Issue 120250 - Crash while opening RTF file
Summary: Crash while opening RTF file
Alias: None
Product: Writer
Classification: Application
Component: open-import (show other issues)
Version: 3.4.0
Hardware: All All
: P2 Normal (vote)
Target Milestone: 4.0.0
Assignee: Andre
QA Contact:
Keywords: regression
: 120291 (view as issue list)
Depends on:
Reported: 2012-07-11 07:25 UTC by Andrea Pescetti
Modified: 2013-07-11 08:14 UTC (History)
4 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---
doneyourself: 4.0.0_release_blocker?

Crashes OpenOffice 3.4, works on 3.3 (418.94 KB, application/octetstream)
2012-07-11 07:25 UTC, Andrea Pescetti
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description Andrea Pescetti 2012-07-11 07:25:42 UTC
Created attachment 78624 [details]
Crashes OpenOffice 3.4, works on 3.3

Opening (or scrolling to the second page) the attached RTF file leads to a crash in OpenOffice 3.4 while it works normally in 3.3.

Tested on OpenOffice 3.4 with a clean profile and all QA best practices (clean install and so on).

The file is from a public domain repository of classic books and all RTF files downloaded from there seem to be affected. 

[ Credits: reported by Italian users on the Italian forum/newsgroups ]
Comment 1 Kay 2013-06-08 23:12:18 UTC
Is there any other information on this particular document? Yes, it does crash on the second page with AOO 4.0 also. I don't have OOo3.3 to test.
Comment 2 Andrea Pescetti 2013-06-15 21:58:41 UTC
OpenOffice 400m2 still crashes on these RTF files (all the files I tested from the site, but specifically the file attached to this issue will crash).

If this can help, this is what gdb tells me (I can provide the full output if useful) when I open the RTF file and scroll to page 2, thus causing the crash:

$ gdb /.../openoffice4/program/soffice.bin 
(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x00007fffcc853c53 in SwIndex::SwIndex(SwIndexReg*, unsigned short) () from /.../openoffice4/program/../program/
Comment 3 Andre 2013-06-18 15:18:53 UTC
Debugging on Windows revealed the crash happening in sw/source/core/bastyp/index.cxx:94 where SwIndexReg object is accessed with empty pLast member.
Comment 4 Andre 2013-06-18 15:31:10 UTC
Looks like SwIndexReg members pFirst and pLast are expected to be both NULL or both non-NULL.  Therefore only pFirst is checked to be non-NULL in index.cxx:92.
But in the crash pFirst is non-NULL, and thus passes the test, but pLast is still NULL and triggers the crash when accessed anyway.  Looks like the doubly linked list is not properly initialized/managed.
Comment 5 Andre 2013-06-18 15:41:01 UTC
*** Issue 120291 has been marked as a duplicate of this issue. ***
Comment 6 Andre 2013-06-20 13:26:11 UTC
Taking over.
Comment 7 Andre 2013-06-21 08:07:04 UTC
The doubly linked list SwIndexReg is not well implemented.  The problem that causes the crash is the removal of items from the list.  It does not handle the case when an item is the last element in the list and pFirst and pLast pointers have both be reset.  There is another problem with items being removed from lists in which they are not a member.

Fixed both problems but more probably remain.  It would probably be best to reimplement SwIndex/SwIndexReg.

Fixed in revision 1495315.
Comment 8 Andrea Pescetti 2013-06-25 17:17:48 UTC
Thank Andre, works with the latest daily snapshot. Closing.
Comment 9 2013-07-11 08:14:51 UTC
Updated target to release that will contain the fix.