GNOME Bugzilla – Bug 568010
Colrow problems when loading sxc files
Last modified: 2009-02-22 00:35:12 UTC
Version: r17074 (+ the patch from Bug 326595, which should be unrelated)
OS: Ubuntu Intrepid

Steps to reproduce:
- Download http://www.openoffice.org/nonav/issues/showattachment.cgi/921/oneif_256x256.sxc (from Issue 2800 in OO.org's Bugzilla)
- Open and close the file

Valgrind output:
==17588== Conditional jump or move depends on uninitialised value(s)
==17588==    at 0x40828FB: row_calc_spans (cellspan.c:401)
==17588==    by 0x40D3884: item_grid_draw (item-grid.c:441)
==17588==    by 0x4538FE8: foo_canvas_group_draw (foo-canvas.c:1496)
==17588==    by 0x4538FE8: foo_canvas_group_draw (foo-canvas.c:1496)
==17588==    by 0x453C2C3: foo_canvas_expose (foo-canvas.c:2898)
==17588==    by 0x4897035: (within /usr/lib/libgtk-x11-2.0.so.0.1400.4)
==17588==    by 0x4F673C8: (within /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F68C4A: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F7ED3C: (within /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F8062A: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F80C25: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x49AC33D: (within /usr/lib/libgtk-x11-2.0.so.0.1400.4)
==17588==
==17588== Conditional jump or move depends on uninitialised value(s)
==17588==    at 0x410C2A6: sheet_col_destroy (sheet.c:3413)
==17588==    by 0x410C711: sheet_destroy_contents (sheet.c:3541)
==17588==    by 0x4150652: workbook_dispose (workbook.c:113)
==17588==    by 0x4F6AD17: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x415D206: wbcg_close_if_user_permits (wbc-gtk.c:1569)
==17588==    by 0x415D484: wbc_gtk_close (wbc-gtk.c:1616)
==17588==    by 0x4897035: (within /usr/lib/libgtk-x11-2.0.so.0.1400.4)
==17588==    by 0x4F68C4A: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F7F5D7: (within /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F8062A: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F80C25: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x49AC33D: (within /usr/lib/libgtk-x11-2.0.so.0.1400.4)
==17588==
==17588== Conditional jump or move depends on uninitialised value(s)
==17588==    at 0x410C772: sheet_destroy_contents (sheet.c:3548)
==17588==    by 0x4150652: workbook_dispose (workbook.c:113)
==17588==    by 0x4F6AD17: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x415D206: wbcg_close_if_user_permits (wbc-gtk.c:1569)
==17588==    by 0x415D484: wbc_gtk_close (wbc-gtk.c:1616)
==17588==    by 0x4897035: (within /usr/lib/libgtk-x11-2.0.so.0.1400.4)
==17588==    by 0x4F68C4A: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F7F5D7: (within /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F8062A: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x4F80C25: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1800.2)
==17588==    by 0x49AC33D: (within /usr/lib/libgtk-x11-2.0.so.0.1400.4)
==17588==    by 0x48910AB: gtk_main_do_event (in /usr/lib/libgtk-x11-2.0.so.0.1400.4)

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
+ Trace 211598
Thread 3067012864 (LWP 17825)
Created attachment 126604 [details]
the sxc file from OpenOffice.org's Bugzilla
UMR happens when row=0 col=256
Created attachment 129068 [details] [review]
Patch to try

This ought to do the trick, if I understand things right.
I made colrow_reset_defaults catch any such attempt. That takes care of the crashing and weirdness independently of the patch above. --> lowering severity.
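The out-of-range index reported above (row 0, column 256 in a sheet with 256 columns, so one past the last valid index) and the "catch any such attempt" fix, as an added example that is not Gnumeric's code: a hypothetical model of per-column info whose reset routine validates the index and reports failure instead of reading or freeing memory past the array. The struct layout, function names, return convention and the MAX_COLS value are assumptions of the model.

```c
#include <stdlib.h>

/* Hypothetical model of per-column info, not Gnumeric's code.  The sheet
 * has 256 columns, so valid indices are 0..255; the report's failing
 * case is col = 256, one past the end of the array. */
#define MAX_COLS 256

typedef struct { double size_pts; } ColRowInfo;
typedef struct { ColRowInfo *cols[MAX_COLS]; } Sheet; /* NULL = default */

static int col_in_range(const Sheet *sheet, int col)
{
    return sheet != NULL && col >= 0 && col < MAX_COLS;
}

/* Give column `col` an explicit width.  Returns 0, or -1 if out of range. */
int colrow_set_size(Sheet *sheet, int col, double pts)
{
    if (!col_in_range(sheet, col))
        return -1;
    if (sheet->cols[col] == NULL) {
        sheet->cols[col] = calloc(1, sizeof(ColRowInfo));
        if (sheet->cols[col] == NULL)
            return -1;
    }
    sheet->cols[col]->size_pts = pts;
    return 0;
}

/* Reset column `col` to the sheet default.  An out-of-range index is
 * refused up front, so there is no read of cols[256] and no free() of
 * whatever happens to sit past the array. */
int colrow_reset_defaults(Sheet *sheet, int col)
{
    if (!col_in_range(sheet, col))
        return -1;
    free(sheet->cols[col]);
    sheet->cols[col] = NULL;
    return 0;
}

/* Number of columns that still carry explicit info. */
int colrow_count_explicit(const Sheet *sheet)
{
    int n = 0, i;
    for (i = 0; i < MAX_COLS; i++)
        n += (sheet->cols[i] != NULL);
    return n;
}
```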
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.
It looks like the colrow_reset_defaults patch (r17152) has caused a regression.

Steps to reproduce:
- Download Attachment 20975 [details] (.sxc file from Bug 125604)
- ssconvert attachment.sxc /tmp/foo.txt

Valgrind output:
==31506== Invalid read of size 1
==31506==    at 0x4080245: gnm_cell_cleanout (cell.c:69)
==31506==    by 0x410C5DB: cell_free (sheet.c:3266)
==31506==    by 0x410CD2F: cb_remove_allcells (sheet.c:3484)
==31506==    by 0x4FCF2A5: g_hash_table_foreach (ghash.c:1076)
==31506==    by 0x410C0AD: sheet_cell_foreach (sheet.c:3094)
==31506==    by 0x410CF18: sheet_destroy_contents (sheet.c:3536)
==31506==    by 0x4150FC6: workbook_dispose (workbook.c:113)
==31506==    by 0x4F6CD17: g_object_unref (gobject.c:2389)
==31506==    by 0x804A069: convert (ssconvert.c:339)
==31506==    by 0x804A2C1: main (ssconvert.c:402)
==31506==  Address 0x73d3929 is 9 bytes inside a block of size 16 free'd
==31506==    at 0x4024B4A: free (vg_replace_malloc.c:323)
==31506==    by 0x4FE5C05: g_free (gmem.c:190)
==31506==    by 0x40892C7: colrow_reset_defaults (colrow.c:1188)
==31506==    by 0x75B8C28: oo_colrow_reset_defaults (openoffice-read.c:572)
==31506==    by 0x75B8DD4: oo_table_end (openoffice-read.c:613)
==31506==    by 0x45C85B6: gsf_xml_in_end_element (gsf-libxml.c:784)
==31506==    by 0x4661559: (within /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x4669241: xmlParseElement (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46695DC: xmlParseContent (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46690F9: xmlParseElement (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46695DC: xmlParseContent (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46690F9: xmlParseElement (in /usr/lib/libxml2.so.2.6.32)
==31506==
==31506== Invalid write of size 1
==31506==    at 0x408024C: gnm_cell_cleanout (cell.c:69)
==31506==    by 0x410C5DB: cell_free (sheet.c:3266)
==31506==    by 0x410CD2F: cb_remove_allcells (sheet.c:3484)
==31506==    by 0x4FCF2A5: g_hash_table_foreach (ghash.c:1076)
==31506==    by 0x410C0AD: sheet_cell_foreach (sheet.c:3094)
==31506==    by 0x410CF18: sheet_destroy_contents (sheet.c:3536)
==31506==    by 0x4150FC6: workbook_dispose (workbook.c:113)
==31506==    by 0x4F6CD17: g_object_unref (gobject.c:2389)
==31506==    by 0x804A069: convert (ssconvert.c:339)
==31506==    by 0x804A2C1: main (ssconvert.c:402)
==31506==  Address 0x73d3929 is 9 bytes inside a block of size 16 free'd
==31506==    at 0x4024B4A: free (vg_replace_malloc.c:323)
==31506==    by 0x4FE5C05: g_free (gmem.c:190)
==31506==    by 0x40892C7: colrow_reset_defaults (colrow.c:1188)
==31506==    by 0x75B8C28: oo_colrow_reset_defaults (openoffice-read.c:572)
==31506==    by 0x75B8DD4: oo_table_end (openoffice-read.c:613)
==31506==    by 0x45C85B6: gsf_xml_in_end_element (gsf-libxml.c:784)
==31506==    by 0x4661559: (within /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x4669241: xmlParseElement (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46695DC: xmlParseContent (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46690F9: xmlParseElement (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46695DC: xmlParseContent (in /usr/lib/libxml2.so.2.6.32)
==31506==    by 0x46690F9: xmlParseElement (in /usr/lib/libxml2.so.2.6.32)