17343 – XMLShapeStyleContext::FillPropertySet has invalid memory access

Issue 17343 - XMLShapeStyleContext::FillPropertySet has invalid memory access

Summary: XMLShapeStyleContext::FillPropertySet has invalid memory access

Status:	CLOSED FIXED

Alias:	None

Product:	xml
Classification:	Code
Component:	code (show other issues)
Version:	OOo 1.1 RC
Hardware:	PC Linux, all

Importance:	P2 Trivial (vote)
Target Milestone:	OOo 2.0
Assignee:	wolframgarten
QA Contact:	issues@xml

URL:
Keywords:	oooqa

Depends on:
Blocks:

Reported:	2003-07-24 06:33 UTC by dankegel
Modified:	2004-04-28 10:28 UTC (History)
CC List:	3 users (show)

See Also:
Issue Type:	DEFECT
Latest Confirmation in:	---
Developer Difficulty:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description dankegel 2003-07-24 06:33:49 UTC

See http://kegel.com/openoffice/issue-14425.txt
and http://kegel.com/openoffice/issue-17280.txt
for two different stack dumps both reporting similar
problem in FillPropertySet when loading a document.

It would be interesting to know if this was actually
the cause of the crashes reported in issue 14425 and issue 17280.

Comment 1 dankegel 2003-07-24 06:34:23 UTC

Adding keywords

Comment 2 dankegel 2003-07-24 23:01:09 UTC

Julian Seward hisself sent me a valgrind log from issue
14425 made with a debugging copy of OOo1.1rc so it has source code
line numbers.  That might help anyone trying to analyze this
without running valgrind themselves.  It's at 
http://kegel.com/openoffice/jseward-14425.txt

I'm raising the priority of this to P2 since it seems to be
implicated in two real-world crashes.

Comment 3 thorsten.ziehm 2003-07-28 08:41:19 UTC

Both are sxi-files. So I set this task to Christian.

Comment 4 marc.neumann 2003-07-28 10:19:00 UTC

send to the developer

Comment 5 clippka 2003-07-28 11:51:24 UTC

evaluating this

Comment 6 marc.neumann 2003-07-28 12:32:50 UTC

set target to 2.0, because the stacks are not showing the root cause
of the crash, however we will investigate it further.

Comment 7 clippka 2003-07-28 12:52:38 UTC

Thorsten, can you please verify this with valgrind on linux? I had a
look at the code and think its a false alarm, but we have to be sure

Comment 8 thb 2003-07-28 14:48:33 UTC

Okay, I'll take a look.

Comment 9 Unknown 2003-07-28 23:56:49 UTC

The invalid memory access in question is a size-2 read,   
of an address 8 bytes before the start of some block.  
This happens at at xmlprmap.hxx line 185:  
  
   /** returns the entry context id */  
   const sal_Int16 GetEntryContextId( sal_Int32 nIndex ) const  
   {  
     return aMapEntries[nIndex].nContextId;  <-- line 185  
   }  
  
Can someone who knows the code add an assertion that nIndex  
is valid at this point?  I think it's highly likely that  
nIndex is out of range (-1, perhaps) and that's what's giving  
rise to the invalid read.  This causes garbage to be read from  
memory and returned to the caller (some kind of search loop  
at XMLShapeStyleContext.cxx:188).

Comment 10 matthias.huetsch 2003-07-29 10:30:10 UTC

Hi Julian, Thorsten,

I think Julian is probably right here, it looks like an 'array index
out of bounds' error. With the used container, std::vector<>, instead
of 'std::vector<>::operator[]()' (index access) assertion code could
use 'std::vector<>::at()' throwing a 'std::out_of_range' exception:

Thus, instead of

  return aMapEntries[nIndex].nContextId;

one could write:

try
{
  return aMapEntries.at(nIndex).nContextId;
}
catch (std::out_of_range)
{
  assert (0);
  return <invalid_context_id_whatever_that_may_be>;
}

Don't know whether it's easier to leave out the try-catch block and
just wait for an unhandled / unexpected exception to terminate the
process. The 'risk' is in someone silently catching this exception
away so that it may go unnoticed.

Hope that helps,
Matthias

Comment 11 thb 2003-07-29 12:42:36 UTC

Julian, Matthias, 

thanks for tracking that down. But I think I'll just assert the 
error condition here, don't know if calling code is even exception-aware.

Comment 12 matthias.huetsch 2003-07-29 16:18:19 UTC

Hi Thorsten,

Well, my code proposal was only meant for bug hunting (assertions), not
for production code. As I understand this case, we have two bugdocs that
trigger this issue, so it should be possible (for testing purposes) to
understand and verify what goes wrong here.

IMHO, the root cause seems to be in a design that requires the
contents of two containers to be in sync all the time, where one
container holds indices into another one. But of course that's only a
guess.

ATM, I'm more interested in whether 'valgrind's complaints can be
verified, so that we either can develop trust in 'valgrind' (and don't
argue about each issue it reports) or give Julian a change to improve
his tool. Having already verified a few issues, my current guess is
that it's the former case.

Matthias

Comment 13 dankegel 2003-07-31 19:30:54 UTC

If the OOo developer team decides it trusts Valgrind,
it would probably make sense to clear out a few of the most
frequently occurring Valgrind errors before release of
OOo1.1.  That'll make Valgrind logs easier to wade throgh,
and might even fix some user-visible bugs...

Comment 14 thb 2003-09-12 19:02:40 UTC

Christian, looks like this is for real. Please take over again.

Comment 15 clippka 2003-09-15 11:03:36 UTC

Will try to reproduce it, if not I just leave the assertion in

Comment 16 dankegel 2003-09-15 16:38:01 UTC

Hi Christian,
if you have any trouble reproducing using Valgrind, please
let me know.

BTW last I checked, the crash reporter didn't handle assertions
properly...

Comment 17 matthias.huetsch 2003-10-28 10:18:22 UTC

Removed nonsense dependency (issue 21786 depending on this one).

Comment 18 clippka 2004-03-11 15:02:50 UTC

The root cause for this where some loop inside xmloff that iterate over a set of
XMLPropertyState and then asked via GetEntryContextId() for a possible context
id and used the mnIndex member from the XMLPropertyState as an index. But the
mnIndex member is also used with a -1 to mark a XMLPropertyState that is now
invalid. So I added a skip into all loops for this case.

I also made the code more failsafe and added the assertion "illegal access to
invalid entry!" in case someone uses an invalid index in GetEntryContextId(),
GetEntryAPIName(),  GetEntryXMLName() , GetEntryNameSpace(), GetEntryType() and
GetEntryFlags()

Comment 19 dankegel 2004-03-11 16:46:44 UTC

Fabulous.  Is the fix safe enough to backport to OOo 1.1.1 or 1.1.2?

Comment 20 clippka 2004-03-11 17:13:42 UTC

In theorie it is safe, but if we plan to implement this fix in OOo 1.1.2, I
would suggest just to add the failsafe modification to GetEntryContextId() that
silently returns a 0 when called with the common invalid index -1. I would not
touch any of the faulty loops for a patch.

Comment 21 clippka 2004-03-16 09:39:28 UTC

For testing, please export a wide range of documents and make sure the new
assertion "illegal access to invalid entry!" does not pop up.
Since this is no plattform dependend fix, its ok to just check it under the
build windows nonpro

Comment 22 wolframgarten 2004-03-26 11:45:39 UTC

Set to fixed.

Comment 23 wolframgarten 2004-03-29 11:22:00 UTC

Verified in CWS.

Comment 24 wolframgarten 2004-04-28 10:28:49 UTC

Tested in master. Closed.