Hi!

https://bugs.freedesktop.org/show_bug.cgi?id=47436

editeng/source/items/frmitems.cxx:1954

1951:   for (int n(0); n != SAL_N_ELEMENTS(aBorders); ++n)
1952:   {
1953:       editeng::SvxBorderLine* pLine = const_cast< editeng::SvxBorderLine* >( GetLine( aBorders[n] ) );
1954:       pLine->SetStyle( eBorderStyle );
1956:   }

Here pLine is a NULL pointer, so calling its member function (SetStyle) causes
SIGSEGV.

aBorders is just an array with 4 elements: { BOX_LINE_LEFT, BOX_LINE_RIGHT, 
BOX_LINE_BOTTOM, BOX_LINE_TOP }
GetLine returns pLeft, pTop, pRight, pBottom. All of these are NULL pointers in 
this case.
These get their values in sw/source/core/unocore/unoframe.cxx (from line 370)

370:    const ::uno::Any* pLeft        = 0;
371:    GetProperty(RES_BOX, LEFT_BORDER  |CONVERT_TWIPS,    pLeft  );

pLeft remains NULL after this (and pTop, pRight, pBottom too)

so these:
396:    SvxBoxItem aBox ( static_cast < const :: SvxBoxItem & > ( rFromSet.Get ( RES_BOX ) ) );
397:    if( pLeft )
398:        bRet &= ((SfxPoolItem&)aBox).PutValue(*pLeft, CONVERT_TWIPS|LEFT_BORDER );
are not executed, and aBox's pLeft (etc) members remain NULL.
but this:
415:    if( pLineStyle )
416:        bRet &= ((SfxPoolItem&)aBox).PutValue(*pLineStyle, LINE_STYLE);
gets executed, and this has a call to pLine->SetStyle (line 1954 mentioned earlier)

Putting 'if( pLine )' before line 1954 causes LO to load the document.

PS.: As on the bug's page: it isn't certain that the odt is valid, but it shouldn't crash anyway.

Szabolcs
                                          
From 13cd12140c9b5f345c720c4aa9fb7e17885f02e9 Mon Sep 17 00:00:00 2001
From: Szabolcs Dezsi <dezsisz...@hotmail.com>
Date: Fri, 20 Apr 2012 00:45:35 +0200
Subject: [PATCH] Workaround for Bug 47436, Crash while opening odt file

---
 editeng/source/items/frmitems.cxx |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/editeng/source/items/frmitems.cxx b/editeng/source/items/frmitems.cxx
index 3cca643..0098af0 100644
--- a/editeng/source/items/frmitems.cxx
+++ b/editeng/source/items/frmitems.cxx
@@ -1951,7 +1951,8 @@ bool SvxBoxItem::PutValue( const uno::Any& rVal, sal_uInt8 nMemberId )
                 for (int n(0); n != SAL_N_ELEMENTS(aBorders); ++n)
                 {
                     editeng::SvxBorderLine* pLine = const_cast< editeng::SvxBorderLine* >( GetLine( aBorders[n] ) );
-                    pLine->SetStyle( eBorderStyle );
+                    if( pLine )
+                        pLine->SetStyle( eBorderStyle );
                 }
                 return sal_True;
             }
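
Review bot: The new `if( pLine )` guard skips a side whose line pointer is NULL without recording that anything was skipped, and the branch still ends in `return sal_True;`, so when all four sides are skipped the style value is discarded while the caller is told the PutValue succeeded. Since the subject line calls this a workaround, add a short comment above the guard saying that GetLine() can return NULL for a side with no border line and that the style is intentionally not applied there, or decide whether this branch should report failure (or keep the style for lines created later) when no side had a line to update.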
-- 
1.7.7
