[PATCH] fdo#47436: FILEOPEN: Writer crashes when it opens an odt file produced by JasperReport

Dézsi Szabolcs <dezsiszabi -AT- hotmail.com>
Fri, 20 Apr 2012 00:51:28 +0200


Hi!

https://bugs.freedesktop.org/show_bug.cgi?id=47436

Hi!

editeng/source/items/frmitems.cxx:1954

1951:   for (int n(0); n != SAL_N_ELEMENTS(aBorders); ++n)
1952:   {
1953:       editeng::SvxBorderLine* pLine = const_cast< editeng::SvxBorderLine*

( GetLine( aBorders[n] ) );

1954:       pLine->SetStyle( eBorderStyle );
1956:   }

Here pLine is a NULL pointer, so calling its member function (SetStyle) causes
SIGSEGV.

aBorders is just an array with 4 elements: { BOX_LINE_LEFT, BOX_LINE_RIGHT, BOX_LINE_BOTTOM, 
BOX_LINE_TOP }
GetLine returns pLeft, pTop, pRight, pBottom. All of these are NULL pointers in this case.
These get their values in sw/source/core/unocore/unoframe.cxx (from line 370)

370:    const ::uno::Any* pLeft        = 0;
371:    GetProperty(RES_BOX, LEFT_BORDER  |CONVERT_TWIPS,    pLeft  );

pLeft remains NULL after this (and pTop, pRight, pBottom too)

so these:
396:    SvxBoxItem aBox ( static_cast < const :: SvxBoxItem & > ( rFromSet.Get ( RES_BOX ) ) );
397:    if( pLeft )
398:        bRet &= ((SfxPoolItem&)aBox).PutValue(*pLeft, CONVERT_TWIPS|LEFT_BORDER );
are not executed, and aBox's pLeft (etc) members remain NULLs.
but this:
415:    if( pLineStyle )
416:        bRet &= ((SfxPoolItem&)aBox).PutValue(*pLineStyle, LINE_STYLE);
gets executed, and this has a call to pLine->SetStyle (line 1954 mentioned earlier)

Putting 'if( pLine )' before line 1954 causes LO to load the document.

PS.: Like on bug's page. It isn't sure that the odt is valid, but it shouldn't crash anyway.

Szabolcs

From 13cd12140c9b5f345c720c4aa9fb7e17885f02e9 Mon Sep 17 00:00:00 2001
From: Szabolcs Dezsi <dezsiszabi@hotmail.com>
Date: Fri, 20 Apr 2012 00:45:35 +0200
Subject: [PATCH] Workaround for Bug 47436, Crash while opening odt file

---
 editeng/source/items/frmitems.cxx |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/editeng/source/items/frmitems.cxx b/editeng/source/items/frmitems.cxx
index 3cca643..0098af0 100644
--- a/editeng/source/items/frmitems.cxx
+++ b/editeng/source/items/frmitems.cxx
@@ -1951,7 +1951,8 @@ bool SvxBoxItem::PutValue( const uno::Any& rVal, sal_uInt8 nMemberId )
                 for (int n(0); n != SAL_N_ELEMENTS(aBorders); ++n)
                 {
                     editeng::SvxBorderLine* pLine = const_cast< editeng::SvxBorderLine* >( 
GetLine( aBorders[n] ) );
-                    pLine->SetStyle( eBorderStyle );
+                    if( pLine )
+                        pLine->SetStyle( eBorderStyle );
                 }
                 return sal_True;
             }
-- 
1.7.7

Context

[PATCH] fdo#47436: FILEOPEN: Writer crashes when it opens an odt file produced by JasperReport · Dézsi Szabolcs
- Re: [Pushed] [PATCH] fdo#47436: FILEOPEN: Writer crashes when it opens an odt file produced by JasperReport · Muthu Subramanian K

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.