[Libreoffice-bugs] [Bug 109331] crash on invalid basic macro

Tue Jul 25 19:13:24 UTC 2017

https://bugs.documentfoundation.org/show_bug.cgi?id=109331

--- Comment #6 from Julien Nabet <serval2412 at yahoo.fr> ---
1) Valgrind shows this (I added content of the code line):
==22847== Invalid read of size 4
==22847==    at 0xFC552BA: ErrorInfo::GetErrorCode() const (errinf.hxx:147)
ErrCode                 GetErrorCode() const { return nUserId; }

==22847==   by 0xFC53E58: ErrorHandler::HandleError(ErrCode, DialogMask)
(errinf.cxx:179)
if (pInfo->GetErrorCode() != ERRCODE_ABORT)

...
==22847==  Address 0x55c05a08 is 8 bytes inside a block of size 32 free'd
==22847==    at 0x4C2D2DB: operator delete(void*) (vg_replace_malloc.c:576)
==22847==    by 0xFC61178: StringErrorInfo::~StringErrorInfo() (errinf.hxx:171)
class SAL_WARN_UNUSED VCL_DLLPUBLIC StringErrorInfo : public DynamicErrorInfo

==22847==    by 0xFC5390F: ErrorHandler::GetErrorString(ErrCode,
rtl::OUString&) (errinf.cxx:107)
delete pInfo;

==22847==    by 0xFC53C89: ErrorHandler::HandleError(ErrCode, DialogMask)
(errinf.cxx:151)
if (ErrorHandler::GetErrorString(nErrCodeId, aErr))

So pInfo is invalid because we deleted it.

2) pInfo is retrieved with this line:
ErrorInfo *pInfo = ErrorInfo::GetErrorInfo(nErrCodeId);
(see https://opengrok.libreoffice.org/xref/core/vcl/source/window/errinf.cxx#99
+
https://opengrok.libreoffice.org/xref/core/vcl/source/window/errinf.cxx#118)

Here's the content of GetErrorInfo (in this same file):
272  ErrorInfo *ErrorInfo::GetErrorInfo(ErrCode nId)
273  {
274      if(nId.IsDynamic())
275          return ImplDynamicErrorInfo::GetDynamicErrorInfo(nId);
276      else
277          return new ErrorInfo(nId);
278  }

After having added some traces, it shows we enter in dynamic part.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20170725/16546150/attachment.html>