Issue 116400 - Memory corruption while loading an xls file
Summary: Memory corruption while loading an xls file
Status: CONFIRMED
Alias: None
Product: Calc
Classification: Application
Component: viewing
Version: OOo 3.2.1
Hardware: PC All
Importance: P3 Normal
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL: http://hotfile.com/dl/95840230/308243...
Keywords:
Depends on:
Blocks:
Reported: 2011-01-10 22:40 UTC by omair3030
Modified: 2014-01-15 14:50 UTC
CC List: 2 users

See Also:
Issue Type: DEFECT
Latest Confirmation in: 4.1.0-dev
Developer Difficulty: ---


Attachments
attached the xls file (53.50 KB, application/vnd.ms-excel)
2011-01-10 22:41 UTC, omair3030

Description omair3030 2011-01-10 22:40:17 UTC
Tested on OpenOffice 3.2.1 build 9504 on WinXP/7


A specially crafted file which has a corrupt MSODRAWING record
of the Excel file causes memory corruption.

The byte corrupted is at address 0x641D of the attached file.


Crash Details
--------------
0:000:x86> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
01679764 1000ad10 0167978c 55555555 0edaf4f0 sal3!rtl_uString_new_WithLength+0x2e
0167977c 0e5c7685 016797a0 016797a4 00000000 sal3!rtl_uStringbuffer_ensureCapacity+0x34
016797bc 0e5d5904 01679bb0 00000380 0edaf4f0 svxmsfiltermi!DffPropSet::GetPropertyString+0x5c
01679b9c 0e5d6bf7 0d691ce0 0edaf4f0 01679c3c svxmsfiltermi!SvxMSDffManager::ImportShape+0x1d67
01679bdc 0c5f60ea 0edaf4f0 01679c3c 01679c0c svxmsfiltermi!SvxMSDffManager::ImportObj+0x83
01679c30 0c5f68fc 0edaf4f0 00000000 01679ca4 scfiltmi!ScFilterCreate+0x647ba
01679c60 0c5f78ed 0edaf4f0 00003f82 0ed2bc40 scfiltmi!ScFilterCreate+0x64fcc
01679c90 0c5f7cec 0edaf4f0 00003f82 0edaf490 scfiltmi!ScFilterCreate+0x65fbd
01679cb4 0c5f7df4 0edaf4f0 0000005a 626dee96 scfiltmi!ScFilterCreate+0x663bc
01679cec 0c598281 626def46 0d5ac4ec 0d5ac4e0 scfiltmi!ScFilterCreate+0x664c4
01679d3c 0c59b018 626def0e 0ed2bbfa 0d5ac4e0 scfiltmi!ScFilterCreate+0x6951
01679d74 0c604ec8 0ee02ee8 0d5ac4e0 00040b08 scfiltmi!ScFilterCreate+0x96e8
01679e48 0c59225f 626dedb6 0eda0cd8 0edae650 scfiltmi!ScFilterCreate+0x73598
01679fcc 0df45961 0d5ac4e0 0d5ac4e0 053b8948 scfiltmi!ScFilterCreate+0x92f
0167d314 019e5c92 0eda0cd8 b91e45fe 034ceccb scmi!ScDocShell::ConvertFrom+0x11ee
0167d3f0 01a0ba0b 0eda0cd8 b91e425a 01e4fb64 sfxmi!SfxObjectShell::DoLoad+0xb4b
0167d454 01a42879 00da0cd8 0167d594 b91e43da sfxmi!SfxBaseModel::load+0x14b
0167d5d4 094fef2b 10c2f8e8 0167d63c 0167d644 sfxmi!SfxViewShell::SfxViewShell+0x2496
0167d658 094ff062 b9e58806 0fa94e3c 0fa94e44 fwkmi!GetVersionInfo+0x6df2b
0167d69c 094f8a5d b9e5899a 00000001 00000001 fwkmi!GetVersionInfo+0x6e062
0:000:x86> r
eax=00000000 ebx=55555555 ecx=aaaaaac0 edx=00000000 esi=55555555 edi=0167978c
eip=10005c86 esp=0167975c ebp=01679764 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
sal3!rtl_uString_new_WithLength+0x2e:
10005c86 83600400        and     dword ptr [eax+4],0  ds:002b:00000004=????????

Here we control ecx and affect the registers ebx and esi.

sal3!rtl_uString_new_WithLength:
10005c58 55              push    ebp
10005c59 8bec            mov     ebp,esp
10005c5b 56              push    esi
10005c5c 8b750c          mov     esi,dword ptr [ebp+0Ch]
10005c5f 85f6            test    esi,esi
10005c61 7f0b            jg      sal3!rtl_uString_new_WithLength+0x16 (10005c6e)
10005c63 ff7508          push    dword ptr [ebp+8]
10005c66 e8d0ffffff      call    sal3!rtl_uString_new (10005c3b)
10005c6b 59              pop     ecx
10005c6c eb3a            jmp     sal3!rtl_uString_new_WithLength+0x50 (10005ca8)
10005c6e 57              push    edi
10005c6f 8b7d08          mov     edi,dword ptr [ebp+8]
10005c72 8b07            mov     eax,dword ptr [edi]
10005c74 85c0            test    eax,eax
10005c76 7407            je      sal3!rtl_uString_new_WithLength+0x27 (10005c7f)
10005c78 50              push    eax
10005c79 e887ffffff      call    sal3!rtl_uString_release (10005c05)
10005c7e 59              pop     ecx
10005c7f e84bf9ffff      call    sal3!rtl_ustr_toInt64+0xc2 (100055cf)
10005c84 8907            mov     dword ptr [edi],eax
10005c86 83600400        and     dword ptr [eax+4],0  ds:002b:00000004=????????
10005c8a 8b3f            mov     edi,dword ptr [edi]
10005c8c 33c0            xor     eax,eax
10005c8e 0fb7d0          movzx   edx,ax
10005c91 83c708          add     edi,8
10005c94 8bc2            mov     eax,edx
10005c96 c1e210          shl     edx,10h
10005c99 0bc2            or      eax,edx
10005c9b 8d4e01          lea     ecx,[esi+1]
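The trace above shows DffPropSet::GetPropertyString reaching rtl_uString_new_WithLength with a length argument taken from the file (the 0x55555555 value visible in ebx and esi), and at the faulting instruction eax is zero, so the store to [eax+4] hits address 4. The defensive point is that any length read from an MSODRAWING record has to be validated against a sane bound and against the bytes actually present before a buffer is sized from it, and an allocation failure has to be handled rather than dereferenced. The following C++ is an added illustration of that check, not the OpenOffice filter's own code and not the reporter's; the record layout, the struct and function names (DffStringProp, parseStringProp, makeRecord) and the 1 MiB limit are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Constructed, simplified layout of one string property inside an MSODRAWING
// (Escher/DFF) property block: a 4-byte little-endian byte count followed by
// that many bytes of UTF-16LE text. The struct and function names here are
// hypothetical and are not the OpenOffice filter's own.
struct DffStringProp {
    std::u16string text;
    std::size_t consumed;  // bytes of the record used, length header included
};

// Largest string a real drawing object could plausibly carry. Anything above
// this is treated as corruption rather than passed to the allocator. The limit
// is a constructed value for this example.
constexpr std::uint32_t kMaxStringBytes = 1u << 20;  // 1 MiB

static std::uint32_t readU32LE(const std::uint8_t* p) {
    return static_cast<std::uint32_t>(p[0])
         | (static_cast<std::uint32_t>(p[1]) << 8)
         | (static_cast<std::uint32_t>(p[2]) << 16)
         | (static_cast<std::uint32_t>(p[3]) << 24);
}

// Hardened parse: the declared length is checked against a sane upper bound,
// against UTF-16 alignment and against the bytes actually present in the
// record before any buffer is sized from it. A failure yields nullopt so the
// caller can abort the import instead of dereferencing a failed allocation.
std::optional<DffStringProp> parseStringProp(const std::uint8_t* rec, std::size_t recLen) {
    if (rec == nullptr || recLen < 4) return std::nullopt;   // no room for the header
    const std::uint32_t byteLen = readU32LE(rec);
    if (byteLen > kMaxStringBytes) return std::nullopt;       // absurd length: corrupt record
    if (byteLen % 2 != 0) return std::nullopt;                // UTF-16LE needs an even count
    if (byteLen > recLen - 4) return std::nullopt;            // length runs past the record
    const std::size_t units = byteLen / 2;
    std::u16string text(units, u'\0');
    for (std::size_t i = 0; i < units; ++i) {
        const std::size_t off = 4 + 2 * i;
        text[i] = static_cast<char16_t>(rec[off] | (rec[off + 1] << 8));
    }
    return DffStringProp{std::move(text), 4 + static_cast<std::size_t>(byteLen)};
}

// Builds a constructed test record with an arbitrary declared length so that
// mismatches between the header and the body can be exercised.
std::vector<std::uint8_t> makeRecord(std::uint32_t declaredLen, const std::u16string& body) {
    std::vector<std::uint8_t> rec;
    for (int shift = 0; shift < 32; shift += 8)
        rec.push_back(static_cast<std::uint8_t>(declaredLen >> shift));
    for (char16_t c : body) {
        rec.push_back(static_cast<std::uint8_t>(c & 0xff));
        rec.push_back(static_cast<std::uint8_t>(c >> 8));
    }
    return rec;
}

// A consistent record parses and yields its text.
bool wellFormedRecordParses() {
    const std::u16string body = u"shape";
    auto rec = makeRecord(static_cast<std::uint32_t>(body.size() * 2), body);
    auto prop = parseStringProp(rec.data(), rec.size());
    return prop.has_value() && prop->text == body && prop->consumed == rec.size();
}

// A header claiming 0x55555555 bytes (the length seen in the register dump
// above) over a two-character body is rejected before any allocation.
bool oversizeLengthRejected() {
    auto rec = makeRecord(0x55555555u, u"ab");
    return !parseStringProp(rec.data(), rec.size()).has_value();
}

// A modest but still over-long length (8 bytes declared, 2 present) is also rejected.
bool lengthBeyondRecordRejected() {
    auto rec = makeRecord(8u, u"a");
    return !parseStringProp(rec.data(), rec.size()).has_value();
}

int main() {
    std::printf("well-formed: %s\n", wellFormedRecordParses() ? "ok" : "FAIL");
    std::printf("oversize:    %s\n", oversizeLengthRejected() ? "rejected" : "FAIL");
    std::printf("truncated:   %s\n", lengthBeyondRecordRejected() ? "rejected" : "FAIL");
    return 0;
}
```

The ordering of the checks matters: the bound and the remaining-bytes comparison both happen on the raw uint32 from the file, so no arithmetic on a hostile value feeds an allocation size, and the record length is checked to be at least 4 before `recLen - 4` is formed, so that subtraction cannot wrap.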
Comment 1 omair3030 2011-01-10 22:41:01 UTC
Created attachment 75529
attached the xls file
Comment 2 Marcus 2011-01-11 09:38:03 UTC
due to the rules no P1
Comment 3 Edwin Sharp 2014-01-15 14:50:35 UTC
Confirmed with
AOO410m1(Build:9750)  -  Rev. 1557669
2014-01-14_04:11:13 - Rev. 1557927
Debian

OK with Calligra Sheets 2.7.5