https://bugs.documentfoundation.org/show_bug.cgi?id=169288

            Bug ID: 169288
           Summary: Multiple memory leak cases found by xlsfuzzer in
                    libreoffice
           Product: LibreOffice
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: LibreOffice
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 203760
  --> https://bugs.documentfoundation.org/attachment.cgi?id=203760&action=edit
./xlsfuzzer leak

Multiple memory leaks were found by the xlsfuzzer harness in the latest version of
LibreOffice (https://github.com/LibreOffice/core.git); LeakSanitizer reports over
16,000 leaked allocations (~3.3 MB) for a single input. All three stacks shown below
originate in the XLS drawing-object import path (XclImpDffConverter -> SdrObject
text layout via Outliner/EditEngine), which suggests a shared root cause rather than
three independent bugs. Note that these are leaks, not memory corruption: the
practical impact is resource exhaustion (e.g. a long-running converter fed crafted
XLS files) rather than code execution. The exact core.git commit used for the build
is not stated here and should be added for reproducibility.

Partial LeakSanitizer (ASAN) output (only the first three leak records are shown; the
run's summary line is at the end):
=================================================================
==164255==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13200 byte(s) in 50 object(s) allocated from:
    #0 0x55556f37b93d in operator new(unsigned long)
/src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:109:35
    #1 0x555582c46bf7 in o3tl::cow_wrapper<ImplFont,
o3tl::UnsafeRefCountingPolicy>::make_unique()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2d6f2bf7)
    #2 0x555582c1d977 in o3tl::cow_wrapper<ImplFont,
o3tl::UnsafeRefCountingPolicy>::operator->()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2d6c9977)
    #3 0x555582c1efc1 in vcl::Font::SetStyleName(rtl::OUString const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2d6cafc1)
    #4 0x5555816bd23c in OutputDevice::GetFontMetric() const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2c16923c)
    #5 0x555581d072d6 in
SalLayoutGlyphsCache::CachedGlyphsKey::CachedGlyphsKey(VclPtr<OutputDevice
const> const&, rtl::OUString, int, int, long)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2c7b32d6)
    #6 0x555581cfda3f in
SalLayoutGlyphsCache::GetLayoutGlyphs(VclPtr<OutputDevice const> const&,
rtl::OUString const&, int, int, long, vcl::text::TextLayoutCache const*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2c7a9a3f)
    #7 0x555579a11524 in GetTextArray(OutputDevice const*, rtl::OUString
const&, std::__1::vector<double, std::__1::allocator<double>>*, int, int)
svxfont.cxx
    #8 0x555579a12f4b in SvxFont::QuickGetTextSize(OutputDevice const*,
rtl::OUString const&, int, int, std::__1::vector<double,
std::__1::allocator<double>>*, bool) const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x244bef4b)
    #9 0x55557969917e in ImpEditEngine::CreateLines(int, unsigned int)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2414517e)
    #10 0x555579688e06 in
ImpEditEngine::FormatParagraphs(o3tl::sorted_vector<int, std::__1::less<int>,
o3tl::find_unique>&, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24134e06)
    #11 0x55557968668d in ImpEditEngine::FormatDoc()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2413268d)
    #12 0x555579685da0 in ImpEditEngine::FormatAndLayout(EditView*, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24131da0)
    #13 0x5555797178cb in ImpEditEngine::SetUpdateLayout(bool, EditView*, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x241c38cb)
    #14 0x5555793ea270 in EditEngine::SetUpdateLayout(bool, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x23e96270)
    #15 0x555579c68952 in Outliner::SetUpdateLayout(bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24714952)
    #16 0x55557e13a7e2 in
SdrObjCustomShape::AdjustTextFrameWidthAndHeight(tools::Rectangle&, bool, bool)
const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28be67e2)
    #17 0x55557e13e5ac in SdrObjCustomShape::ImpCalculateTextFrame(bool, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28bea5ac)
    #18 0x55557e13f300 in
SdrObjCustomShape::NbcAdjustTextFrameWidthAndHeight(bool, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28beb300)
    #19 0x55557e494591 in SdrTextObj::NbcMirror(Point const&, Point const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28f40591)
    #20 0x55557e1230a9 in SdrObjCustomShape::NbcMirror(Point const&, Point
const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28bcf0a9)
    #21 0x555572e93f75 in ScDrawLayer::SetCellAnchoredFromPosition(SdrObject&,
ScDocument const&, short, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1d93ff75)
    #22 0x55556f833ab5 in XclImpDffConverter::FinalizeObj(DffObjData&,
SdrObject*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2dfab5)
    #23 0x55557a289fc8 in SvxMSDffManager::ImportShape(DffRecordHeader const&,
SvStream&, SvxMSDffClientData&, tools::Rectangle&, tools::Rectangle const&,
int, int*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24d35fc8)
    #24 0x55557a26b6cb in SvxMSDffManager::ImportObj(SvStream&,
SvxMSDffClientData&, tools::Rectangle&, tools::Rectangle const&, int, int*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24d176cb)
    #25 0x55556f837966 in XclImpDffConverter::ProcessShContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2e3966)
    #26 0x55556f8370e2 in XclImpDffConverter::ProcessShGrContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2e30e2)
    #27 0x55556f827763 in XclImpDffConverter::ProcessDgContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2d3763)
    #28 0x55556f826dc3 in XclImpDffConverter::ProcessDrawing(SvStream&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2d2dc3)
    #29 0x55556f847586 in
XclImpDrawing::ImplConvertObjects(XclImpDffConverter&, SdrModel&, SdrPage&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2f3586)

Direct leak of 2000 byte(s) in 50 object(s) allocated from:
    #0 0x55556f37b93d in operator new(unsigned long)
/src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:109:35
    #1 0x555581cf5b08 in SalLayoutGlyphsImpl::clone() const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2c7a1b08)
    #2 0x555581fcede4 in GenericSalLayout::GetGlyphs() const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2ca7ade4)
    #3 0x555581d01220 in
SalLayoutGlyphsCache::GetLayoutGlyphs(VclPtr<OutputDevice const> const&,
rtl::OUString const&, int, int, long, vcl::text::TextLayoutCache const*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2c7ad220)
    #4 0x555579a11524 in GetTextArray(OutputDevice const*, rtl::OUString
const&, std::__1::vector<double, std::__1::allocator<double>>*, int, int)
svxfont.cxx
    #5 0x555579a12f4b in SvxFont::QuickGetTextSize(OutputDevice const*,
rtl::OUString const&, int, int, std::__1::vector<double,
std::__1::allocator<double>>*, bool) const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x244bef4b)
    #6 0x55557969917e in ImpEditEngine::CreateLines(int, unsigned int)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2414517e)
    #7 0x555579688e06 in
ImpEditEngine::FormatParagraphs(o3tl::sorted_vector<int, std::__1::less<int>,
o3tl::find_unique>&, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24134e06)
    #8 0x55557968668d in ImpEditEngine::FormatDoc()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2413268d)
    #9 0x555579685da0 in ImpEditEngine::FormatAndLayout(EditView*, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24131da0)
    #10 0x5555797178cb in ImpEditEngine::SetUpdateLayout(bool, EditView*, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x241c38cb)
    #11 0x5555793ea270 in EditEngine::SetUpdateLayout(bool, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x23e96270)
    #12 0x555579c68952 in Outliner::SetUpdateLayout(bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24714952)
    #13 0x55557e13a7e2 in
SdrObjCustomShape::AdjustTextFrameWidthAndHeight(tools::Rectangle&, bool, bool)
const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28be67e2)
    #14 0x55557e13e5ac in SdrObjCustomShape::ImpCalculateTextFrame(bool, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28bea5ac)
    #15 0x55557e13f300 in
SdrObjCustomShape::NbcAdjustTextFrameWidthAndHeight(bool, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28beb300)
    #16 0x55557e494591 in SdrTextObj::NbcMirror(Point const&, Point const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28f40591)
    #17 0x55557e1230a9 in SdrObjCustomShape::NbcMirror(Point const&, Point
const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28bcf0a9)
    #18 0x555572e93f75 in ScDrawLayer::SetCellAnchoredFromPosition(SdrObject&,
ScDocument const&, short, bool)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1d93ff75)
    #19 0x55556f833ab5 in XclImpDffConverter::FinalizeObj(DffObjData&,
SdrObject*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2dfab5)
    #20 0x55557a289fc8 in SvxMSDffManager::ImportShape(DffRecordHeader const&,
SvStream&, SvxMSDffClientData&, tools::Rectangle&, tools::Rectangle const&,
int, int*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24d35fc8)
    #21 0x55557a26b6cb in SvxMSDffManager::ImportObj(SvStream&,
SvxMSDffClientData&, tools::Rectangle&, tools::Rectangle const&, int, int*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24d176cb)
    #22 0x55556f837966 in XclImpDffConverter::ProcessShContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2e3966)
    #23 0x55556f8370e2 in XclImpDffConverter::ProcessShGrContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2e30e2)
    #24 0x55556f827763 in XclImpDffConverter::ProcessDgContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2d3763)
    #25 0x55556f826dc3 in XclImpDffConverter::ProcessDrawing(SvStream&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2d2dc3)
    #26 0x55556f847586 in
XclImpDrawing::ImplConvertObjects(XclImpDffConverter&, SdrModel&, SdrPage&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2f3586)
    #27 0x55556f84c54e in
XclImpSheetDrawing::ConvertObjects(XclImpDffConverter&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2f854e)
    #28 0x55556f852938 in XclImpObjectManager::ConvertObjects()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2fe938)
    #29 0x55556f4b5420 in ImportExcel::PostDocLoad()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19f61420)

Direct leak of 396 byte(s) in 10 object(s) allocated from:
    #0 0x55556f342d74 in malloc
/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3
    #1 0x555587f3d89a in _rtl_uString* rtl::str::Alloc<_rtl_uString>(int)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x329e989a)
    #2 0x555587f3f9dc in void rtl::str::newFromStr_WithLength<_rtl_uString,
char16_t>(_rtl_uString**, char16_t const*, int, int)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x329eb9dc)
    #3 0x555587fb69c6 in rtl_uString_newFromStr_WithLength
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x32a629c6)
    #4 0x55556fe7e48b in
rtl::OUString::OUString(std::__1::basic_string_view<char16_t,
std::__1::char_traits<char16_t>>)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a92a48b)
    #5 0x555579c7899b in Outliner::SetText(rtl::OUString const&, Paragraph*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x2472499b)
    #6 0x55557e4280c9 in SdrTextObj::NbcSetText(rtl::OUString const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x28ed40c9)
    #7 0x55556f7d0bbf in XclImpTextObj::DoPreProcessSdrObj(XclImpDffConverter&,
SdrObject&) const
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a27cbbf)
    #8 0x55556f7ab938 in
XclImpDrawObjBase::PreProcessSdrObject(XclImpDffConverter&, SdrObject&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a257938)
    #9 0x55556f830a7e in XclImpDffConverter::ProcessObj(SvStream&, DffObjData&,
SvxMSDffClientData&, tools::Rectangle&, SdrObject*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2dca7e)
    #10 0x55557a288e61 in SvxMSDffManager::ImportShape(DffRecordHeader const&,
SvStream&, SvxMSDffClientData&, tools::Rectangle&, tools::Rectangle const&,
int, int*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24d34e61)
    #11 0x55557a26b6cb in SvxMSDffManager::ImportObj(SvStream&,
SvxMSDffClientData&, tools::Rectangle&, tools::Rectangle const&, int, int*)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x24d176cb)
    #12 0x55556f837966 in XclImpDffConverter::ProcessShContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2e3966)
    #13 0x55556f8370e2 in XclImpDffConverter::ProcessShGrContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2e30e2)
    #14 0x55556f827763 in XclImpDffConverter::ProcessDgContainer(SvStream&,
DffRecordHeader const&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2d3763)
    #15 0x55556f826dc3 in XclImpDffConverter::ProcessDrawing(SvStream&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2d2dc3)
    #16 0x55556f847586 in
XclImpDrawing::ImplConvertObjects(XclImpDffConverter&, SdrModel&, SdrPage&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2f3586)
    #17 0x55556f84c54e in
XclImpSheetDrawing::ConvertObjects(XclImpDffConverter&)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2f854e)
    #18 0x55556f852938 in XclImpObjectManager::ConvertObjects()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x1a2fe938)
    #19 0x55556f4b5420 in ImportExcel::PostDocLoad()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19f61420)
    #20 0x55556f3dee69 in ImportExcel8::PostDocLoad()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19e8ae69)
    #21 0x55556f52554b in ImportExcel8::Read()
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19fd154b)
    #22 0x55556f395f91 in ScFormatFilterPluginImpl::ScImportExcel(SfxMedium&,
ScDocument*, EXCIMPFORMAT)
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19e41f91)
    #23 0x55556f3a0cec in TestImportXLS
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19e4ccec)
    #24 0x55556f383d46 in LLVMFuzzerTestOneInput
(/home/xuhanxiang/project/oss-fuzz/build/out/libreoffice/xlsfuzzer+0x19e2fd46)
    #25 0x55556f25c5ad in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
    #26 0x55556f247432 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
    #27 0x55556f24d300 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long))
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
    #28 0x55556f277e02 in main
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #29 0x7ffff7c75d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
.....

SUMMARY: AddressSanitizer: 3387140 byte(s) leaked in 16509 allocation(s).


Reproduction

Run the attached input (attachment 203760, saved as `leak`) through the xlsfuzzer
harness from an ASAN/LSAN-instrumented oss-fuzz build of LibreOffice:

./xlsfuzzer leak


Credit
Hanxiang Xu(Huazhong University Of Science And Technology)
Zesen Ye(Cyber Kunlun)
Zhiniang Peng(Huazhong University Of Science And Technology)
