Apache OpenOffice (AOO) Bugzilla – Full Text Issue Listing |
Summary: | CRASH when decreasing color picker vertical size too much | ||||||
---|---|---|---|---|---|---|---|
Product: | General | Reporter: | Josh Pharis <jrpharis> | ||||
Component: | ui | Assignee: | Armin Le Grand <Armin.Le.Grand> | ||||
Status: | CLOSED FIXED | QA Contact: | Clarence GUO <clarence.guo.bj> | ||||
Severity: | Major | ||||||
Priority: | P3 | CC: | aoo.zhaoshzh, arittner, Armin.Le.Grand, clarence.guo.bj, fanyuzhen, gooddoggie, issues, nquickel, oliver.brinzing, rainerbielefeld_ooo_qa | ||||
Version: | 4.0.0 | Keywords: | crash, regression | ||||
Target Milestone: | 4.1.0 | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
See Also: | https://issues.apache.org/ooo/show_bug.cgi?id=123063 | ||||||
Issue Type: | DEFECT | Latest Confirmation in: | 4.1.0-dev | ||||
Developer Difficulty: | --- | ||||||
Attachments: |
|
Description
Josh Pharis
2013-11-14 23:01:51 UTC
I was able to replicate this issue using Apple iMac: AOO 4.0.0 [AOO400m3(Build:9702) - Rev. 1503704 2013-07-16 14:52:30 (Tues, 16 July 2013)] on iMac Mac OSX 10.6.8 Snow Leopard. Nate Q. 11/14/2013 I was able to replicate this crash on Mac OS X 10.9 Build 13A603 using Open Office 4.0.1. The bug is not exclusive to writer and I was able to reproduce the same crash in every application where a color picker is used. To recreate the bug, I used any one of the font color, highlighting, or background color drop downs and resized the window vertically until the application crashed. confirming crash with aoo401 on winxp Reproducible with server installation of "AOO 4.1.0-Dev – English UI / English locale - [AOO410m1(Build:9750) - Rev. 1537973 - 2013-11-03]" on German WIN7 Home Premium (64bit)", own separate user profile: 1. From AOO start center open blank new Calc document using New Document icon 2. Long click on Character color icon in Standard Toolbar Color Picker appears 3. Move mouse pointer to bottom of dialog > Mouse pointer view changes to "resize" 4. Press left mouse button and move bottom dialog border upwards (3mm / s) CRASH when height becomes very small Additional info: (a) already Reproducible with server installation of "AOO 4.0.0-Dev – English UI / German locale [AOO400m1(Build:9700) – Rev.1476029 ((2013-04-26))]" on German WIN7 Home Premium (64bit)", own separate user profile (b) was still ok (simply all contents of picker disappears) with server installation of " AOO 4.0.0-Dev – English UI / German locale [AOO400m1(Build:9700) - Rev. 1457992 – Rev.1457606 ((2013-03-19))]" on German WIN7 Home Premium (64bit)", own separate user profile (c) Latest confirmation for AOO 4.1.0-dev, but because of incomplete LCo selector (Bug 123063) no correct information can be contributed. confirming the crash - works in AOO 3.4.1, broken in AOO 4.0.0 taking over to work on a solution Created attachment 82282 [details]
patch to solve the crash
The crash is triggered by method <createBlendFrame(..)> by calling <BitmapWriteAccess::SetPixel(..)> with inappropriate value for <y>.
Due to the given comments regarding the values of <x> and <y> I identified the root cause: in case that <nH == 1> given statement <y == nH - 1> is not hold.
@Armin: As you are the author of method
BitmapEx createBlendFrame( const Size&, sal_uInt8, Color, Color, Color, Color )
I asking you for a review of the proposed patch.
Comment on attachment 82282 [details]
patch to solve the crash
wrong flag ;-) - the "+" should be given by the reviewer
ALG: Thanks for checking. Indeed, when nW and/or nH are 1, x and/or y can be 1, too, after the loops. This is about blending a frame on a bitmap, thus these cases represent a target bitmap with no right/bottom line to be set. Representing that in the method... Adapted and checked, this could indeed happen for X and Y, but for X the probability to destroy something with the write access is much less due to the mem structure of bitmaps. Both are now prevented, stepped through both extremes. Grepping, preparing checkin... Okay, done. Thanks for finding this! "alg" committed SVN revision 1558424 into trunk: i123690 handle the extremes Width or Height equal one *** Issue 124226 has been marked as a duplicate of this issue. *** Verified on snapshot Rev.1566593, the defect was resolved. Change defect status per Clarence Guo's comment Verified on snapshot Rev.1573601, the defect was resolved. *** Issue 124662 has been marked as a duplicate of this issue. *** |