 in framework::MenuBarManager::Select
(this=0x2aaac1359488, pMenu=0x2aaac243da90)
    at /usr/src/debug/OOC680_m7/framework/source/uielement/menubarmanager.cxx:1428
#26 0x00002aaaad48799e in Menu::Select (this=0x2aaac1150a90) at
/usr/src/debug/OOC680_m7/solver/680/unxlngx6.pro/inc/tools/link.hxx:154
#27 0x00002aaaad483625 in Menu::ImplCallSelect (this=0x60dc) at
/usr/src/debug/OOC680_m7/vcl/source/window/menu.cxx:2683
#28 0x00002aaaad4e4e01 in ImplWindowFrameProc (pInst=0x2aaabe77dda0,
pFrame=0x2aaabe727390, nEvent=<value optimized out>,
    pEvent=0x2aaac13c8558) at
/usr/src/debug/OOC680_m7/solver/680/unxlngx6.pro/inc/tools/link.hxx:154
#29 0x00002aaab9a22e87 in SalDisplay::DispatchInternalEvent
(this=0x2aaaaab00808) at ../../../inc/salframe.hxx:302
#30 0x00002aaab976e446 in GtkXLib::userEventFn (data=<value optimized out>) at
/usr/src/debug/OOC680_m7/vcl/unx/gtk/app/gtkdata.cxx:647
#31 0x00000034f422cf34 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#32 0x00000034f422fd6d in g_main_context_check () from /lib64/libglib-2.0.so.0
#33 0x00000034f423029e in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#34 0x00002aaab976e98f in GtkXLib::Yield (this=0x2aaab6261308, bWait=1 '\001')
    at /usr/src/debug/OOC680_m7/vcl/unx/gtk/app/gtkdata.cxx:697
#35 0x00002aaaad327e7d in Application::Yield () at
/usr/src/debug/OOC680_m7/vcl/source/app/svapp.cxx:545
#36 0x00002aaaad327f18 in Application::Execute () at
/usr/src/debug/OOC680_m7/vcl/source/app/svapp.cxx:507
#37 0x00002aaaaacf0ac5 in desktop::Desktop::Main (this=0x7fffcb5e4c60) at
/usr/src/debug/OOC680_m7/desktop/source/app/app.cxx:1720
#38 0x00002aaaad32cde2 in ImplSVMain () at
/usr/src/debug/OOC680_m7/vcl/source/app/svmain.cxx:242
#39 0x00002aaaad32cec5 in SVMain () at
/usr/src/debug/OOC680_m7/vcl/source/app/svmain.cxx:273
#40 0x00002aaaaace4036 in sal_main (argc=<value optimized out>, argv=<value
optimized out>)
    at /usr/src/debug/OOC680_m7/desktop/source/app/main.cxx:77
#41 0x00002aaaacf3faa4 in __libc_start_main (main=0x4005d0, argc=3,
ubp_av=0x7fffcb5e4dc8, init=<value optimized out>,
    fini=<value optimized out>, rtld_fini=<value optimized out>,
stack_end=0x7fffcb5e4db8) at libc-start.c:231
#42 0x0000000000400619 in _start ()
(gdb)

Comment 1 Robin Green 2006-08-18 13:23:38 UTC
Created attachment 134442
test case

Comment 2 Caolan McNamara 2006-08-20 15:06:49 UTC
oh, *yuck*, sizeof(long) != 4, fix checked in
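
Comment 2 attributes the crash to code that assumed sizeof(long) is 4, which does not hold on x86_64. The following is an added illustration of that bug class, not the OpenOffice.org code or the checked-in fix (neither appears on this page); the record layout, function names and sample values are constructed, and writes are bounds-checked so the example reports the overrun instead of corrupting the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: four 32-bit little-endian fields, 16 bytes on disk. */
#define REC_FIELDS 4
#define REC_SIZE   (REC_FIELDS * 4)

/* Bounded cursor: copies only while the write fits, but keeps counting so
 * the caller learns how many bytes the serializer tried to emit. */
typedef struct { uint8_t *buf; size_t cap; size_t need; } cursor;

static void put_bytes(cursor *c, const void *src, size_t n) {
    if (c->need <= c->cap && n <= c->cap - c->need)
        memcpy(c->buf + c->need, src, n);
    c->need += n;
}

/* Flawed pattern: emits each field at its in-memory width, sizeof(long).
 * That is 4 bytes on ILP32 but 8 on LP64 (x86_64 Linux). */
size_t write_native(const long *f, uint8_t *out, size_t cap) {
    cursor c = { out, cap, 0 };
    for (int i = 0; i < REC_FIELDS; i++)
        put_bytes(&c, &f[i], sizeof f[i]);
    return c.need;
}

/* Corrected pattern: emits exactly 4 bytes per field, explicit byte order. */
size_t write_le32(const long *f, uint8_t *out, size_t cap) {
    cursor c = { out, cap, 0 };
    for (int i = 0; i < REC_FIELDS; i++) {
        uint32_t v = (uint32_t)f[i];
        uint8_t le[4] = { (uint8_t)v, (uint8_t)(v >> 8),
                          (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
        put_bytes(&c, le, sizeof le);
    }
    return c.need;
}

int main(void) {
    const long fields[REC_FIELDS] = { 1, 2, 0x01020304, -1 };  /* constructed */
    uint8_t rec[REC_SIZE];
    printf("buffer=%d native=%zu le32=%zu\n", REC_SIZE,
           write_native(fields, rec, sizeof rec),
           write_le32(fields, rec, sizeof rec));
    return 0;
}
```

On an LP64 build the native-width writer asks for twice the buffer it was given; with an unchecked copy into a stack array, that excess is what the stack protector's canary check in __stack_chk_fail catches.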

Comment 3 Caolan McNamara 2006-08-22 07:06:15 UTC
*** Bug 203433 has been marked as a duplicate of this bug. ***

