GNOME Bugzilla – Bug 627150
ODF import criticals
Last modified: 2010-08-17 17:00:00 UTC
Created attachment 168075
Corrupted ods file

The symbol warnings below are a small worry.

../src/ssconvert 'zzuftmp/mmm-5041.ods' /tmp/mmm3.gnumeric

** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): CRITICAL **: gnm_cell_set_array_formula: assertion `col_b < gnm_sheet_get_max_cols (sheet)' failed
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): WARNING **: In colrow_reset_defaults, someone set maxima to 336732166 >= 256
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): CRITICAL **: symbol_unref: assertion `sym != NULL' failed
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): CRITICAL **: symbol_unref: assertion `sym != NULL' failed
[...]
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): CRITICAL **: symbol_unref: assertion `sym != NULL' failed
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): CRITICAL **: gnm_func_free: assertion `func->ref_count == 0' failed
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): CRITICAL **: symbol_unref: assertion `sym != NULL' failed
[...]
Leaking expression at 0x8a4ec8: A16777213:C16777215.
Leaking expression at 0x8a4ee8: �r~(A16777213:C16777215).
** (/home/welinder/gnome-src/gnumeric/src/.libs/lt-ssconvert:12823): WARNING **: Leaked 2 nodes from expression pool for small nodes.
Leaking 1 values.
Leaking string [Mathematics] with ref_count=2.
Leaking string [gnumeric-functions] with ref_count=1.

Make that a big worry. We're accessing freed memory.

==15831==
==15831== Invalid read of size 1
==15831==    at 0x538058B: go_ascii_strcase_hash (go-glib-extras.c:249)
==15831==    by 0xA43457C: g_hash_table_lookup (in /usr/lib64/libglib-2.0.so.0.1600.3)
==15831==    by 0x4EE4316: gnm_func_free (func.c:931)
==15831==    by 0x4EE7697: shutdown_cat (func-builtin.c:414)
==15831==    by 0x4EE76BF: func_builtin_shutdown (func-builtin.c:421)
==15831==    by 0x4EE53ED: functions_shutdown (func.c:62)
==15831==    by 0x4F0888C: gnm_shutdown (libgnumeric.c:331)
==15831==    by 0x403F72: main (ssconvert.c:701)
==15831==  Address 0xc18c008 is 0 bytes inside a block of size 6 free'd
==15831==    at 0x4C2430F: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==15831==    by 0x537F66C: go_slist_free_custom (go-glib-extras.c:154)
==15831==    by 0x4F6A80E: plugin_service_function_group_finalize (gnm-plugin.c:49)
==15831==    by 0x9DCB1D7: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.1600.3)
==15831==    by 0x537F66C: go_slist_free_custom (go-glib-extras.c:154)
==15831==    by 0x538DC4D: go_plugin_finalize (go-plugin.c:170)
==15831==    by 0x9DCB1D7: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.1600.3)
==15831==    by 0x537F66C: go_slist_free_custom (go-glib-extras.c:154)
==15831==    by 0x538BECF: go_plugins_shutdown (go-plugin.c:1940)
==15831==    by 0x4F0883F: gnm_shutdown (libgnumeric.c:319)

This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.

Note that this issue could have also arisen with non-fuzzed files had array formulas existed straddling the edge of the current sheet size.