Bug 871516 - [abrt] MathType::HandleRecords
Summary: [abrt] MathType::HandleRecords
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: libreoffice
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5fb6c353c4da33e389dc45461d0...
Keywords:
Depends On:
Blocks:
Reported: 2012-10-30 15:23 UTC by Gaston Cocco
Modified: 2012-11-28 12:33 UTC (History)
Last Closed: 2012-11-28 12:33:18 UTC


Attachments (all text/plain, uploaded by Gaston Cocco):
    core_backtrace (9.83 KB), 2012-10-30 15:23 UTC
    environ (1.95 KB), 2012-10-30 15:23 UTC
    backtrace (241.96 KB), 2012-10-30 15:23 UTC
    limits (1.29 KB), 2012-10-30 15:23 UTC
    cgroup (128 bytes), 2012-10-30 15:23 UTC
    maps (136.42 KB), 2012-10-30 15:23 UTC
    dso_list (32.61 KB), 2012-10-30 15:24 UTC
    var_log_messages (349 bytes), 2012-10-30 15:24 UTC
    open_fds (3.15 KB), 2012-10-30 15:24 UTC

Description Gaston Cocco 2012-10-30 15:23:27 UTC
Version-Release number of selected component:
libreoffice-core-3.5.7.2-2.fc17

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        /usr/lib64/libreoffice/program/soffice.bin --writer --splash-pipe=6
crash_function: GetChar
kernel:         3.6.1-1.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 GetChar at /usr/src/debug/libreoffice-3.5.7.2/solver/unxlngx6.pro/inc/tools/string.hxx:461
: #1 MathType::HandleRecords at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:718
: #2 MathType::HandleTemplate at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:2752
: #3 MathType::HandleRecords at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:1716
: #5 MathType::HandlePile at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:2678
: #6 MathType::HandleRecords at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:1721
: #9 MathType::Parse at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/mathtype.cxx:597
: #10 SmDocShell::ConvertFrom at /usr/src/debug/libreoffice-3.5.7.2/starmath/source/document.cxx:786
: #11 SfxObjectShell::DoLoad at /usr/src/debug/libreoffice-3.5.7.2/sfx2/source/doc/objstor.cxx:748
: #12 SfxBaseModel::load at /usr/src/debug/libreoffice-3.5.7.2/sfx2/source/doc/sfxbasemodel.cxx:1873

Comment 1 Gaston Cocco 2012-10-30 15:23:31 UTC
Created attachment 635649 [details]
File: core_backtrace

Comment 2 Gaston Cocco 2012-10-30 15:23:45 UTC
Created attachment 635650 [details]
File: environ

Comment 3 Gaston Cocco 2012-10-30 15:23:49 UTC
Created attachment 635651 [details]
File: backtrace

Comment 4 Gaston Cocco 2012-10-30 15:23:52 UTC
Created attachment 635652 [details]
File: limits

Comment 5 Gaston Cocco 2012-10-30 15:23:54 UTC
Created attachment 635653 [details]
File: cgroup

Comment 6 Gaston Cocco 2012-10-30 15:23:58 UTC
Created attachment 635654 [details]
File: maps

Comment 7 Gaston Cocco 2012-10-30 15:24:00 UTC
Created attachment 635655 [details]
File: dso_list

Comment 8 Gaston Cocco 2012-10-30 15:24:05 UTC
Created attachment 635656 [details]
File: var_log_messages

Comment 9 Gaston Cocco 2012-10-30 15:24:07 UTC
Created attachment 635657 [details]
File: open_fds

Comment 10 David Tardon 2012-10-31 12:38:22 UTC
Could you attach the document here?

Comment 11 Eike Rathke 2012-10-31 14:19:01 UTC
Looking at code around starmath/source/mathtype.cxx +718 it could be that for (nRecord == END)

    xub_StrLen nI = rRet.Len()-1;
    while (nI && ((cChar = rRet.GetChar(nI)) == ' '))
        --nI;

the rRet string is empty, effectively leading to nI=0xffff and out of bounds access.
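
The underflow Eike describes, shown as an added example that is not LibreOffice code: a stand-in ToyString with the same Len()/GetChar() shape as the tools String (an assumption; the real GetChar() does no bounds check, which is why the crash lands in string.hxx:461 in the backtrace above), with xub_StrLen modelled as a 16-bit unsigned integer. The guarded variant is one illustrative way to avoid computing Len()-1 on an empty string; it is not the upstream commit from comment 12.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Assumed stand-in for LibreOffice 3.5's xub_StrLen, a 16-bit unsigned length type.
using xub_StrLen = uint16_t;

// Assumed stand-in for the tools String API used in the quoted loop. Unlike the
// real GetChar(), this one bounds-checks and throws, so the out-of-bounds read
// becomes an observable exception instead of undefined behaviour.
class ToyString
{
public:
    explicit ToyString(std::string s) : m_s(std::move(s)) {}

    xub_StrLen Len() const { return static_cast<xub_StrLen>(m_s.size()); }

    char GetChar(xub_StrLen nIndex) const
    {
        if (nIndex >= m_s.size())
            throw std::out_of_range("GetChar(" + std::to_string(nIndex) +
                                    ") on string of Len " + std::to_string(m_s.size()));
        return m_s[nIndex];
    }

private:
    std::string m_s;
};

// The start index exactly as the quoted code computes it. Len() yields a uint16_t
// and the literal 1 is an int, so Len()-1 is evaluated as int; for an empty string
// that is -1, which wraps to 0xffff when stored back into xub_StrLen.
xub_StrLen StartIndex(const ToyString& rRet)
{
    xub_StrLen nI = rRet.Len() - 1;
    return nI;
}

// The loop from comment 11 with its logic unchanged: walk back from the last index
// over trailing spaces. The `nI &&` condition also means index 0 is never examined.
xub_StrLen LastNonSpaceUnguarded(const ToyString& rRet)
{
    char cChar = 0;
    xub_StrLen nI = StartIndex(rRet);
    while (nI && ((cChar = rRet.GetChar(nI)) == ' '))
        --nI;
    (void)cChar;
    return nI;
}

// Guarded variant: never compute Len()-1 when Len() is 0. Illustrative only; not
// the upstream fix.
xub_StrLen LastNonSpaceGuarded(const ToyString& rRet)
{
    if (rRet.Len() == 0)
        return 0;
    return LastNonSpaceUnguarded(rRet);
}

// Does the unguarded loop touch an index outside the string?
bool UnguardedReadsOutOfBounds(const std::string& s)
{
    try
    {
        LastNonSpaceUnguarded(ToyString(s));
        return false;
    }
    catch (const std::out_of_range&)
    {
        return true;
    }
}

int main()
{
    // Constructed sample inputs: a record with trailing spaces, and the empty
    // rRet that comment 11 suspects.
    const std::string samples[] = { "abc  ", "" };
    for (const std::string& s : samples)
    {
        std::cout << "input \"" << s << "\": start index 0x" << std::hex
                  << StartIndex(ToyString(s)) << std::dec
                  << ", out-of-bounds read in unguarded loop: "
                  << (UnguardedReadsOutOfBounds(s) ? "yes" : "no")
                  << ", guarded result: " << LastNonSpaceGuarded(ToyString(s)) << '\n';
    }
    return 0;
}
```

For the empty input the start index is 0xffff and the unguarded loop immediately reads past the end; the guarded variant returns 0 without touching the buffer.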

Comment 12 Caolan McNamara 2012-10-31 17:17:03 UTC
Pushed http://cgit.freedesktop.org/libreoffice/core/commit/?id=4dd6c44628ab4e6b4debf22e58e01f9263a5a878 upstream according to erack's theory. But I would still like to see the crashing document to verify that.

Comment 13 David Tardon 2012-11-28 12:33:18 UTC
Let's presume the fix is good.

