Apache OpenOffice (AOO) Bugzilla – Issue 119502
[From Symphony][Crash]When save the file as ppt, AOO crashes
Last modified: 2012-12-26 08:10:42 UTC
Build info: AOO3.4_1327774
Steps:
1. Open the sample file
2. Save the file as a ppt
3. An error message pops up.
Created attachment 77722 [details] sample file
I am checking this defect.
Created attachment 78079 [details] simple sample file which can reproduce this defect
Created attachment 78080 [details] the shape screenshots which cause export crash
Created attachment 78081 [details] the shape description in content.xml
Root cause: In the attached simple sample file, the shape named customshape3 has the path "M ?f0 ?f0 L ?f0 ?f0 ?f0 ?f0 ?f0 ?f0 Z N", which contains the "?f0" parameter, and the "?f0" parameter has not been defined, so the vector of equation parameter order is empty. The vector is read directly without adjudgment on export, and the crash occurs.
Solution: add adjudgment before reading the vector.
Created attachment 78228 [details] patch for ppt shape export crash
Reviewing.
Two remarks/questions:
1) The attached patch fixes the crash for nValue==0. There may be other cases where nValue is outside valid bounds. I would suggest a little modification, something like:
    OSL_ASSERT(nValue < rEquationOrder.size());
    if (nValue < rEquationOrder.size())
    {
        nValue = (sal_uInt16)rEquationOrder[ nValue ];
        nValue |= (sal_uInt32)0x80000000;
    }
2) Regarding the root cause: is the document broken, or the code that interprets the path description? If it is the second then we need a fix there.
I think the root cause is the first, because the sample file has a path which contains the "?f0" parameter, and the "?f0" parameter has not been defined, but in the ODF standard the parameter must be defined, so it is a document problem.
The following is the enhanced path and parameter definition in the ODF standard. The definition for "Enhanced Path" is that the draw:enhanced-path attribute specifies a path similar to the svg:d attribute of the <svg:path> element. Instructions such as moveto, lineto, arcto and other instructions together with their parameters describe the geometry of a shape which can be filled and/or stroked. A parameter can also have one of the following enhancements:
1. A “?” is used to mark the beginning of a formula name. The result of the element's draw:formula attribute is used as parameter value in this case.
2. If “$” is preceding an integer value, the value is indexing a draw:modifiers attribute. The corresponding modifier value is used as parameter value then.
I fixed the crash for rEquationOrder.size() == 0 and nValue >= 0, and not for nValue == 0. We should fix the case where nValue is outside valid bounds. I would like to modify the code like the following:
    OSL_ASSERT(rEquationOrder.size()!=0);
    OSL_ASSERT(nValue < rEquationOrder.size());
    if (rEquationOrder.size()!=0 && nValue < rEquationOrder.size())
    {
        nValue = (sal_uInt16)rEquationOrder[ nValue ];
        nValue |= (sal_uInt32)0x80000000;
    }
Please review again.
I'm so sorry for my following mistake. Andre's suggestion is right, I will adopt his comments.
(In reply to comment #11)
> I fixed the crash for rEquationOrder.size() == 0 and nValue >= 0, and not for
> nValue == 0. We should fix the case where nValue is outside valid bounds. I
> would like to modify the code like the following:
>     OSL_ASSERT(rEquationOrder.size()!=0);
>     OSL_ASSERT(nValue < rEquationOrder.size());
>     if (rEquationOrder.size()!=0 && nValue < rEquationOrder.size())
>     {
>         nValue = (sal_uInt16)rEquationOrder[ nValue ];
>         nValue |= (sal_uInt32)0x80000000;
>     }
> Please review again.
Created attachment 78242 [details] patch for ppt shape export crash update patch
Committed the new patch. Thanks for the good work. SVN revision is 1349163.
Verified in r1350879 on Windows 7
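
The two questions raised in this issue (is the document broken, and is the index inside the vector) can be checked separately. The following is an added example, not the committed patch or AOO code: the function names, the fixed-width standard types and the whitespace tokenisation of the path are assumptions, and only rEquationOrder, nValue, the 0x80000000 flag and the sample path come from the thread.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: formula names referenced with '?' in an enhanced path.
// Assumes whitespace-separated tokens, as in the sample path from this issue.
std::set<std::string> referencedFormulas(const std::string& rPath)
{
    std::set<std::string> aNames;
    std::istringstream aIn(rPath);
    for (std::string aTok; aIn >> aTok; )
        if (aTok.size() > 1 && aTok[0] == '?')
            aNames.insert(aTok.substr(1));
    return aNames;
}

// Referenced names that the shape never defines (the broken-document case).
std::set<std::string> undefinedFormulas(const std::string& rPath,
                                        const std::set<std::string>& rDefined)
{
    std::set<std::string> aMissing;
    for (const std::string& rName : referencedFormulas(rPath))
        if (rDefined.count(rName) == 0)
            aMissing.insert(rName);
    return aMissing;
}
// Bounds-checked remap: nValue is rewritten only when it indexes into
// rEquationOrder; an empty vector or a too-large index leaves it untouched.
bool remapEquationIndex(std::uint32_t& nValue,
                        const std::vector<std::uint16_t>& rEquationOrder)
{
    if (nValue >= rEquationOrder.size())
        return false;
    nValue = rEquationOrder[nValue] | 0x80000000u;
    return true;
}

int main()
{
    std::set<std::string> aDefined;             // constructed: no formulas defined
    std::vector<std::uint16_t> aEquationOrder;  // therefore empty, as in the crash
    std::uint32_t nValue = 0;
    std::cout << undefinedFormulas("M ?f0 ?f0 L ?f0 ?f0 ?f0 ?f0 ?f0 ?f0 Z N", aDefined).size()
              << " undefined formula(s), remapped: "
              << remapEquationIndex(nValue, aEquationOrder) << '\n';
}
```

The single comparison nValue >= size() covers both the empty vector and any other out-of-range index, which is why the separate size() != 0 test is redundant.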