Issue 123870 - CRASH when open Particular.xls with chart
Summary: CRASH when open Particular.xls with chart
Alias: None
Product: Calc
Classification: Application
Component: open-import (show other issues)
Version: 3.4.0
Hardware: PC Windows, all
: P3 Major (vote)
Target Milestone: 4.1.0
Assignee: AOO issues mailing list
QA Contact: zhaoshzh
Keywords: crash
Depends on:
Reported: 2013-12-17 21:57 UTC by barrier.brown
Modified: 2017-05-20 10:35 UTC (History)
4 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: 4.1.0-dev
Developer Difficulty: ---

xls file with one very simple chart (11.50 KB, application/octet-stream)
2013-12-17 21:57 UTC, barrier.brown
no flags Details
Test Kit (14.58 KB, application/zip)
2013-12-18 07:15 UTC, Rainer Bielefeld
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description barrier.brown 2013-12-17 21:57:17 UTC
Created attachment 82124 [details]
xls file with one very simple chart

I created an xls file with charts in using oo. All seemed ok, but after some edits I could no longer open the file - it now crashes oo.
The original file has been modified to remove almost everything - all that remains is a single chart plotting one pair of points. This works ok using Excel, and was modified using Excel on another PC.
If the chart is removed and recreated, the file can be opened ok again.

I am running Windows 8.1 on a Samsung laptop with i5-3210M processor. The problem was seen on oo v4.0.0, then I updated to 4.0.1 and it's still seen.
Comment 1 Rainer Bielefeld 2013-12-18 05:54:35 UTC
Reproducible with "AOO 4.0.1   – German UI / German locale  [Rev. 1524958 2013-09-20 11:40:29]" on  German WIN7 Home Premium (64bit)", “historic”  4.0  User Profile used for all  predecessor versions

Modify Version due to report
Comment 2 Rainer Bielefeld 2013-12-18 06:11:15 UTC
(a) Already reproducible with  Pre-3.4.0 (OOo 3.3.0), but because of crippled  
    Version selector (Bug 123063) no useful info can be contributed
(b) Still Reproducible with server installation of "AOO 4.1.0-Dev – 
    English  UI / English locale - [AOO410m1(Build:9750)  -  Rev. 1546757 - 
    2013-12-02]" on German WIN7 Home Premium (64bit)", own separate user profile.
(c) No crash with OOo 3.1.1, but no Data range selected with that version
(d) no Crash with OOo 2.0.2, Data Range "$Error.$A$2:$B$2" with that version
(e) SoftMaker FreeOffice shows empty chart
(f) MS Excel Viewer opens document without problems, shows vertical line with
    length=10 at X=0
Comment 3 Rainer Bielefeld 2013-12-18 06:34:46 UTC
(g) LibO 4.1 does not crash, Chart looks like in MS EXCEL Viewer
Comment 4 Rainer Bielefeld 2013-12-18 07:15:29 UTC
Created attachment 82126 [details]
Test Kit

Attached Test Kit contains 3 Documents

(h) Mytest_NoGood_LibO4132.ods
    Has been createded from reporter's sample document using LibO
(i) Mytest_NoGood_LibO4132.xls
    Has been createded from Mytest_NoGood_LibO4132.ods sample document 
    using LibO
    AOO 4.1 will crash opening that document
(k) Mytest_NoGood_LibO4132OOO410.xls
    Has been createded from Mytest_NoGood_LibO4132.ods sample document 
    using AOO 4.1
    AOO 4.1 will NOT crash opening that document
(l) May be differences between both .xls help to find the vulnerability in
(m) Both .xls look fine in MS EXCEL Viewer
Comment 5 Armin Le Grand 2014-01-17 17:23:54 UTC
Taking a look. In StartEndListening::operator() a ScRange is created which has a nCol (column) set to -27541. This is later used as index to an array which crashes. Resetting it to null makes the load work (it's actually not the load but a XclImpChart::Convert which also sets the listeners to the corresponding chart cells).
Thus, ScRefTokenHelper::getRangeFromToken makes something wrong. Checking...
Comment 6 Armin Le Grand 2014-01-17 17:25:19 UTC
The ScSingleRefData the data is copied from is already wrong. Lets see where this is created...
Comment 7 Armin Le Grand 2014-01-17 17:31:03 UTC
ScSingleRefData has no constructor, so its not easy to see where it gets constructed. This also means that the members are not initialized (which may already be the problem). Who is writing classes like this..?
Comment 8 Armin Le Grand 2014-01-17 20:06:18 UTC
In ScSingleRefData the flags for relative col/row are set in the dangerous case, thus the absolute values nCol/nRow should not even be used, but they get used. There is also ScSingleRefData::CalcAbsIfRel which probably should be used on the instance before usage, it needs a const ScAddress&. This i snot available at the place where it goers wrong, so this should probably be appied before and relative to something that makes sense...
Comment 9 Armin Le Grand 2014-01-17 21:13:06 UTC
Tried different solutions:
- Added correctors to ScRefTokenHelper::getRangeFromToken to do CalcAbsIfRel if needed. Works, but I do not want to change that data. It hets called in running office, too, with relative entries but the absolute get used. Thus, adding an assertion there.
- Added initializers for the members of ScSingleRefData and ScComplexRefData in ExcelToSc8::ConvertExternName and ExcelToSc8::Convert. Also works, but shows that a initializing constructor would work sell, too.
- Added constructor to ScSingleRefData (will also work for ScComplexRefData whcih has two ScSingleRefData as members), this is probably the best thing to do.

Checking that solution...
Comment 10 Armin Le Grand 2014-01-17 22:28:02 UTC
Constructor did not work, it is used in various union constructs and does not simply allow a user-defined one; added a method InitMembers instead and use that at the according places. Also exchanged the assertion in getRangeFromToken to not check for relative flags (happens too often to really be wrong), but for validity of ranges of absolute values.
Checking this solution...
Comment 11 Armin Le Grand 2014-01-17 22:29:46 UTC
This works well and produces the correct result (cheched with MS stuff). Preparing commit...
Comment 12 SVN Robot 2014-01-17 22:32:32 UTC
"alg" committed SVN revision 1559272 into trunk:
i123870 corrected import values on xml import with chart, avoid uninitialized...
Comment 13 Armin Le Grand 2014-01-17 22:33:01 UTC
Okay, done.
Comment 14 zhaoshzh 2014-02-27 02:57:31 UTC
fixed on AOO410m1(build:9750) - rev:1566593
Comment 15 fanyuzhen 2014-02-27 10:28:04 UTC
Change status per Shao Zhi Zhao's comment 14