Apache OpenOffice (AOO) Bugzilla – Issue 123690
CRASH when decreasing color picker vertical size too much
Last modified: 2017-05-20 10:35:17 UTC
When resizing color picker drop-down, if the drop-down is made too small, Writer crashes. The size is dependent only on the vertical size. The horizontal size can be pushed to as small as it can go and it does not crash. But regardless of the horizontal size, when the vertical size is pushed to approximately when the blocks are too small to show the color, the program crashes.
I was able to replicate this issue using Apple iMac: AOO 4.0.0 [AOO400m3(Build:9702) - Rev. 1503704 2013-07-16 14:52:30 (Tues, 16 July 2013)] on iMac Mac OSX 10.6.8 Snow Leopard.
Nate Q. 11/14/2013: I was able to replicate this crash on Mac OS X 10.9 Build 13A603 using Open Office 4.0.1. The bug is not exclusive to Writer, and I was able to reproduce the same crash in every application where a color picker is used. To recreate the bug, I used any one of the font color, highlighting, or background color drop-downs and resized the window vertically until the application crashed.
confirming crash with aoo401 on winxp
Reproducible with server installation of "AOO 4.1.0-Dev – English UI / English locale - [AOO410m1(Build:9750) - Rev. 1537973 - 2013-11-03]" on German WIN7 Home Premium (64bit), own separate user profile:
1. From AOO start center open blank new Calc document using New Document icon
2. Long click on Character color icon in Standard Toolbar
   Color Picker appears
3. Move mouse pointer to bottom of dialog
   > Mouse pointer view changes to "resize"
4. Press left mouse button and move bottom dialog border upwards (3mm / s)
   CRASH when height becomes very small
Additional info:
(a) already Reproducible with server installation of "AOO 4.0.0-Dev – English UI / German locale [AOO400m1(Build:9700) – Rev.1476029 ((2013-04-26))]" on German WIN7 Home Premium (64bit), own separate user profile
(b) was still ok (simply all contents of picker disappears) with server installation of "AOO 4.0.0-Dev – English UI / German locale [AOO400m1(Build:9700) - Rev. 1457992 – Rev.1457606 ((2013-03-19))]" on German WIN7 Home Premium (64bit), own separate user profile
(c) Latest confirmation for AOO 4.1.0-dev, but because of incomplete LCo selector (Bug 123063) no correct information can be contributed.
confirming the crash - works in AOO 3.4.1, broken in AOO 4.0.0
taking over to work on a solution
Created attachment 82282: patch to solve the crash
The crash is triggered by method <createBlendFrame(..)> by calling <BitmapWriteAccess::SetPixel(..)> with an inappropriate value for <y>. Due to the given comments regarding the values of <x> and <y> I identified the root cause: in case that <nH == 1>, the given statement <y == nH - 1> does not hold.
@Armin: As you are the author of method BitmapEx createBlendFrame( const Size&, sal_uInt8, Color, Color, Color, Color ), I am asking you for a review of the proposed patch.
Comment on attachment 82282: patch to solve the crash
wrong flag ;-) - the "+" should be given by the reviewer
ALG: Thanks for checking. Indeed, when nW and/or nH are 1, x and/or y can be 1, too, after the loops. This is about blending a frame on a bitmap, thus these cases represent a target bitmap with no right/bottom line to be set. Representing that in the method...
Adapted and checked, this could indeed happen for X and Y, but for X the probability to destroy something with the write access is much less due to the mem structure of bitmaps. Both are now prevented, stepped through both extremes. Grepping, preparing checkin...
Okay, done. Thanks for finding this!
"alg" committed SVN revision 1558424 into trunk: i123690 handle the extremes Width or Height equal one
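The failure mode discussed in the comments above, as an added sketch that is not part of the issue thread and is not the AOO source: a frame-drawing routine that reuses its loop counters for the right and bottom edges, run with and without a bounds guard. `Canvas`, `drawFrame` and the `guard` flag are hypothetical names, and the canvas counts out-of-range writes instead of performing them.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a bitmap write access. It counts out-of-range
// writes instead of performing them, so the defect is observable without UB.
struct Canvas {
    long w, h;
    std::vector<unsigned char> px;
    int oob = 0;
    Canvas(long w_, long h_) : w(w_), h(h_), px(static_cast<std::size_t>(w_ * h_)) {}
    void setPixel(long y, long x, unsigned char c) {
        if (x < 0 || y < 0 || x >= w || y >= h) { ++oob; return; }
        px[static_cast<std::size_t>(y * w + x)] = c;
    }
};

// Draws a one-pixel frame and returns the number of out-of-range writes.
// The far edges reuse the loop counters, assuming x == w - 1 and y == h - 1
// once the loops finish. With guard == false that assumption is unchecked.
int drawFrame(long w, long h, bool guard) {
    Canvas c(w, h);
    long x = 0, y = 0;
    c.setPixel(0, 0, 1);                                // top-left corner
    for (x = 1; x < w - 1; ++x) c.setPixel(0, x, 2);    // top line
    const bool hasRight = !guard || x < w;              // w == 1 leaves x == w
    if (hasRight) c.setPixel(0, x, 3);                  // top-right corner
    for (y = 1; y < h - 1; ++y) {                       // left and right lines
        c.setPixel(y, 0, 2);
        if (hasRight) c.setPixel(y, x, 2);
    }
    if (!guard || y < h) {                              // h == 1 leaves y == h
        c.setPixel(y, 0, 4);                            // bottom-left corner
        for (long i = 1; i < w - 1; ++i) c.setPixel(y, i, 2);
        if (hasRight) c.setPixel(y, x, 5);              // bottom-right corner
    }
    return c.oob;
}

int main() {
    const long sizes[][2] = {{8, 8}, {8, 1}, {1, 8}, {1, 1}};
    for (const auto& s : sizes)
        std::printf("%ldx%ld unguarded=%d guarded=%d\n", s[0], s[1],
                    drawFrame(s[0], s[1], false), drawFrame(s[0], s[1], true));
    return 0;
}
```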
*** Issue 124226 has been marked as a duplicate of this issue. ***
Verified on snapshot Rev.1566593, the defect was resolved.
Change defect status per Clarence Guo's comment
Verified on snapshot Rev.1573601, the defect was resolved.
*** Issue 124662 has been marked as a duplicate of this issue. ***