
Bug#761226: libreoffice-writer: Segmentation fault on special document content/input
Package: libreoffice-writer
Version: 1:4.3.1-1
Severity: important

Dear Maintainer,

libreoffice-writer will segfault when a file contains content such as:

(1)(2)(3)aa

This can be in an existing file being opened, or simply typed or pasted into a
blank document.

Variations I've tried that also trigger the segfault:

- Adding spaces around (before, between, and after) the parenthesized values.
- Changing the 1, 2, 3 values to any other numbers.
- Adding more numbers (parenthesized or not) between "(3)" and "aa".

Variations that avoid the segfault:

- Changing any of the 1, 2, 3 values to non-numeric values.
- Making the trailing content consist of a single letter.  (The segfault occurs
in the original example only when something follows the first "a".)
- Prior content on the line, e.g. a line with "a(1)(2)(3)aa" seems okay.
- Making the trailing content consist only of numbers (whether or not
parenthesized).  Neither "(1)(1)(1) 42 56 12345" nor "(1)(1)(1)(42)" triggers
the segfault, but "(1)(1)(1) 42 56 12345 aa" does.

A backtrace is attached.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libreoffice-writer depends on:
ii  libabw-0.1-1           0.1.0-2
ii  libc6                  2.19-10
ii  libe-book-0.1-1        0.1.1-2
ii  libgcc1                1:4.9.1-13
ii  libicu52               52.1-5
ii  libmwaw-0.3-3          0.3.1-2
ii  libodfgen-0.1-1        0.1.1-2
ii  libreoffice-base-core  1:4.3.1-1
ii  libreoffice-core       1:4.3.1-1
ii  librevenge-0.0-0       0.0.1-3
ii  libstdc++6             4.9.1-13
ii  libwpd-0.10-10         0.10.0-2
ii  libwpg-0.3-3           0.3.0-3
ii  libwps-0.3-3           0.3.0-2
ii  libxml2                2.9.1+dfsg1-4
ii  uno-libs3              4.3.1-1
ii  ure                    4.3.1-1
ii  zlib1g                 1:1.2.8.dfsg-2

Versions of packages libreoffice-writer recommends:
pn  libreoffice-math  <none>

Versions of packages libreoffice-writer suggests:
ii  default-jre [java5-runtime]    2:1.7-52
ii  fonts-crosextra-caladea        20130214-1
pn  fonts-crosextra-carlito        <none>
ii  libreoffice-base               1:4.3.1-1
pn  libreoffice-gcj                <none>
ii  libreoffice-java-common        1:4.3.1-1
ii  openjdk-7-jre [java5-runtime]  7u65-2.5.2-3

Versions of packages libreoffice-core depends on:
ii  fontconfig                2.11.0-6.1
ii  fonts-opensymbol          2:102.6+LibO4.3.1-1
ii  libatk1.0-0               2.12.0-1
ii  libboost-date-time1.55.0  1.55.0+dfsg-2
ii  libc6                     2.19-10
ii  libcairo2                 1.12.16-5
ii  libclucene-contribs1      2.3.3.4-4
ii  libclucene-core1          2.3.3.4-4
ii  libcmis-0.4-4             0.4.1-7
ii  libcups2                  1.7.5-1
ii  libcurl3-gnutls           7.38.0-1
ii  libdbus-1-3               1.8.6-2
ii  libdbus-glib-1-2          0.102-1
ii  libeot0                   0.01-3
ii  libexpat1                 2.1.0-6
ii  libexttextcat-2.0-0       3.4.4-1
ii  libfontconfig1            2.11.0-6.1
ii  libfreetype6              2.5.2-1.1
ii  libgcc1                   1:4.9.1-13
ii  libgdk-pixbuf2.0-0        2.30.8-1
ii  libgl1-mesa-glx [libgl1]  10.2.6-1
ii  libglew1.10               1.10.0-3
ii  libglib2.0-0              2.40.0-5
ii  libgltf-0.0-0             0.0.0-2
ii  libglu1-mesa [libglu1]    9.0.0-2
ii  libgraphite2-3            1.2.4-3
ii  libgtk2.0-0               2.24.24-1
ii  libharfbuzz-icu0          0.9.35-1
ii  libharfbuzz0b             0.9.35-1
ii  libhunspell-1.3-0         1.3.3-2
ii  libhyphen0                2.8.7-3
ii  libice6                   2:1.0.9-1
ii  libicu52                  52.1-5
ii  libjpeg8                  8d1-1
ii  liblangtag1               0.5.1-2
ii  liblcms2-2                2.6-3
ii  libldap-2.4-2             2.4.39-1.1+b1
ii  libmythes-1.2-0           2:1.2.4-1
ii  libneon27-gnutls          0.30.0-4
ii  libnspr4                  2:4.10.7-1
ii  libnss3                   2:3.17-1
ii  libnss3-1d                2:3.17-1
ii  libodfgen-0.1-1           0.1.1-2
ii  libpango-1.0-0            1.36.7-1
ii  libpangocairo-1.0-0       1.36.7-1
ii  libpangoft2-1.0-0         1.36.7-1
ii  libpng12-0                1.2.50-2
ii  librdf0                   1.0.17-1+b1
ii  libreoffice-common        1:4.3.1-1
ii  librevenge-0.0-0          0.0.1-3
ii  libsm6                    2:1.2.2-1
ii  libssl1.0.0               1.0.1i-2
ii  libstdc++6                4.9.1-13
ii  libx11-6                  2:1.6.2-3
ii  libxext6                  2:1.3.2-1
ii  libxinerama1              2:1.1.3-1
ii  libxml2                   2.9.1+dfsg1-4
ii  libxrandr2                2:1.4.2-1
ii  libxrender1               1:0.9.8-1
ii  libxslt1.1                1.1.28-2
ii  libxt6                    1:1.1.4-1
ii  uno-libs3                 4.3.1-1
ii  ure                       4.3.1-1
ii  zlib1g                    1:1.2.8.dfsg-2

-- no debconf information

GNU gdb (Debian 7.7.1+dfsg-3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/libreoffice/program/soffice.bin...Reading symbols from /usr/lib/debug//usr/lib/libreoffice/program/soffice.bin...done.
done.
(gdb) set pagination 0
(gdb) run --writer
Starting program: /usr/lib/libreoffice/program/soffice.bin --writer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe7652700 (LWP 9339)]
[New Thread 0x7fffe12b8700 (LWP 9340)]
[New Thread 0x7fffe0ab7700 (LWP 9341)]
[New Thread 0x7fffda5cd700 (LWP 9342)]
[New Thread 0x7fffcffff700 (LWP 9344)]
[Thread 0x7fffe12b8700 (LWP 9340) exited]
[New Thread 0x7fffe12b8700 (LWP 9345)]
[New Thread 0x7fffc4a8e700 (LWP 9348)]
[New Thread 0x7fffbeea3700 (LWP 9349)]
[Thread 0x7fffbeea3700 (LWP 9349) exited]
[New Thread 0x7fffbeea3700 (LWP 9350)]
[Thread 0x7fffbeea3700 (LWP 9350) exited]
[Thread 0x7fffc4a8e700 (LWP 9348) exited]
[New Thread 0x7fffc4a8e700 (LWP 9351)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3182edb in ScriptRun::next (this=this@entry=0x7fffffff8be0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/generic/glyphs/scrptrun.cxx:148
148	/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/generic/glyphs/scrptrun.cxx: No such file or directory.
(gdb) bt
#0  0x00007ffff3182edb in ScriptRun::next (this=this@entry=0x7fffffff8be0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/generic/glyphs/scrptrun.cxx:148
#1  0x00007ffff317f2ca in HbLayoutEngine::layout (this=0x1a17cb0, rLayout=..., rArgs=...) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/generic/glyphs/gcach_layout.cxx:388
#2  0x00007ffff2f8145a in OutputDevice::ImplLayout (this=0x15f3030, rOrigStr=..., nMinIndex=0, nLen=14, rLogicalPos=Point = {...}, nLogicalWidth=<optimized out>, pDXArray=0x0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/outdev/text.cxx:1289
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x19: 
#3  0x00007ffff2f81754 in OutputDevice::GetTextArray (this=0x15f3030, rStr=<error reading variable: Cannot access memory at address 0x19>, pDXAry=0x0, nIndex=13, nLen=14) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/outdev/text.cxx:992
#4  0x00007fffceb651cc in SwFntObj::GetTextSize (this=0x7fffd8e12060, rInf=...) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/txtnode/fntcache.cxx:1973
#5  0x00007fffceb80484 in SwSubFont::_GetTxtSize (this=0x1a470d0, rInf=...) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/txtnode/swfont.cxx:1090
#6  0x00007fffceaf5fb6 in _GetTxtSize (rInf=..., this=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/inc/swfont.hxx:359
#7  SwTxtSizeInfo::GetTxtSize (this=this@entry=0x7fffffffa720, pSI=pSI@entry=0x7fffd8dfd080, nIndex=0, nLength=nLength@entry=14, nComp=nComp@entry=0, nMinSize=@0x7fffffff95d0: 0, nMaxSizeDiff=@0x7fffffff94c8: 2) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/inftxt.cxx:400
#8  0x00007fffceaf3760 in SwTxtGuess::Guess (this=this@entry=0x7fffffff95b0, rPor=..., rInf=..., nPorHeight=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/guess.cxx:125
#9  0x00007fffceb2b8fd in SwTxtPortion::_Format (this=0x7fffd8dfd000, rInf=...) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/portxt.cxx:303
#10 0x00007fffceb0bddc in SwTxtFormatter::BuildPortions (this=this@entry=0x7fffffffa910, rInf=...) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/itrform2.cxx:535
#11 0x00007fffceb0cff3 in SwTxtFormatter::FormatLine (this=this@entry=0x7fffffffa910, nStartPos=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/itrform2.cxx:1545
#12 0x00007fffceae6680 in SwTxtFrm::FormatLine (this=this@entry=0x7fffd8e0c000, rLine=..., bPrev=bPrev@entry=false) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/frmform.cxx:1126
#13 0x00007fffceaeb8a4 in SwTxtFrm::_Format (this=this@entry=0x7fffd8e0c000, rLine=..., rInf=..., bAdjust=bAdjust@entry=false) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/frmform.cxx:1488
#14 0x00007fffceaec704 in SwTxtFrm::_Format (this=this@entry=0x7fffd8e0c000, pPara=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/frmform.cxx:1662
#15 0x00007fffceaed94e in SwTxtFrm::Format (this=0x7fffd8e0c000) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/text/frmform.cxx:1809
#16 0x00007fffcea14dab in SwCntntFrm::MakeAll (this=0x7fffd8e0c000) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/layout/calcmove.cxx:1330
#17 0x00007fffcea1297f in SwFrm::PrepareMake (this=0x7fffd8e0c000) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/layout/calcmove.cxx:337
#18 0x00007fffcea49391 in SwLayAction::_TurboAction (this=this@entry=0x7fffffffb6b0, pCnt=0x7fffd8e0c000) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/layout/layact.cxx:824
#19 0x00007fffcea496aa in SwLayAction::TurboAction (this=0x7fffffffb6b0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/layout/layact.cxx:878
#20 0x00007fffcea4b1ed in SwLayAction::Action (this=this@entry=0x7fffffffb6b0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/layout/layact.cxx:356
#21 0x00007fffced5e995 in SwViewShell::ImplEndAction (this=this@entry=0x16c6ae0, bIdleEnd=bIdleEnd@entry=false) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/view/viewsh.cxx:249
#22 0x00007fffce82c65b in EndAction (bIdleEnd=false, this=0x16c6ae0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/inc/viewsh.hxx:600
#23 SwCrsrShell::EndAction (this=this@entry=0x16c6ae0, bIdleEnd=bIdleEnd@entry=false) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/crsr/crsrsh.cxx:251
#24 0x00007fffce9a4b82 in SwEditShell::EndAllAction (this=this@entry=0x16c6ae0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/edit/edws.cxx:87
#25 0x00007fffce98e844 in SwEditShell::Insert2 (this=this@entry=0x16c6ae0, rStr="s", bForceExpandHints=bForceExpandHints@entry=false) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/edit/editsh.cxx:159
#26 0x00007fffcf0762af in SwWrtShell::Insert (this=this@entry=0x16c6ae0, rStr="s") at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/uibase/wrtsh/wrtsh1.cxx:226
#27 0x00007fffceeef876 in SwEditWin::FlushInBuffer (this=this@entry=0x16b8500) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/uibase/docvw/edtwin.cxx:942
#28 0x00007fffceef716e in SwEditWin::KeyInput (this=0x16b8500, rKEvt=...) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/sw/source/core/uibase/docvw/edtwin.cxx:2636
#29 0x00007ffff2eecf58 in ImplHandleKey (pWindow=0x1548ce0, nSVEvent=<optimized out>, nKeyCode=<optimized out>, nCharCode=115, nRepeat=<optimized out>, bForward=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/winproc.cxx:1034
#30 0x00007ffff2eef88d in ImplWindowFrameProc (pWindow=0x1548ce0, nEvent=13, pEvent=0x7fffffffc9b0) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/winproc.cxx:2324
#31 0x00007fffe63d8762 in CallCallback (pEvent=0x7fffffffc9b0, nEvent=5, this=0x1549460) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/inc/salframe.hxx:243
#32 GtkSalFrame::doKeyCallback (this=0x1549460, state=0, keyval=<optimized out>, hardware_keycode=<optimized out>, group=<optimized out>, time=<optimized out>, aOrigCode=115, bDown=true, bSendRelease=true) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/unx/gtk/window/gtksalframe.cxx:477
#33 0x00007fffe63d9d03 in GtkSalFrame::IMHandler::signalIMCommit (pText=<optimized out>, im_handler=0x1a07720) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/unx/gtk/window/gtksalframe.cxx:4263
#34 0x00007fffeea22080 in g_cclosure_marshal_VOID__STRINGv () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#35 0x00007fffeea1f644 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#36 0x00007fffeea39b07 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#37 0x00007fffeea3a9ba in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#38 0x00007fffeea22080 in g_cclosure_marshal_VOID__STRINGv () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#39 0x00007fffeea1f644 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#40 0x00007fffeea39b07 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#41 0x00007fffeea3a9ba in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#42 0x00007fffd861f5b4 in ?? () from /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/immodules/im-xim.so
#43 0x00007fffe5b40ad3 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#44 0x00007fffe63da0ac in GtkSalFrame::IMHandler::handleKeyEvent (this=0x1a07720, pEvent=pEvent@entry=0x7fffd0003070) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/unx/gtk/window/gtksalframe.cxx:4127
#45 0x00007fffe63da2e5 in GtkSalFrame::signalKey (pEvent=0x7fffd0003070, frame=0x1549460) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/unx/gtk/window/gtksalframe.cxx:3747
#46 0x00007fffe5b5701f in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#47 0x00007fffeea1f415 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#48 0x00007fffeea319dc in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#49 0x00007fffeea39d16 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#50 0x00007fffeea3a46f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#51 0x00007fffe5c6740c in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#52 0x00007fffe5b5584f in gtk_propagate_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#53 0x00007fffe5b55beb in gtk_main_do_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#54 0x00007fffe57cf03c in ?? () from /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0
#55 0x00007ffff1b91ecd in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#56 0x00007ffff1b921b8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#57 0x00007ffff1b9226c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#58 0x00007fffe63b9007 in GtkData::Yield (this=0x63f3d0, bWait=<optimized out>, bHandleAllCurrentEvents=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/unx/gtk/app/gtkdata.cxx:575
#59 0x00007ffff30dface in ImplYield (i_bAllEvents=false, i_bWait=true) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/app/svapp.cxx:359
#60 Application::Yield () at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/app/svapp.cxx:391
#61 0x00007ffff30dfb65 in Application::Execute () at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/app/svapp.cxx:340
#62 0x00007ffff7933775 in desktop::Desktop::Main (this=0x7fffffffdf80) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/desktop/source/app/app.cxx:1682
#63 0x00007ffff30e4732 in ImplSVMain () at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/app/svmain.cxx:155
#64 0x00007ffff30e4762 in SVMain () at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/app/svmain.cxx:188
#65 0x00007ffff79564d5 in soffice_main () at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/desktop/source/app/sofficemain.cxx:85
#66 0x000000000040071b in sal_main () at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/desktop/source/app/main.c:48
#67 main (argc=<optimized out>, argv=<optimized out>) at /build/libreoffice-Xeqp7W/libreoffice-4.3.1/desktop/source/app/main.c:47