Posted to issues@openoffice.apache.org by bu...@apache.org on 2014/04/11 17:16:55 UTC

[Issue 124661] New: crash when loading and re-saving attached ppt file with a single customshape

https://issues.apache.org/ooo/show_bug.cgi?id=124661

          Issue ID: 124661
        Issue Type: DEFECT
           Summary: crash when loading and re-saving attached ppt file
                    with a single customshape
           Product: Impress
           Version: 4.1.0-dev
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: save-export
          Assignee: issues@openoffice.apache.org
          Reporter: Armin.Le.Grand@me.com

Created attachment 83172
  --> https://issues.apache.org/ooo/attachment.cgi?id=83172&action=edit
minimized example file causing the crash

To create the crash: Load attached ppt and save as (to be able to reuse the
file) also as ppt -> crash

Reason is that the contained single customshape seems to have a wrong
definition or is wrongly imported (not sure yet). The formula contains
references to object 196 (?196), but has only 150 definition lines. This leads
to mem accesses out of bound in ConvertEnhancedCustomShapeEquation. A first
change to avoid that already survives the crash, but does not yet identify the
root of the problem. Nonetheless, out of bound accesses are always good to
avoid.

-- 
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.

[Issue 124661] crash when loading and re-saving attached ppt file with a single customshape

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124661

--- Comment #3 from SVN Robot <sv...@dev.null.org> ---
"alg" committed SVN revision 1586681 into trunk:
i124661 secure possible out of bound access to stl vector content


--- Comment #2 from Armin Le Grand <Ar...@me.com> ---
Checking the bounds and not accessing when out of bounds makes the save survive
and looks good in ppt. Added an assertion, too. Preparing commit of this 1st
change.
This is not yet fixed, but without the crash after that. Keep open due to
identifying the cause of this is needed.


--- Comment #9 from SVN Robot <sv...@dev.null.org> ---
"steve_y" committed SVN revision 1587496 into trunk:
Issue 124661 - crash when loading and re-saving attached ppt file with a
sing...


Armin Le Grand <Ar...@me.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |ACCEPTED
             Latest|---                         |4.1-dev
    Confirmation on|                            |
           Assignee|issues@openoffice.apache.or |Armin.Le.Grand@me.com
                   |g                           |
   Target Milestone|---                         |4.2.0

--- Comment #1 from Armin Le Grand <Ar...@me.com> ---
First is to avoid out of bound access, adding that...


Armin Le Grand <Ar...@me.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ACCEPTED                    |RESOLVED
            Version|4.0.0                       |4.1.0-dev
         Resolution|---                         |FIXED

--- Comment #18 from Armin Le Grand <Ar...@me.com> ---
To resolved, crash is fixed. Additional thanks to Steve Yin!


--- Comment #13 from Steve Yin <st...@gmail.com> ---
Hi Armin. Yes, agree with you.


Steve Yin <st...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |steve.yin.aoo@gmail.com

--- Comment #4 from Steve Yin <st...@gmail.com> ---
Found a related issue: https://issues.apache.org/ooo/show_bug.cgi?id=112309


--- Comment #10 from Armin Le Grand <Ar...@me.com> ---
Hi steve, thanks for the fix. But why '128' ? Is there really a fixed limit for
PPT CustomShape formula equations? Shouldn't it be compared with the (hopefully
known) number of entries in the current formula, at least when that number is
less than 128...?


Rainer Bielefeld <ra...@bielefeldundbuss.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression
                 CC|                            |rainerbielefeld_ooo_qa@biel
                   |                            |efeldundbuss.de
            Version|4.1.0-dev                   |4.0.0

--- Comment #15 from Rainer Bielefeld <ra...@bielefeldundbuss.de> ---
(a) already Reproducible with AOO 4.0.0
(b) Still worked without crash with
    * server installation of "AOO 3.4.1 – German UI / German locale
      [AOO341m1(Build:9593) - Rev.1372282]" on German WIN7 Home Premium
      (64bit), own separate user profile
    * server installation of "OOo 3.3.0 English UI / German locale
      [OOO330m20 (Build 9567)]" on WIN7 Home Premium (64bit) DE


--- Comment #6 from Armin Le Grand <Ar...@me.com> ---
Hi Steve, thanks for the info. Hopefully you can find something, help always
appreciated. For reference, I checked with the minimal file and after re-export
to ppt and opening in MS ppt 2003 it looks okay, I can see no obvious
deformations/errors.


--- Comment #8 from Steve Yin <st...@gmail.com> ---
Add the submit info here.

Revision: 1587496
Author: steve_y
Date: Tuesday, April 15, 2014 6:12:14 PM
Message:
Issue 124661 - crash when loading and re-saving attached ppt file with a single
customshape

check the equation array element number. If the number is greater than 128, the
equation array will not be imported.
----
Modified : /openoffice/trunk/main/filter/source/msfilter/msdffimp.cxx


--- Comment #5 from Steve Yin <st...@gmail.com> ---
I found Symphony made a partial fix on custom shape for PPT compatibility issue
before 2009. But I cannot get more information from the defect DB or related
developers. Keep going.


--- Comment #11 from Steve Yin <st...@gmail.com> ---
Hi Armin. This limit is from [MS-ODRAW] (Office Drawing Binary File Format
Structure Specification). In its chapter 2.3.6.27, pGuides_complex. It said
that "pGuides_complex (variable): An IMsoArray record of SG records that
specifies a set of values that are used to define the geometry of this shape.
This array MUST NOT have more than 128 elements."

Maybe 128 equations for one custom shape is enough?

And I didn't see MSO 2010 apply the equations to the shape, I think it may
ignore the equations in some way when importing the sample file and keep them
when saving.


--- Comment #7 from Steve Yin <st...@gmail.com> ---
@Armin: The exported file by AOO cannot show in MSO 2010.

I found another root cause. The number of equations (pGuides_complex) in the
sample file is 137. This value should not exceed 128. I think the sample
file should be deemed with a bad equations array and should not apply these
equations to the shape when importing.

I tested on my local machine. The exporting file can be opened by MSO 2010
normally.


--- Comment #14 from SVN Robot <sv...@dev.null.org> ---
"steve_y" committed SVN revision 1587823 into trunk:
Issue 124661 - crash when loading and re-saving attached ppt file with a
sing...


--- Comment #12 from Armin Le Grand <Ar...@me.com> ---
Hi Steve, thanks for the infos. I am surprised (well, not too much) that it was
defined to be limited from the start.
What I wanted to point at is that comparing to that is okay, but when only 20
entries are used, one referring 21 is already wrong, too (AFAIK). Would it not
be better to compare to the minimum of the limit of 128 and the (hopefully
known) number of entries in the current formula list in the fix?


--- Comment #17 from Steve Yin <st...@gmail.com> ---
Hi Armin. You're welcome. I did not find the place in AOO source code. I am
very suspicious of the sample file which may contain some incorrect equations
and the total number of its equations is also exceeding the limit. So I think
it should be simply dropped. 

(In reply to Armin Le Grand from comment #16)
> Hi Steve, sorry for the hassle, I mixed up things. I thought you already
> found the place where the import of the malicious shape takes place, and
> there it would be possible to know the number of lines in the formula and to
> correct against that. Please ignore comment 12 and thanks for still
> enhancing the current fix!


--- Comment #16 from Armin Le Grand <Ar...@me.com> ---
Hi Steve, sorry for the hassle, I mixed up things. I thought you already found
the place where the import of the malicious shape takes place, and there it
would be possible to know the number of lines in the formula and to correct
against that. Please ignore comment 12 and thanks for still enhancing the
current fix!

-- 
You are receiving this mail because:
You are watching all issue changes.
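
Added example (not AOO source and not written by anyone in this thread): a simplified model of the two checks discussed above, the 128-element limit quoted from [MS-ODRAW] in comment #11 and the comparison of each "?N" reference against the actual number of equations raised in the report and in comment #12. The Equation struct and all function names are hypothetical, and the sample data is constructed.

```cpp
#include <cstddef>
#include <vector>

// [MS-ODRAW] 2.3.6.27, as quoted in the thread: pGuides_complex MUST NOT
// have more than 128 elements.
constexpr std::size_t kMaxGuides = 128;

// Hypothetical simplified equation: only the operands that refer to other
// equations by index (the "?N" references from the report) are modelled.
struct Equation {
    std::vector<std::size_t> refs;
};

enum class ImportResult { Ok, TooManyEquations, DanglingReference };

// Import side: decide whether an equation array is safe to keep.
ImportResult check_equations(const std::vector<Equation>& eqs) {
    if (eqs.size() > kMaxGuides)
        return ImportResult::TooManyEquations;   // spec limit exceeded
    for (const Equation& eq : eqs)
        for (std::size_t ref : eq.refs)
            if (ref >= eqs.size())               // e.g. ?21 with only 20 entries
                return ImportResult::DanglingReference;
    return ImportResult::Ok;
}

// Export side: never index the vector with an unvalidated reference;
// return nullptr instead of reading past the end.
const Equation* lookup(const std::vector<Equation>& eqs, std::size_t ref) {
    return ref < eqs.size() ? &eqs[ref] : nullptr;
}

// Constructed sample: n equations, the last one referring to index `ref`.
std::vector<Equation> make_sample(std::size_t n, std::size_t ref) {
    std::vector<Equation> eqs(n);
    if (n > 0)
        eqs.back().refs.push_back(ref);
    return eqs;
}

int main() {
    // 150 definitions with a reference to ?196, as described in the report:
    // the array is rejected, so the process exits with status 0.
    return check_equations(make_sample(150, 196)) == ImportResult::Ok ? 1 : 0;
}
```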