Issue 120250

Summary: Crash while opening RTF file
Product: Writer
Component: open-import
Status: CLOSED FIXED
Severity: Normal
Priority: P2
Version: 3.4.0
Target Milestone: 4.0.0
Hardware: All
OS: All
Issue Type: DEFECT
Developer Difficulty: ---
Reporter: Andrea Pescetti <pescetti>
Assignee: Andre <awf.aoo>
QA Contact:
CC: awf.aoo, denis.simonet, doneyourself, kschenk
Keywords: regression
Flags: doneyourself: 4.0.0_release_blocker?
Latest Confirmation in: ---
Attachments:
Crashes OpenOffice 3.4, works on 3.3 (flags: none)

Description Andrea Pescetti 2012-07-11 07:25:42 UTC
Created attachment 78624 [details]
Crashes OpenOffice 3.4, works on 3.3

Opening (or scrolling to the second page) the attached RTF file leads to a crash in OpenOffice 3.4 while it works normally in OpenOffice.org 3.3.

Tested on OpenOffice 3.4 with a clean profile and all QA best practices (clean install and so on).

The file is from a public domain repository of classic books http://www.liberliber.it/ and all RTF files downloaded from there seem to be affected. 

[ Credits: reported by Italian users on the Italian forum/newsgroups ]
Comment 1 Kay 2013-06-08 23:12:18 UTC
Is there any other information on this particular document? Yes, it does crash on the second page with AOO 4.0 also. I don't have OOo3.3 to test.
Comment 2 Andrea Pescetti 2013-06-15 21:58:41 UTC
OpenOffice 400m2 still crashes on these RTF files (all the files I tested from the site, but specifically the file attached to this issue will crash).

If this can help, this is what gdb tells me (I can provide the full output if useful) when I open the RTF file and scroll to page 2, thus causing the crash:

$ gdb /.../openoffice4/program/soffice.bin 
[...]
(gdb) run
[...]
Program received signal SIGSEGV, Segmentation fault.
0x00007fffcc853c53 in SwIndex::SwIndex(SwIndexReg*, unsigned short) () from /.../openoffice4/program/../program/libsw.so
Comment 3 Andre 2013-06-18 15:18:53 UTC
Debugging on Windows revealed the crash happening in sw/source/core/bastyp/index.cxx:94 where SwIndexReg object is accessed with empty pLast member.
Comment 4 Andre 2013-06-18 15:31:10 UTC
Looks like SwIndexReg members pFirst and pLast are expected to be both NULL or both non-NULL.  Therefore only pFirst is checked to be non-NULL in index.cxx:92.
But in the crash pFirst is non-NULL, and thus passes the test, but pLast is still NULL and triggers the crash when accessed anyway.  Looks like the doubly linked list is not properly initialized/managed.
Comment 5 Andre 2013-06-18 15:41:01 UTC
*** Issue 120291 has been marked as a duplicate of this issue. ***
Comment 6 Andre 2013-06-20 13:26:11 UTC
Taking over.
Comment 7 Andre 2013-06-21 08:07:04 UTC
The doubly linked list SwIndexReg is not well implemented.  The problem that causes the crash is the removal of items from the list.  It does not handle the case when an item is the last element in the list and the pFirst and pLast pointers both have to be reset.  There is another problem with items being removed from lists in which they are not a member.

Fixed both problems but more probably remain.  It would probably be best to reimplement SwIndex/SwIndexReg.

Fixed in revision 1495315.
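Added example (not part of the issue thread and not the OpenOffice code): a small C++ model of the intrusive head/tail list shape that comments 4 and 7 describe, so the two failure modes can be reproduced and checked. The names Index, IndexReg and pReg, the exact shape of the buggy unlink, and the test scenarios are assumptions modelled on the comments; only the pFirst/pLast/pPrev/pNext naming and the "both null or both set" invariant come from the thread.

```cpp
#include <cassert>

// Model of an intrusive doubly linked list with head/tail pointers, in the
// shape the issue describes for SwIndexReg (pFirst/pLast) and SwIndex
// (pPrev/pNext). Names are assumptions; this is not the OpenOffice code.
struct IndexReg;

struct Index {
    IndexReg* pReg  = nullptr;  // register this index is linked into (assumed field)
    Index*    pPrev = nullptr;
    Index*    pNext = nullptr;
};

struct IndexReg {
    Index* pFirst = nullptr;
    Index* pLast  = nullptr;
};

// The invariant comment 4 names: pFirst and pLast are both null or both set.
bool invariant_ok(const IndexReg& reg) {
    return (reg.pFirst == nullptr) == (reg.pLast == nullptr);
}

// Nodes reachable from pFirst; 'limit' keeps a corrupted cycle from hanging us.
int count(const IndexReg& reg, int limit = 1000) {
    int n = 0;
    for (Index* p = reg.pFirst; p && n < limit; p = p->pNext) ++n;
    return n;
}

// Append at the tail. Like the constructor path in comment 4, this tests only
// pFirst and then dereferences pLast, so it crashes once the invariant is broken.
void link_back(IndexReg& reg, Index& node) {
    node.pReg = &reg;
    if (reg.pFirst) {
        reg.pLast->pNext = &node;   // null pLast here is the SIGSEGV from the report
        node.pPrev = reg.pLast;
    } else {
        reg.pFirst = &node;
    }
    reg.pLast = &node;
}

// Illustrative buggy unlink (assumed, not the original code): it branches on
// "is tail" / "is head" and never handles the node that is both, so removing
// the sole element clears pLast but leaves pFirst dangling.
void unlink_buggy(IndexReg& reg, Index& node) {
    if (&node == reg.pLast) {
        reg.pLast = node.pPrev;
        if (node.pPrev) node.pPrev->pNext = nullptr;
    } else if (&node == reg.pFirst) {
        reg.pFirst = node.pNext;
        node.pNext->pPrev = nullptr;
    } else {
        node.pPrev->pNext = node.pNext;
        node.pNext->pPrev = node.pPrev;
    }
    node.pPrev = node.pNext = nullptr;
    node.pReg = nullptr;
}

// Hardened unlink: refuses a node that is not linked into this register
// (comment 7's second problem), relinks by neighbours so head, tail and
// sole-element cases fall out of the same two tests, and re-checks the invariant.
bool unlink_checked(IndexReg& reg, Index& node) {
    if (node.pReg != &reg) return false;
    // O(1) membership check: each neighbour (or the register itself) must point back.
    bool prev_ok = node.pPrev ? node.pPrev->pNext == &node : reg.pFirst == &node;
    bool next_ok = node.pNext ? node.pNext->pPrev == &node : reg.pLast == &node;
    if (!prev_ok || !next_ok) return false;

    if (node.pPrev) node.pPrev->pNext = node.pNext; else reg.pFirst = node.pNext;
    if (node.pNext) node.pNext->pPrev = node.pPrev; else reg.pLast = node.pPrev;
    node.pPrev = node.pNext = nullptr;
    node.pReg = nullptr;
    assert(invariant_ok(reg));
    return true;
}

// Reproduces the state from comment 4: pFirst set, pLast null. The next
// link_back() on this register would dereference the null pLast.
bool buggy_breaks_invariant() {
    IndexReg reg;
    Index only;
    link_back(reg, only);
    unlink_buggy(reg, only);
    return reg.pFirst != nullptr && reg.pLast == nullptr;
}

// The hardened path keeps the invariant through middle, tail and sole-element
// removals and rejects foreign and already-unlinked nodes instead of corrupting the list.
bool checked_keeps_invariant() {
    IndexReg reg, other;
    Index a, b, c, foreign;
    link_back(reg, a); link_back(reg, b); link_back(reg, c);
    link_back(other, foreign);

    bool ok = count(reg) == 3 && invariant_ok(reg);
    ok = ok && !unlink_checked(reg, foreign) && count(reg) == 3;  // member of another register
    ok = ok && unlink_checked(reg, b) && count(reg) == 2;          // middle element
    ok = ok && !unlink_checked(reg, b) && count(reg) == 2;         // double unlink refused
    ok = ok && unlink_checked(reg, c) && count(reg) == 1;          // tail element
    ok = ok && unlink_checked(reg, a) && count(reg) == 0;          // sole element
    ok = ok && invariant_ok(reg) && reg.pFirst == nullptr;
    link_back(reg, a);                                              // safe to reuse
    return ok && count(reg) == 1 && invariant_ok(reg);
}

int main() {
    return (buggy_breaks_invariant() && checked_keeps_invariant()) ? 0 : 1;
}
```

The point for a reviewer of a fix like revision 1495315 is that the crash site (a pFirst test followed by a pLast dereference) is only a symptom; the guard belongs in the unlink path, which must both reject non-members and treat "first and last" as one case. A debug build can additionally assert invariant_ok() after every link/unlink so the corruption is caught where it is introduced rather than pages later while scrolling.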
Comment 8 Andrea Pescetti 2013-06-25 17:17:48 UTC
Thanks Andre, works with the latest daily snapshot. Closing.
Comment 9 hdu@apache.org 2013-07-11 08:14:51 UTC
Updated target to release that will contain the fix.