Created attachment 87651
files that can be used to reproduce the crash

Problem description:

Program received signal SIGSEGV, Segmentation fault.
std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffffffb478, __str=<error reading variable: Cannot access memory at address 0x29>) at /usr/src/debug/gcc-4.7.2/obj-x86_64-tizen-linux/x86_64-tizen-linux/libstdc++-v3/include/bits/basic_string.tcc:175

A number of files that can be used to reproduce the crash can be found in the attached crash_files.zip archive. The files were generated by fuzzing valid files, in order to check for problems when libreoffice handles malformed input. The bug was found while testing Libreoffice version 4.0.1.2, but it is persistent in version 4.1.2.3.

Steps to reproduce:
1. Open libreoffice with gdb attached
2. Open the files from crash_files.zip

A gdb backtrace example of opening one of the files can be found here: https://docs.google.com/file/d/0Bw_O6opVYHaaYVIwRlNOMkJfOUk/edit?usp=sharing

Operating System: Ubuntu
Version: 4.1.2.3 rc
caolanm->dtardon/fridrich sf_4fb158660a71837695cd1e9d0e1d7ecb-117200.odt is a crash in libcdr
sf_bffbd306787fea717b1aa5a207854c99-298-minimized.odt is libvisio
Clearly we should not dereference an iterator unless we know it is valid... This is actually just one crash, as the same zip-reading code has been reused at several places.
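As an added illustration of the pattern described in this comment (not LibreOffice's code and not the actual patch), here is a zip central-directory lookup in its unsafe form beside a hardened one; ZipEntry, ZipIndex and the helper names are hypothetical:

```cpp
// Added example, not LibreOffice code: a zip central-directory index lookup
// showing the unsafe pattern (dereferencing find() without checking end())
// beside a hardened version that reports a missing entry to the caller.
#include <cstdint>
#include <map>
#include <string>

struct ZipEntry {
    std::string name;        // stored file name
    std::uint32_t offset;    // offset of the local file header in the archive
    std::uint32_t size;      // compressed size
};
// name -> entry, as built from a central directory. Hypothetical type name.
using ZipIndex = std::map<std::string, ZipEntry>;

// Constructed sample: the two streams every ODF package must carry.
ZipIndex makeSampleIndex() {
    return {
        {"mimetype",    {"mimetype",    0,   39}},
        {"content.xml", {"content.xml", 120, 4096}},
    };
}

// Unsafe: for a name absent from a truncated or fuzzed archive, find() returns
// end(), and dereferencing it is undefined behaviour. With a std::string in
// the entry this tends to surface as SIGSEGV inside basic_string's copy
// constructor, as in the backtrace in the report. Kept only for contrast.
std::string unsafeEntryName(const ZipIndex& idx, const std::string& name) {
    return idx.find(name)->second.name;
}

// Hardened: check the iterator before using it; nullptr means "not present".
const ZipEntry* findEntry(const ZipIndex& idx, const std::string& name) {
    auto it = idx.find(name);
    if (it == idx.end())
        return nullptr;
    return &it->second;
}

// Loader-side validation: refuse the package instead of crashing on it.
bool hasRequiredStreams(const ZipIndex& idx) {
    return findEntry(idx, "mimetype") != nullptr && findEntry(idx, "content.xml") != nullptr;
}

// Simulates a malformed archive whose central directory lost content.xml.
bool missingEntryIsReported() {
    ZipIndex idx = makeSampleIndex();
    idx.erase("content.xml");
    return findEntry(idx, "content.xml") == nullptr && !hasRequiredStreams(idx);
}
```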
Btw, the crash in libcdr has already been fixed by libcdr-0.0.14, which has been in libreoffice for quite some time. @Alexandru: I applaud your effort trying to make libreoffice filters more reliable, but it would be much better if you worked with master branch.
David Tardon committed a patch related to this issue.
It has been pushed to "master":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=f2422ab90d92104915b93e96f647a89bbf55ad30

fdo#70480 do not crash reading malformed zip

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
David Tardon committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=f295f47b1549a39c0113f4ca3eb0d8bb14844cac&h=libreoffice-4-1

fdo#70480 do not crash reading malformed zip

It will be available in LibreOffice 4.1.4.
The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.