Issue 108047 - crash when opening corrupted docx document
Summary: crash when opening corrupted docx document
Status: CLOSED FIXED
Alias: None
Product: Writer
Classification: Application
Component: open-import
Version: OOo 3.1.1
Hardware: Unknown All
Importance: P2 Trivial
Target Milestone: ---
Assignee: michael.ruess
QA Contact: issues@sw
URL:
Keywords: crash, oooqa
Depends on:
Blocks:
 
Reported: 2010-01-03 18:56 UTC by fmms
Modified: 2013-08-07 14:44 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
first variant: guard just the needed methods to avoid immediate crash (1.05 KB, patch)
2010-01-04 06:56 UTC, dtardon
second variant: guard all accesses to m_aFieldStack (2.52 KB, patch)
2010-01-04 06:57 UTC, dtardon
the docx file (8.43 KB, application/octet-stream)
2010-01-04 11:11 UTC, dtardon

Description fmms 2010-01-03 18:56:51 UTC
I have a docx document created by the go-oo version of Ubuntu.

The relevant document can be found attached to
https://bugzilla.redhat.com/attachment.cgi?id=381385.

Opening this document ends with:
/builddir/build/BUILD/OOO310_m19/writerfilter/source/dmapper/DomainMapper.cxx(l/usr/lib/openoffice.org3/program/soffice:
line 129: 12107 Segmentation fault      (core dumped) "$sd_prog/$sd_binary"
"$@"
Comment 1 Mechtilde 2010-01-03 20:17:10 UTC
can confirm

send crash reports
rngmd2c
Comment 2 Mechtilde 2010-01-03 20:19:15 UTC
Priority P2 because of crash
Comment 3 dtardon 2010-01-04 06:55:18 UTC
The namespace r used for r:id attribute of w:hyperlink is undefined in
word/footnotes.xml . Therefore, the hyperlink field creation in hyperlink
context handler fails silently and then any method of the handler trying to get
the actual field from field stack (m_aFieldStack) crashes. The attached patch
guards against accessing elements of empty stack in methods related to this
crash. The second extends it to all (if I haven't overlooked any) methods of the
hyperlink context handler that use m_aFieldStack.
Comment 4 dtardon 2010-01-04 06:56:20 UTC
Created attachment 66962
first variant: guard just the needed methods to avoid immediate crash
Comment 5 dtardon 2010-01-04 06:57:16 UTC
Created attachment 66963
second variant: guard all accesses to m_aFieldStack
Comment 6 michael.ruess 2010-01-04 11:04:32 UTC
MRU->HBRINKM: please take over this Patch proposal.

Please, could anyone attach the docx file to this issue? I was not able to get
it via the mentioned Bugzilla link. Thank you very much!
Comment 7 dtardon 2010-01-04 11:10:03 UTC
dtardon->mru: Correct link to the Fedora bug is
https://bugzilla.redhat.com/show_bug.cgi?id=551983 . I'll attach the docx file
here too.
Comment 8 dtardon 2010-01-04 11:11:51 UTC
Created attachment 66965
the docx file
Comment 9 mjrgroup 2010-01-06 22:20:04 UTC
I'm new to all this, but even after reinstalling the newest version of open
office I am having a similar issue. It will open a .docx file but display it
incorrectly (text fields, object fields shown outside the margins, and incorrect
spacing and margins), but when you close the file either by clicking the "x" or
file menu "close" Open Office crashes. I wish I had some sort of documentation
or what have you but like I said I am new to this software.
Comment 10 michael.ruess 2010-01-07 07:48:00 UTC
mru->mjrgroup: if you are new, you should read the manual pages about
submitting/tracking and grepping issues.
http://qa.openoffice.org/issue_handling/pre_submission.html
http://qa.openoffice.org/ooQAReloaded/ooQA-IssueRules.html
http://qa.openoffice.org/ooQAReloaded/Docs/QA-Reloaded-BasicRules.html
Comment 11 michael.ruess 2010-01-07 07:50:31 UTC
mru->mjrgroup: you will also get help & support at users@openoffice.org.
Comment 12 openoffice 2010-01-07 10:47:38 UTC
I tried to reproduce this one on unxmacxi.pro and ran into an exception not handled:

#0  0x9724e732 in __kill ()
#1  0x9724e724 in kill$UNIX2003 ()
#2  0x972e198d in raise ()
#3  0x972f7a44 in abort ()
#4  0x92004fda in __gnu_cxx::__verbose_terminate_handler ()
#5  0x9200317a in __cxxabiv1::__terminate ()
#6  0x920031ba in std::terminate ()
#7  0x920032b8 in __cxa_throw ()
#8  0x2519540f in sax_fastparser::FastSaxParser::GetTokenWithPrefix (this=0x18605f18, rPrefix=@0x2eb14ce0, rName=@0x2eb14ce4) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:279
#9  0x251975bc in sax_fastparser::FastSaxParser::callbackStartElement (pvThis=0x18605f18, pwName=0x2e8ee620 "w:hyperlink", awAttributes=0x2e8eabc0) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:800
#10 0x25197e65 in call_callbackStartElement (userData=0x18605f18, name=0x2e8ee620 "w:hyperlink", atts=0x2e8eabc0) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:121
#11 0x25181f64 in doContent ()
#12 0x25182c6e in contentProcessor ()
#13 0x251808c1 in doProlog ()
#14 0x25181645 in prologProcessor ()
#15 0x25179ce6 in XML_ParseBuffer ()
#16 0x25194742 in sax_fastparser::FastSaxParser::parse (this=0x18605f18) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:678
#17 0x25196ae6 in sax_fastparser::FastSaxParser::parseStream (this=0x18605f18, maStructSource=@0xbfffb6b8) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:464
#18 0x2dc8a3e0 in writerfilter::ooxml::OOXMLDocumentImpl::resolve (this=0x2e8ea0e0, rStream=@0x2bc9fbbc) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLDocumentImpl.cxx:339
#19 0x2ddb1f74 in writerfilter::dmapper::DomainMapper::substream (this=0x2bc9fbb0, rName=10010, ref=@0xbfffb790) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/dmapper/DomainMapper.cxx:4664
#20 0x2ddad661 in writerfilter::StreamProtocol::substream (this=0x24d3be10, name=10010, ref=@0xbfffb7d8) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/resourcemodel/Protocol.cxx:135
#21 0x2dc89cd5 in writerfilter::ooxml::OOXMLDocumentImpl::resolveFastSubStreamWithId (this=0x24d3bce0, rStream=@0x24d3be10, pStream=@0xbfffb834, nId=10010) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLDocumentImpl.cxx:103
#22 0x2dc8ae1f in writerfilter::ooxml::OOXMLDocumentImpl::resolveFootnote (this=0x24d3bce0, rStream=@0x24d3be10, rType=@0xbfffb86c, rNoteId=@0xbfffb8ac) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLDocumentImpl.cxx:182
#23 0x2dc96704 in writerfilter::ooxml::OOXMLFastContextHandler::resolveFootnote (this=0x18620208, rId=@0xbfffb8ac) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:1170
#24 0x2dc881ee in writerfilter::ooxml::OOXMLFootnoteHandler::attribute (this=0xbfffb9c8, name=92379, val=@0x2e8e9d60) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/Handler.cxx:56
#25 0x2ddadc0b in writerfilter::PropertiesProtocol::attribute (this=0x2e8e9d50, name=92379, val=@0x2e8e9d60) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/resourcemodel/Protocol.cxx:177
#26 0x2dc7fbb7 in writerfilter::ooxml::OOXMLPropertyImpl::resolve (this=0x2e8e9c20, rProperties=@0xbfffb9c8) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLPropertySetImpl.cxx:177
#27 0x2dc81e1e in writerfilter::ooxml::OOXMLPropertySetImpl::resolve (this=0x2e8e2910, rHandler=@0xbfffb9c8) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLPropertySetImpl.cxx:427
#28 0x2dc9705e in writerfilter::ooxml::OOXMLFastContextHandlerProperties::handleXNotes (this=0x18620208) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:1450
#29 0x2dbcd07d in writerfilter::ooxml::OOXMLFactory_wml::endAction (this=0x2bca4220, pHandler=0x18620208) at ../../unxmacxi.pro/misc/OOXMLFactory_wml.cxx:4093
#30 0x2dc77ebc in writerfilter::ooxml::OOXMLFactory::endAction (this=0x2bca23c0, pHandler=0x18620208) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFactory.cxx:308
#31 0x2dc93f58 in writerfilter::ooxml::OOXMLFastContextHandler::lcl_endAction (this=0x18620208, Element=3934419) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:468
#32 0x2dc93e61 in writerfilter::ooxml::OOXMLFastContextHandler::endAction (this=0x18620208, Element=3934419) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:460
#33 0x2dc9a932 in writerfilter::ooxml::OOXMLFastContextHandlerProperties::lcl_endFastElement (this=0x18620208, Element=3934419) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:1373
#34 0x2dc93019 in writerfilter::ooxml::OOXMLFastContextHandler::endFastElement (this=0x18620208, Element=3934419) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:287
#35 0x25195590 in sax_fastparser::FastSaxParser::callbackEndElement (pvThis=0x184299d0) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:892
#36 0x2519568c in call_callbackEndElement (userData=0x184299d0, name=0x41bfa08 "w:footnoteReference") at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:125
#37 0x25181c11 in doContent ()
#38 0x25182c6e in contentProcessor ()
#39 0x251808c1 in doProlog ()
#40 0x25181645 in prologProcessor ()
#41 0x25179ce6 in XML_ParseBuffer ()
#42 0x25194742 in sax_fastparser::FastSaxParser::parse (this=0x184299d0) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:678
#43 0x25196ae6 in sax_fastparser::FastSaxParser::parseStream (this=0x184299d0, maStructSource=@0xbfffc098) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/sax/source/fastparser/fastparser.cxx:464
#44 0x2dc8a3e0 in writerfilter::ooxml::OOXMLDocumentImpl::resolve (this=0x24d3bce0, rStream=@0x2bc9fbbc) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/ooxml/OOXMLDocumentImpl.cxx:339
#45 0x2de44cd5 in WriterFilter::filter (this=0x185f52f8, aDescriptor=@0xbfffc37c) at /Volumes/OOoBuilds/OpenOffice/writerfilter07/Source/writerfilter/source/filter/ImportFilter.cxx:122
#46 0x0057429a in SfxObjectShell::ImportFrom ()
#47 0x00577107 in SfxObjectShell::DoLoad ()
#48 0x005d4d1b in SfxBaseModel::load ()
#49 0x00647d9c in non-virtual thunk to SfxViewShell::~SfxViewShell() ()
#50 0x187b8d0d in dyld_stub_uno_type_sequence_reference2One ()
#51 0x187b93c8 in dyld_stub_uno_type_sequence_reference2One ()
#52 0x187aa5a4 in dyld_stub_uno_type_sequence_reference2One ()
#53 0x187aad05 in dyld_stub_uno_type_sequence_reference2One ()
#54 0x002c6b9c in comphelper::SynchronousDispatch::dispatch ()
#55 0x004a890c in SfxApplication::LoadTemplate ()
#56 0x0068f042 in SfxShell::CallExec ()
#57 0x0068d331 in SfxDispatcher::HideUI ()
#58 0x0068dbdc in SfxDispatcher::_Execute ()
#59 0x0068e08b in SfxDispatcher::Execute ()
#60 0x0068e15a in SfxDispatcher::Execute ()
#61 0x004ab1fe in SfxApplication::LoadTemplate ()
#62 0x0068f042 in SfxShell::CallExec ()
#63 0x0068d331 in SfxDispatcher::HideUI ()
#64 0x0068d8b9 in SfxDispatcher::_Execute ()
#65 0x0068d9e4 in SfxDispatcher::_Execute ()
#66 0x006be0c9 in SfxFrame::GetParentFrame ()
#67 0x0145f89f in vcl::LazyDeletor<Window>::~LazyDeletor ()
#68 0x01515d10 in component_writeInfo ()
#69 0x012714b0 in Application::Yield ()
#70 0x0127159c in Application::Execute ()
#71 0x001dc775 in dyld_stub_write ()
#72 0x01278758 in DeInitVCL ()
#73 0x0151524b in component_writeInfo ()
#74 0x0151a25b in SalGetDesktopEnvironment ()
#75 0x9679b4ff in -[NSApplication run] ()
#76 0x96793535 in NSApplicationMain ()
#77 0x01516b37 in SalGetDesktopEnvironment ()
#78 0x01278801 in SVMain ()
#79 0x0020314a in soffice_main ()
#80 0x00002b6e in main ()

@dr: Looks like this has to be handled first.
Comment 13 michael.ruess 2010-01-07 11:34:51 UTC
Adjusting summary a bit - MS Word 2003 and 2007 say that this document has file
format errors.
Comment 14 daniel.rentz 2010-01-27 14:39:04 UTC
When I try to load the attached document in an unmodified Office (DEV300m70
Windows) I get a crash at the following place:

>	writerfiltermi.dll!writerfilter::dmapper::DomainMapperTableHandler::endTable() Line 453	C++

The code line is:
    PropertyMapVector2::const_iterator aLastRowIterator = m_aCellProperties.end() - 1;

The reason of the crash is that m_aCellProperties is empty.

@hbrinkm: Please have a look if this problem is related.
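
The empty-container accesses described in comment 3 (the hyperlink handler's field stack) and comment 14 (m_aCellProperties.end() - 1) share one guard pattern, sketched here as an added example that is not part of the thread or of the attached patches. HyperlinkHandler, Field, lastRow and replay are hypothetical stand-ins, not OpenOffice.org classes.

```cpp
#include <cstddef>
#include <memory>
#include <stack>
#include <string>
#include <vector>

// Hypothetical stand-in for the importer's field object.
struct Field { std::string text; };

// Hypothetical hyperlink handler; fields_ plays the role of m_aFieldStack.
class HyperlinkHandler {
    std::stack<std::shared_ptr<Field>> fields_;
    std::size_t dropped_ = 0;  // events ignored because no field was open
public:
    // Field creation fails silently when the link target cannot be resolved.
    void start(bool targetResolved) {
        if (targetResolved) fields_.push(std::make_shared<Field>());
    }
    // Guarded: top() on an empty std::stack is undefined behaviour.
    void text(const std::string& s) {
        if (fields_.empty()) { ++dropped_; return; }
        fields_.top()->text += s;
    }
    // Returns the finished field, or nullptr if none was ever created.
    std::shared_ptr<Field> end() {
        if (fields_.empty()) { ++dropped_; return nullptr; }
        std::shared_ptr<Field> f = fields_.top();
        fields_.pop();
        return f;
    }
    std::size_t dropped() const { return dropped_; }
};

// Same class of bug as end() - 1 on an empty vector: check before taking
// the last row instead of decrementing end().
template <class Row>
const Row* lastRow(const std::vector<Row>& rows) {
    return rows.empty() ? nullptr : &rows.back();
}

// Replays the event order start, text, end; returns the number of dropped events.
std::size_t replay(bool targetResolved, std::string& out) {
    HyperlinkHandler h;
    h.start(targetResolved);
    h.text("link text");  // constructed sample content
    std::shared_ptr<Field> f = h.end();
    out = f ? f->text : "";
    return h.dropped();
}
```

Counting dropped events instead of ignoring them silently gives the importer something to log when a malformed part is skipped.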
Comment 15 daniel.rentz 2010-01-27 14:58:53 UTC
Actually, this problem occurs before
sax_fastparser::FastSaxParser::GetTokenWithPrefix() wants to throw something.
So, Henning, please have a look first.
Comment 16 openoffice 2010-02-01 12:09:24 UTC
@dr: I rebased CWS writerfilter07 to DEV300_m70 and still get the stack above.
Comment 17 daniel.rentz 2010-02-04 13:30:34 UTC
I think I have found a solution for the exception handling
Comment 18 daniel.rentz 2010-02-05 12:04:19 UTC
dr->hbrinkm: I have pushed a fix to handle C++ exceptions in the fast parser
correctly (they are not thrown through C callbacks anymore, but transported in
an UNO Any). Please take care of the attached patch. Changed files:
sax/source/fastparser/fastparser.cxx
sax/source/fastparser/fastparser.hxx
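
The approach described in comment 18, shown as an added example that is not the code pushed to sax/source/fastparser: the callback catches every C++ exception, stores it, tells the C parser to stop, and the caller rethrows once the C frames have returned. std::exception_ptr stands in for the UNO Any; c_parse, ParseState, handleStart, onStart and parseNames are hypothetical names, and the qualified names fed to the parser are constructed.

```cpp
#include <exception>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for a C parser such as expat: calls back once per qualified name
// and stops when the callback returns 0. No exception may unwind through it.
typedef int (*start_cb)(void* user, const char* name);
static int c_parse(const char* const* names, int n, start_cb cb, void* user) {
    for (int i = 0; i < n; ++i)
        if (!cb(user, names[i])) return 0;  // aborted by the callback
    return 1;
}

struct ParseState {
    std::vector<std::string> knownPrefixes;
    std::exception_ptr pending;  // saved exception, plays the role of the UNO Any
};

// C++ side: may throw, like a token lookup that meets an undeclared prefix.
static void handleStart(ParseState& st, const std::string& qname) {
    std::string::size_type colon = qname.find(':');
    std::string prefix = colon == std::string::npos ? "" : qname.substr(0, colon);
    for (const std::string& p : st.knownPrefixes)
        if (p == prefix) return;
    throw std::runtime_error("undeclared namespace prefix: " + prefix);
}

// Boundary: catch everything, remember it, and tell the C parser to stop.
static int onStart(void* user, const char* name) {
    ParseState* st = static_cast<ParseState*>(user);
    try { handleStart(*st, name); return 1; }
    catch (...) { st->pending = std::current_exception(); return 0; }
}

// Returns "" on success, otherwise the message of the transported exception.
std::string parseNames(const std::vector<const char*>& names) {
    ParseState st;
    st.knownPrefixes = {"w"};
    c_parse(names.data(), static_cast<int>(names.size()), onStart, &st);
    if (st.pending) {
        try { std::rethrow_exception(st.pending); }  // only C++ frames above us now
        catch (const std::exception& e) { return e.what(); }
    }
    return "";
}
```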
Comment 19 openoffice 2010-02-16 10:36:12 UTC
fixed in writerfilter07
Comment 20 michael.ruess 2010-02-25 10:49:31 UTC
.
Comment 21 michael.ruess 2010-02-25 10:52:08 UTC
Verified in CWS writerfilter07.
Comment 22 caolanm 2010-04-22 10:44:30 UTC
integrated DEV300_m77