To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=116400

Issue #|116400
Summary|Memory corruption while loading an xls file
Component|Spreadsheet
Version|OOo 3.2.1
Platform|Unknown
URL|http://hotfile.com/dl/95840230/3082434/9111.xls.html
OS/Version|All
Status|UNCONFIRMED
Status whiteboard|
Keywords|
Resolution|
Issue type|DEFECT
Priority|P1
Subcomponent|viewing
Assigned to|spreadsheet
Reported by|omair3030
------- Additional comments from omair3...@openoffice.org Mon Jan 10 22:40:17 +0000 2011 -------

Tested on OpenOffice 3.2.1 build 9504 on WinXP/7

A specially crafted file which has a corrupt MSODRAWING record of the Excel file causes memory corruption. The byte corrupted is at address 0x641D of the attached file.

Crash Details
--------------

0:000:x86> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
01679764 1000ad10 0167978c 55555555 0edaf4f0 sal3!rtl_uString_new_WithLength+0x2e
0167977c 0e5c7685 016797a0 016797a4 00000000 sal3!rtl_uStringbuffer_ensureCapacity+0x34
016797bc 0e5d5904 01679bb0 00000380 0edaf4f0 svxmsfiltermi!DffPropSet::GetPropertyString+0x5c
01679b9c 0e5d6bf7 0d691ce0 0edaf4f0 01679c3c svxmsfiltermi!SvxMSDffManager::ImportShape+0x1d67
01679bdc 0c5f60ea 0edaf4f0 01679c3c 01679c0c svxmsfiltermi!SvxMSDffManager::ImportObj+0x83
01679c30 0c5f68fc 0edaf4f0 00000000 01679ca4 scfiltmi!ScFilterCreate+0x647ba
01679c60 0c5f78ed 0edaf4f0 00003f82 0ed2bc40 scfiltmi!ScFilterCreate+0x64fcc
01679c90 0c5f7cec 0edaf4f0 00003f82 0edaf490 scfiltmi!ScFilterCreate+0x65fbd
01679cb4 0c5f7df4 0edaf4f0 0000005a 626dee96 scfiltmi!ScFilterCreate+0x663bc
01679cec 0c598281 626def46 0d5ac4ec 0d5ac4e0 scfiltmi!ScFilterCreate+0x664c4
01679d3c 0c59b018 626def0e 0ed2bbfa 0d5ac4e0 scfiltmi!ScFilterCreate+0x6951
01679d74 0c604ec8 0ee02ee8 0d5ac4e0 00040b08 scfiltmi!ScFilterCreate+0x96e8
01679e48 0c59225f 626dedb6 0eda0cd8 0edae650 scfiltmi!ScFilterCreate+0x73598
01679fcc 0df45961 0d5ac4e0 0d5ac4e0 053b8948 scfiltmi!ScFilterCreate+0x92f
0167d314 019e5c92 0eda0cd8 b91e45fe 034ceccb scmi!ScDocShell::ConvertFrom+0x11ee
0167d3f0 01a0ba0b 0eda0cd8 b91e425a 01e4fb64 sfxmi!SfxObjectShell::DoLoad+0xb4b
0167d454 01a42879 00da0cd8 0167d594 b91e43da sfxmi!SfxBaseModel::load+0x14b
0167d5d4 094fef2b 10c2f8e8 0167d63c 0167d644 sfxmi!SfxViewShell::SfxViewShell+0x2496
0167d658 094ff062 b9e58806 0fa94e3c 0fa94e44 fwkmi!GetVersionInfo+0x6df2b
0167d69c 094f8a5d b9e5899a 00000001 00000001 fwkmi!GetVersionInfo+0x6e062

0:000:x86> r
eax=00000000 ebx=55555555 ecx=aaaaaac0 edx=00000000 esi=55555555 edi=0167978c
eip=10005c86 esp=0167975c ebp=01679764 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
sal3!rtl_uString_new_WithLength+0x2e:
10005c86 83600400        and     dword ptr [eax+4],0  ds:002b:00000004=????????

Here we control ecx and affect the registers ebx and esi.

sal3!rtl_uString_new_WithLength:
10005c58 55              push    ebp
10005c59 8bec            mov     ebp,esp
10005c5b 56              push    esi
10005c5c 8b750c          mov     esi,dword ptr [ebp+0Ch]
10005c5f 85f6            test    esi,esi
10005c61 7f0b            jg      sal3!rtl_uString_new_WithLength+0x16 (10005c6e)
10005c63 ff7508          push    dword ptr [ebp+8]
10005c66 e8d0ffffff      call    sal3!rtl_uString_new (10005c3b)
10005c6b 59              pop     ecx
10005c6c eb3a            jmp     sal3!rtl_uString_new_WithLength+0x50 (10005ca8)
10005c6e 57              push    edi
10005c6f 8b7d08          mov     edi,dword ptr [ebp+8]
10005c72 8b07            mov     eax,dword ptr [edi]
10005c74 85c0            test    eax,eax
10005c76 7407            je      sal3!rtl_uString_new_WithLength+0x27 (10005c7f)
10005c78 50              push    eax
10005c79 e887ffffff      call    sal3!rtl_uString_release (10005c05)
10005c7e 59              pop     ecx
10005c7f e84bf9ffff      call    sal3!rtl_ustr_toInt64+0xc2 (100055cf)
10005c84 8907            mov     dword ptr [edi],eax
10005c86 83600400        and     dword ptr [eax+4],0  ds:002b:00000004=????????
10005c8a 8b3f            mov     edi,dword ptr [edi]
10005c8c 33c0            xor     eax,eax
10005c8e 0fb7d0          movzx   edx,ax
10005c91 83c708          add     edi,8
10005c94 8bc2            mov     eax,edx
10005c96 c1e210          shl     edx,10h
10005c99 0bc2            or      eax,edx
10005c9b 8d4e01          lea     ecx,[esi+1]
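The dump above shows rtl_uString_new_WithLength entered from DffPropSet::GetPropertyString with a file-derived length of 0x55555555 in esi, the call that should produce the new string returning 0 in eax, and the next instruction writing through that null pointer. The C below is an added example, not OpenOffice code, showing the two checks a record parser needs on that path: validate a declared length against the bytes actually present (and a sane cap) before allocating, and treat allocation failure as an ordinary error. It assumes a simplified layout (a 4-byte byte count followed by UTF-16LE text), which is a stand-in for illustration and not the real MSODRAWING/DFF encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PROP_BYTES (64u * 1024u)  /* payload cap chosen for this demo */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Simplified model (an assumption, not the real DFF layout): a 4-byte little-endian
 * byte count followed by that many bytes of UTF-16LE text. The count is checked
 * against the bytes actually present and against a cap before anything is
 * allocated, and the allocation result is checked, so a count such as 0x55555555
 * never reaches the allocator. Returns a NUL-terminated UTF-16 buffer (caller
 * frees) or NULL on rejection. */
uint16_t *read_prop_string(const uint8_t *rec, size_t rec_len, size_t *out_units) {
    if (rec == NULL || out_units == NULL || rec_len < 4) return NULL;
    uint32_t nbytes = le32(rec);
    if (nbytes > rec_len - 4 || nbytes > MAX_PROP_BYTES || (nbytes & 1u)) return NULL;
    size_t units = nbytes / 2;
    uint16_t *s = malloc(nbytes + sizeof(uint16_t));
    if (s == NULL) return NULL;  /* allocation failure is an ordinary error path */
    memcpy(s, rec + 4, nbytes);
    s[units] = 0;
    *out_units = units;
    return s;
}
/* Constructed sample: declared length 0x55555555 but only 4 payload bytes. */
int demo_rejects_bogus_length(void) {
    const uint8_t rec[] = { 0x55, 0x55, 0x55, 0x55, 'H', 0, 'i', 0 };
    size_t units = 0;
    return read_prop_string(rec, sizeof rec, &units) == NULL;
}

/* Constructed sample: declared length 4, payload "Hi" as UTF-16LE. */
int demo_accepts_valid_record(void) {
    const uint8_t rec[] = { 0x04, 0x00, 0x00, 0x00, 'H', 0, 'i', 0 };
    size_t units = 0;
    uint16_t *s = read_prop_string(rec, sizeof rec, &units);
    int ok = s != NULL && units == 2 && s[0] == 'H' && s[1] == 'i' && s[2] == 0;
    free(s);
    return ok;
}

int main(void) {  /* prints "bogus rejected: 1, valid accepted: 1" */
    printf("bogus rejected: %d, valid accepted: %d\n", demo_rejects_bogus_length(), demo_accepts_valid_record());
    return 0;
}
```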