Apache OpenOffice (AOO) Bugzilla – Issue 99526
Using "up" to position salulation in mail merge wizard can place it out of range and crash
Last modified: 2013-08-07 14:44:00 UTC
If you press up more than 19 times in the mail merge wizard (e.g. 25 times) then the salutation will be placed at an offset of -25 added to 19 in an unsigned calculation, i.e. resulting in a massive 32-bit number which is out of range of the document, which may crash horribly. Attached is a fix to the mail merge wizard to only record successful up attempts to clip it to the valid amount, and a patch to MoveParagraph to fail on an invalid up amount.
Created attachment 60382 [details] patch to fix out of range in mailmerge wizard salutation move upwards
for reference, here's the valgrind trace

==18035== Use of uninitialised value of size 4
==18035==    at 0x44C78C5: BigPtrArray::Index2Block(unsigned long) const (bparr.cxx:199)
==18035==    by 0x44C78EF: BigPtrArray::operator[](unsigned long) const (bparr.cxx:147)
==18035==    by 0x42D6C7A: SwDoc::MoveParagraph(SwPaM const&, long, unsigned char) (ndarr.hxx:141)
==18035==    by 0x41A0A47: SwEditShell::MoveParagraph(long) (ednumber.cxx:388)
==18035==    by 0x12505930: SwMailMergeLayoutPage::InsertGreeting(SwWrtShell&, SwMailMergeConfigItem&, bool) (mmlayoutpage.cxx:515)
==18035==    by 0x125073E2: SwMailMergeLayoutPage::InsertAddressAndGreeting(SwView*, SwMailMergeConfigItem&, Point const&, bool) (mmlayoutpage.cxx:306)
==18035==    by 0x125074A7: SwMailMergeLayoutPage::commitPage(svt::WizardTypes::CommitPageReason) (mmlayoutpage.cxx:278)
==18035==    by 0x65D44A2: svt::OWizardMachine::prepareLeaveCurrentState(svt::WizardTypes::CommitPageReason) (in /usr/lib/openoffice.org/basis3.0/program/libsvtli.so)
==18035==    by 0x65D48F7: svt::OWizardMachine::travelNext() (in /usr/lib/openoffice.org/basis3.0/program/libsvtli.so)
==18035==    by 0x65D49AD: (within /usr/lib/openoffice.org/basis3.0/program/libsvtli.so)
==18035==    by 0x60522BA: Control::ImplCallEventListenersAndHandler(unsigned long, Link const&, void*) (in /usr/lib/openoffice.org/basis3.0/program/libvclli.so)
==18035==    by 0x604753D: Button::Click() (in /usr/lib/openoffice.org/basis3.0/program/libvclli.so)
==18035==
==18035== Invalid read of size 4
==18035==    at 0x44C78C5: BigPtrArray::Index2Block(unsigned long) const (bparr.cxx:199)
==18035==    by 0x44C78EF: BigPtrArray::operator[](unsigned long) const (bparr.cxx:147)
==18035==    by 0x42D6C7A: SwDoc::MoveParagraph(SwPaM const&, long, unsigned char) (ndarr.hxx:141)
==18035==    by 0x41A0A47: SwEditShell::MoveParagraph(long) (ednumber.cxx:388)
==18035==    by 0x12505930: SwMailMergeLayoutPage::InsertGreeting(SwWrtShell&, SwMailMergeConfigItem&, bool) (mmlayoutpage.cxx:515)
==18035==    by 0x125073E2: SwMailMergeLayoutPage::InsertAddressAndGreeting(SwView*, SwMailMergeConfigItem&, Point const&, bool) (mmlayoutpage.cxx:306)
==18035==    by 0x125074A7: SwMailMergeLayoutPage::commitPage(svt::WizardTypes::CommitPageReason) (mmlayoutpage.cxx:278)
==18035==    by 0x65D44A2: svt::OWizardMachine::prepareLeaveCurrentState(svt::WizardTypes::CommitPageReason) (in /usr/lib/openoffice.org/basis3.0/program/libsvtli.so)
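As an added illustration (not the attached patch and not OpenOffice's code), a small C++ model of the defect described in the report and of the two fixes it names: an unsigned index computation that wraps when the up count exceeds the current position, a MoveParagraph-style check that refuses any offset leaving the document, and a wizard-side counter that records only the up presses that actually succeeded. The function names and the 20-paragraph document size are assumptions.

```cpp
#include <cstddef>

// Unchecked index computation, as the report describes it: 19 + (-25) done in
// unsigned arithmetic wraps to a huge value (32-bit in the report) instead of
// a negative one. Only computes the index; never dereferences anything.
unsigned long unchecked_target(unsigned long cur, long offset) {
    return cur + static_cast<unsigned long>(offset);   // wraps when -offset > cur
}

// Checked move modelled on the MoveParagraph fix: succeed and write *out only
// if the target index stays inside [0, count); otherwise fail instead of
// handing an out-of-range node index to the paragraph array.
bool move_paragraph(unsigned long count, unsigned long cur, long offset, unsigned long* out) {
    if (cur >= count) return false;                     // caller is already out of range
    if (offset < 0) {
        // 0 - (unsigned)offset == -offset without overflowing for LONG_MIN
        unsigned long up = 0UL - static_cast<unsigned long>(offset);
        if (up > cur) return false;                     // would underflow below node 0
        *out = cur - up;
        return true;
    }
    unsigned long down = static_cast<unsigned long>(offset);
    if (down >= count - cur) return false;              // would run past the last node
    *out = cur + down;
    return true;
}

// Convenience wrapper for callers that want a single value: -1 when rejected.
long checked_target(unsigned long count, unsigned long cur, long offset) {
    unsigned long t;
    return move_paragraph(count, cur, offset, &t) ? static_cast<long>(t) : -1;
}

// Wizard side, modelled on the mail merge fix: every "up" press is attempted
// as a move of -1 and only successful presses are recorded, so the stored
// count is clipped to what the document actually allows.
unsigned long move_up_presses(unsigned long count, unsigned long start, int presses) {
    unsigned long pos = start;
    unsigned long recorded = 0;
    for (int i = 0; i < presses; ++i) {
        unsigned long next;
        if (!move_paragraph(count, pos, -1, &next)) break;   // failed press is not counted
        pos = next;
        ++recorded;
    }
    return recorded;
}
```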
Oliver, please take over
Integrated into cws os130
Reassigned for verification
Verified with os130 without crash
Also no Crash in cws os130a
Verified in DEV300m52. Closing.
Sorry, this issue was wrongly closed. This issue will be reopened automatically and will then be set back to fixed/verified.
Set to state 'fixed'.
Set back to state 'verified/fixed'. Again. Sorry for the mass of mails.
closed, integrated m52