GNOME Bugzilla – Bug 575981
Invalid writes in ods chart code
Last modified: 2009-03-19 17:31:26 UTC
Version: r17223
OS: Ubuntu Intrepid

The upcoming attachment was created by converting Attachment 104226 [details] (fuzzed .xls file from Bug 513787) to .ods format with OpenOffice.org 3.0.1.

Steps to reproduce:
- Import the upcoming .ods attachment

Valgrind log:

==14353== Invalid write of size 4
==14353==    at 0x7E05A5C: od_style_prop_chart (openoffice-read.c:1769)
==14353==    by 0x7E05DF7: oo_style_prop (openoffice-read.c:1808)
==14353==    by 0x45B9E38: push_child (gsf-libxml.c:602)
==14353==    by 0x45B9F4A: lookup_child (gsf-libxml.c:639)
==14353==    by 0x45BA287: gsf_xml_in_start_element (gsf-libxml.c:709)
==14353==    by 0x465AECA: xmlParseStartTag (parser.c:7715)
==14353==    by 0x465B197: xmlParseElement (parser.c:9041)
==14353==    by 0x465B5DC: xmlParseContent (parser.c:8952)
==14353==    by 0x465B0F9: xmlParseElement (parser.c:9122)
==14353==    by 0x465B5DC: xmlParseContent (parser.c:8952)
==14353==    by 0x465B0F9: xmlParseElement (parser.c:9122)
==14353==    by 0x465B5DC: xmlParseContent (parser.c:8952)
==14353==  Address 0x933aa40 is 0 bytes inside a block of size 16 free'd
==14353==    at 0x4024B4A: free (vg_replace_malloc.c:323)
==14353==    by 0x4FD6C05: g_free (gmem.c:190)
==14353==    by 0x7E079D2: oo_chart_style_free (openoffice-read.c:2460)
==14353==    by 0x4FC064A: g_hash_table_remove_node (ghash.c:204)
==14353==    by 0x4FC06B4: g_hash_table_remove_all_nodes (ghash.c:231)
==14353==    by 0x4FC1389: g_hash_table_remove_all (ghash.c:919)
==14353==    by 0x4FC14DC: g_hash_table_destroy (ghash.c:644)
==14353==    by 0x7E06A10: od_draw_object (openoffice-read.c:2060)
==14353==    by 0x45B9E38: push_child (gsf-libxml.c:602)
==14353==    by 0x45B9F4A: lookup_child (gsf-libxml.c:639)
==14353==    by 0x45BA287: gsf_xml_in_start_element (gsf-libxml.c:709)
==14353==    by 0x465AECA: xmlParseStartTag (parser.c:7715)
==14353==
==14353== Invalid write of size 4
==14353==    at 0x7E05A65: od_style_prop_chart (openoffice-read.c:1770)
==14353==    by 0x7E05DF7: oo_style_prop (openoffice-read.c:1808)
==14353==    by 0x45B9E38: push_child (gsf-libxml.c:602)
==14353==    by 0x45B9F4A: lookup_child (gsf-libxml.c:639)
==14353==    by 0x45BA287: gsf_xml_in_start_element (gsf-libxml.c:709)
==14353==    by 0x465AECA: xmlParseStartTag (parser.c:7715)
==14353==    by 0x465B197: xmlParseElement (parser.c:9041)
==14353==    by 0x465B5DC: xmlParseContent (parser.c:8952)
==14353==    by 0x465B0F9: xmlParseElement (parser.c:9122)
==14353==    by 0x465B5DC: xmlParseContent (parser.c:8952)
==14353==    by 0x465B0F9: xmlParseElement (parser.c:9122)
==14353==    by 0x465B5DC: xmlParseContent (parser.c:8952)
==14353==  Address 0x933aa44 is 4 bytes inside a block of size 16 free'd
==14353==    at 0x4024B4A: free (vg_replace_malloc.c:323)
==14353==    by 0x4FD6C05: g_free (gmem.c:190)
==14353==    by 0x7E079D2: oo_chart_style_free (openoffice-read.c:2460)
==14353==    by 0x4FC064A: g_hash_table_remove_node (ghash.c:204)
==14353==    by 0x4FC06B4: g_hash_table_remove_all_nodes (ghash.c:231)
==14353==    by 0x4FC1389: g_hash_table_remove_all (ghash.c:919)
==14353==    by 0x4FC14DC: g_hash_table_destroy (ghash.c:644)
==14353==    by 0x7E06A10: od_draw_object (openoffice-read.c:2060)
==14353==    by 0x45B9E38: push_child (gsf-libxml.c:602)
==14353==    by 0x45B9F4A: lookup_child (gsf-libxml.c:639)
==14353==    by 0x45BA287: gsf_xml_in_start_element (gsf-libxml.c:709)
==14353==    by 0x465AECA: xmlParseStartTag (parser.c:7715)
Created attachment 130978 [details] ods file
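The two Valgrind errors above share one shape: od_draw_object tears down the style hash table (g_hash_table_destroy, whose value-destroy callback oo_chart_style_free frees each 16-byte style), yet the parser keeps a pointer to the style it was filling in, and the next style-properties element makes od_style_prop_chart write two 4-byte fields into the freed block. The following C program is a constructed model of that ownership mistake and of the guard that prevents it; it is an added example, not Gnumeric's or GLib's code, and every name in it (ChartStyle, StyleTable, ParseState, style_table_add, style_table_destroy, style_prop_chart, replay_fuzzed_sequence) is an assumption chosen to mirror the roles in the trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the use-after-free in the Valgrind trace. Not
 * Gnumeric code: all names here are assumptions mirroring the roles of
 * oo_chart_style_free, g_hash_table_destroy (from od_draw_object) and
 * od_style_prop_chart. */

#define MAX_STYLES 16

/* prop[0] and prop[1] stand in for the two 4-byte fields written 0 and
 * 4 bytes into the freed 16-byte block in the trace. */
typedef struct {
    char name[8];
    int  prop[2];
} ChartStyle;

/* Owner of every chart style of one drawing object (the hash table's role). */
typedef struct {
    ChartStyle *styles[MAX_STYLES];
    int         count;
} StyleTable;

/* Parser state: the owning table plus a *borrowed* pointer to the style
 * currently receiving style-properties. The borrow must not outlive the table. */
typedef struct {
    StyleTable *table;
    ChartStyle *cur_style;
    int         refused_writes;
} ParseState;

ChartStyle *style_table_add(StyleTable *t, const char *name)
{
    if (t->count >= MAX_STYLES)
        return NULL;
    ChartStyle *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    strncpy(s->name, name, sizeof s->name - 1);
    t->styles[t->count++] = s;
    return s;
}

/* Frees every style (the g_hash_table_destroy -> oo_chart_style_free path)
 * and clears the borrowed pointer, so no dangling reference survives. */
void style_table_destroy(ParseState *st)
{
    if (st->table == NULL)
        return;
    for (int i = 0; i < st->table->count; i++)
        free(st->table->styles[i]);
    free(st->table);
    st->table = NULL;
    st->cur_style = NULL;   /* the guard the trace shows was missing */
}

/* Property handler (role of od_style_prop_chart): refuses the write when
 * there is no live style instead of dereferencing stale memory. */
int style_prop_chart(ParseState *st, int idx, int value)
{
    if (st->table == NULL || st->cur_style == NULL || idx < 0 || idx > 1) {
        st->refused_writes++;
        return -1;
    }
    st->cur_style->prop[idx] = value;
    return 0;
}

/* Replays the element order implied by the trace: open a style, write a
 * property, end the drawing object (table destroyed), then receive two more
 * property values for the now-freed style. Returns the number of refused
 * writes: 2 when the guard works. */
int replay_fuzzed_sequence(void)
{
    ParseState st = { 0 };
    st.table = calloc(1, sizeof *st.table);
    if (st.table == NULL)
        return -1;
    st.cur_style = style_table_add(st.table, "ch1");
    style_prop_chart(&st, 0, 42);   /* legitimate write while the style is live */
    style_table_destroy(&st);       /* od_draw_object tears everything down */
    style_prop_chart(&st, 0, 7);    /* the write that faulted at line 1769 */
    style_prop_chart(&st, 1, 8);    /* and the one at line 1770 */
    return st.refused_writes;
}

/* Sanity check that writes to a live style still land. Returns the value read back. */
int live_write_value(void)
{
    ParseState st = { 0 };
    st.table = calloc(1, sizeof *st.table);
    if (st.table == NULL)
        return -1;
    st.cur_style = style_table_add(st.table, "ch1");
    style_prop_chart(&st, 1, 99);
    int v = st.cur_style->prop[1];
    style_table_destroy(&st);
    return v;
}

int main(void)
{
    printf("refused writes after destroy: %d\n", replay_fuzzed_sequence());
    return 0;
}
```

Run under Valgrind or AddressSanitizer the model stays clean, because the only pointer that could dangle is reset in the same function that frees its target; the same rule (whoever frees the table also invalidates every borrowed cursor into it) is what a real fix in openoffice-read.c has to establish.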
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.