
Bug#394144: kword: crash when opening kwd with formulas



Hi,

this bug still exists in kword 1.6.1.  Here are backtraces I got from
i386 and amd64 systems.  I will add the "security" tag to this bug
because this crash could perhaps be used by a malicious kword file to
execute arbitrary code.

Package: kword
Version: 1:1.6.1-1

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (100, 'unstable'), (99, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages kword depends on:
ii  kdelibs4c2a            4:3.5.5a.dfsg.1-5 core libraries and binaries for al
ii  koffice-libs           1:1.6.1-1         common libraries and binaries for
ii  kspread                1:1.6.1-1         a spreadsheet for the KDE Office S
ii  kword-data             1:1.6.1-1         data files for KWord word processo
ii  libc6                  2.5-0exp3         GNU C Library: Shared libraries
ii  libgcc1                1:4.2-20061003-1  GCC support library
ii  libpaper1              1.1.21            Library for handling paper charact
ii  libstdc++6             4.2-20061003-1    The GNU Standard C++ Library v3
ii  libwpd8c2a             0.8.7-4           Library for handling WordPerfect d
ii  libwv2-1c2             0.2.3-1           a library for accessing Microsoft

Versions of packages kword recommends:
ii  libkscan1                     4:3.5.5-2  scanner library for KDE

-- 
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 47463833160512 (LWP 28294)]
[KCrash handler]
#5  KoRuler::setOffset (this=0x0, _diffx=104, _diffy=0)
    at /build/buildd/koffice-1.6.1/./lib/kofficeui/KoRuler.cpp:1112
#6  0x00002b2b096dfb83 in KWCanvas::updateRulerOffsets (this=0xa817c0, 
    cx=104, cy=1518) at /build/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1693
#7  0x00002b2b096f9b57 in KWCanvas::slotContentsMoving (this=0xa817c0, 
    cx=104, cy=1519) at /build/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1628
#8  0x00002b2b09704b41 in KWCanvas::qt_invoke (this=0xa817c0, _id=64, 
    _o=0x7fffa6f53120) at ./KWCanvas.moc:175
#9  0x00002b2b071beb7a in QObject::activate_signal (this=0xa817c0, 
    clist=0xa8e390, o=0x7fffa6f53120) at kernel/qobject.cpp:2356
#10 0x00002b2b075482e4 in QScrollView::contentsMoving (this=0xa817c0, t0=104, 
    t1=1519) at .moc/debug-shared-mt/moc_qscrollview.cpp:216
#11 0x00002b2b072ee39f in QScrollView::moveContents (this=0xa817c0, x=-104, 
    y=-1519) at widgets/qscrollview.cpp:2073
#12 0x00002b2b072ee584 in QScrollView::setContentsPos (this=0xa817c0, x=104, 
    y=1519) at widgets/qscrollview.cpp:1998
#13 0x00002b2b072e9a00 in QScrollView::ensureVisible (this=0xa817c0, x=152, 
    y=1532, xmargin=48, ymargin=13) at widgets/qscrollview.cpp:1979
#14 0x00002b2b072e9af8 in QScrollView::ensureVisible (this=0xa817c0, x=152, 
    y=1532) at widgets/qscrollview.cpp:1925
#15 0x00002b2b096f7159 in KWFormulaFrameSetEdit::cursorChanged (
    this=0xa8e680, visible=<value optimized out>)
    at /build/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:506
#16 0x00002b2b097e9410 in KWFormulaFrameSetEdit::qt_invoke (this=0xa8e680, 
    _id=2, _o=0x7fffa6f53320) at ./KWFormulaFrameSet.moc:187
#17 0x00002b2b071beb7a in QObject::activate_signal (this=0xa8e730, 
    clist=0xa74780, o=0x7fffa6f53320) at kernel/qobject.cpp:2356
#18 0x00002b2b09f22cee in KFormula::View::cursorChanged (
    this=<value optimized out>, t0=<value optimized out>, t1=false)
    at ./kformulaview.moc:118
#19 0x00002b2b09750fca in KWFormulaFrameSetEdit (this=0xa8e680, fs=0xcbac50, 
    canvas=<value optimized out>)
    at /build/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:373
#20 0x00002b2b09751024 in KWFormulaFrameSet::createFrameSetEdit (
    this=0xcbac50, canvas=0xa817c0)
    at /build/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:153
#21 0x00002b2b097c5825 in KWCanvas::checkCurrentEdit (this=0xa817c0, 
    fs=0xcbac50, onlyText=false)
    at /build/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1351
#22 0x00002b2b097caa8d in KWCanvas (this=0xa817c0, viewMode=@0x65d688, 
    parent=<value optimized out>, d=0x65d360, lGui=0xa2d370)
    at /build/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:151
#23 0x00002b2b097cac74 in KWGUI (this=0xa2d370, viewMode=@0x65d688, 
    parent=<value optimized out>, daView=<value optimized out>)
    at /build/buildd/koffice-1.6.1/./kword/KWView.cpp:7611
#24 0x00002b2b097d236e in KWView (this=0xb202c0, viewMode=@0x65d688, 
    parent=<value optimized out>, name=<value optimized out>, doc=0x65d360)
    at /build/buildd/koffice-1.6.1/./kword/KWView.cpp:278
#25 0x00002b2b097d2ec6 in KWDocument::createViewInstance (this=0x65d360, 
    parent=0x713ac0, name=0x2b2b0455400e "view")
    at /build/buildd/koffice-1.6.1/./kword/KWDocument.cpp:3723
#26 0x00002b2b044d56fa in KoDocument::createView (this=0x0, parent=0x68, 
    name=0x0)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoDocument.cpp:316
#27 0x00002b2b044e72e1 in KoMainWindow::setRootDocument (this=0x6ed180, 
    doc=0x65d360)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:372
#28 0x00002b2b0450a79f in KoMainWindow::slotLoadCompleted (this=0x6ed180)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:630
#29 0x00002b2b0453687e in KoMainWindow::qt_invoke (this=0x6ed180, _id=101, 
    _o=0x7fffa6f53900) at ./KoMainWindow.moc:199
#30 0x00002b2b071beb7a in QObject::activate_signal (this=0x65d360, 
    clist=0x6ff580, o=0x7fffa6f53900) at kernel/qobject.cpp:2356
#31 0x00002b2b071bf70a in QObject::activate_signal (this=0x65d360, signal=5)
    at kernel/qobject.cpp:2325
#32 0x00002b2b048e0daa in KParts::ReadOnlyPart::openURL (this=0x65d360, 
    url=<value optimized out>)
    at /build/buildd/kdelibs-3.5.5a.dfsg.1/./kparts/part.cpp:347
#33 0x00002b2b0451c65e in KoDocument::openURL (this=0x65d360, 
    _url=@0x7fffa6f53fb0)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoDocument.cpp:1375
#34 0x00002b2b044f0ec9 in KoMainWindow::openDocumentInternal (this=0x6ed180, 
    url=@0x7fffa6f53fb0, newdoc=0x65d360)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:593
#35 0x00002b2b0451cbca in KoMainWindow::openDocument (this=0x6ed180, 
    newdoc=0x65d360, url=@0x7fffa6f53fb0)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:575
#36 0x00002b2b0454674a in KoApplication::start (this=0x7fffa6f54350)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoApplication.cpp:211
#37 0x00002b2b03c7127d in kdemain (argc=<value optimized out>, 
    argv=0x7fffa6f545d8) at /build/buildd/koffice-1.6.1/./kword/main.cpp:38
#38 0x00002b2b04221314 in __libc_start_main () from /lib/libc.so.6
#39 0x000000000040051a in _start () at ../sysdeps/x86_64/elf/start.S:113

Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -161933616 (LWP 28697)]
[KCrash handler]
#6  KoRuler::setOffset (this=0x0, _diffx=104, _diffy=0)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficeui/KoRuler.cpp:1112
#7  0xf5bdcb98 in KWCanvas::updateRulerOffsets (this=0x8364120, cx=104, 
    cy=1519) at /tmp/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1693
#8  0xf5bfa2d7 in KWCanvas::slotContentsMoving (this=0x8364120, cx=104, 
    cy=1519) at /tmp/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1628
#9  0xf5c09fcc in KWCanvas::qt_invoke (this=0x8364120, _id=64, _o=0xff940394)
    at ./KWCanvas.moc:175
#10 0xf6b55cb3 in QObject::activate_signal (this=0x8364120, clist=0x8351758, 
    o=0xff940394) at kernel/qobject.cpp:2356
#11 0xf6efd1b4 in QScrollView::contentsMoving (this=0x8364120, t0=104, t1=1519)
    at .moc/debug-shared-mt/moc_qscrollview.cpp:216
#12 0xf6c8c9fe in QScrollView::moveContents (this=0x8364120, x=-104, y=-1519)
    at widgets/qscrollview.cpp:2073
#13 0xf6c8cc09 in QScrollView::setContentsPos (this=0x8364120, x=104, y=1519)
    at widgets/qscrollview.cpp:1998
#14 0xf6c87ab0 in QScrollView::ensureVisible (this=0x8364120, x=152, y=1532, 
    xmargin=48, ymargin=13) at widgets/qscrollview.cpp:1979
#15 0xf6c87bdf in QScrollView::ensureVisible (this=0x8364120, x=152, y=1532)
    at widgets/qscrollview.cpp:1925
#16 0xf5bf42dd in KWFormulaFrameSetEdit::cursorChanged (this=0x8351920, 
    visible=true)
    at /tmp/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:506
#17 0xf5cb388b in KWFormulaFrameSetEdit::qt_invoke (this=0x8351920, _id=2, 
    _o=0xff940580) at ./KWFormulaFrameSet.moc:187
#18 0xf6b55cb3 in QObject::activate_signal (this=0x8351840, clist=0x8351d70, 
    o=0xff940580) at kernel/qobject.cpp:2356
#19 0xf57f199f in KFormula::View::cursorChanged (this=0x8351840, t0=true, 
    t1=false) at ./kformulaview.moc:118
#20 0xf57f1ad6 in KFormula::View::emitCursorChanged (this=0x8351840)
    at /tmp/buildd/koffice-1.6.1/./lib/kformula/kformulaview.cc:397
#21 0xf57f2181 in KFormula::View::focusInEvent (this=0x8351840)
    at /tmp/buildd/koffice-1.6.1/./lib/kformula/kformulaview.cc:183
#22 0xf5bc9bfe in KWFormulaFrameSetEdit::focusInEvent (this=0x8351920)
    at /tmp/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:436
#23 0xf5c0e51c in KWFormulaFrameSetEdit (this=0x8351920, fs=0x8485af0, 
    canvas=0x8364120)
    at /tmp/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:373
#24 0xf5c0e56b in KWFormulaFrameSet::createFrameSetEdit (this=0x8485af0, 
    canvas=0x8364120)
    at /tmp/buildd/koffice-1.6.1/./kword/KWFormulaFrameSet.cpp:153
#25 0xf5cb2820 in KWCanvas::checkCurrentEdit (this=0x8364120, fs=0x8485af0, 
    onlyText=false) at /tmp/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1351
#26 0xf5cb70fa in KWCanvas (this=0x8364120, viewMode=@0x8124700, 
    parent=0x8363c50, d=0x81244f0, lGui=0x8372068)
    at /tmp/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:151
#27 0xf5cb7365 in KWGUI (this=0x8372068, viewMode=@0x8124700, 
    parent=0x83e41d8, daView=0x83e41d8)
    at /tmp/buildd/koffice-1.6.1/./kword/KWView.cpp:7611
#28 0xf5ceab6f in KWView (this=0x83e41d8, viewMode=@0x8124700, 
    parent=0x81a32a8, name=0xf7cc1f2e "view", doc=0x81244f0)
    at /tmp/buildd/koffice-1.6.1/./kword/KWView.cpp:278
#29 0xf5ceb817 in KWDocument::createViewInstance (this=0x81244f0, 
    parent=0x81a32a8, name=0xf7cc1f2e "view")
    at /tmp/buildd/koffice-1.6.1/./kword/KWDocument.cpp:3723
#30 0xf7c33868 in KoDocument::createView (this=0x81244f0, parent=0x81a32a8, 
    name=0xf7cc1f2e "view")
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoDocument.cpp:316
#31 0xf7c4a147 in KoMainWindow::setRootDocument (this=0x818d150, doc=0x81244f0)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:372
#32 0xf7c71ad2 in KoMainWindow::slotLoadCompleted (this=0x818d150)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:630
#33 0xf7c96803 in KoMainWindow::qt_invoke (this=0x818d150, _id=101, 
    _o=0xff9409fc) at ./KoMainWindow.moc:199
#34 0xf6b55cb3 in QObject::activate_signal (this=0x81244f0, clist=0x81c7f78, 
    o=0xff9409fc) at kernel/qobject.cpp:2356
#35 0xf6b56744 in QObject::activate_signal (this=0x81244f0, signal=5)
    at kernel/qobject.cpp:2325
#36 0xf7b8e4ba in KParts::ReadOnlyPart::completed (this=0x81244f0)
    at ./part.moc:240
#37 0xf7b9880c in KParts::ReadOnlyPart::openURL (this=0x81244f0, 
    url=@0xff940b50)
    at /home/ana/Debian/kdelibs/kdelibs-3.5.5a.dfsg.1/./kparts/part.cpp:347
#38 0xf7cacd3a in KoDocument::openURL (this=0x81244f0, _url=@0xff940e10)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoDocument.cpp:1375
#39 0xf7c557e9 in KoMainWindow::openDocumentInternal (this=0x818d150, 
    url=@0xff940e10, newdoc=0x81244f0)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:593
#40 0xf7cad35d in KoMainWindow::openDocument (this=0x818d150, 
    newdoc=0x81244f0, url=@0xff940e10)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoMainWindow.cpp:575
#41 0xf7cb2ce8 in KoApplication::start (this=0xff940f7c)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoApplication.cpp:211
#42 0xf7f23fc9 in kdemain (argc=2, argv=0xff941114)
    at /tmp/buildd/koffice-1.6.1/./kword/main.cpp:38
#43 0x08048482 in main (argc=2336664, argv=0x80db010) at kword.la.cpp:2
#44 0xf7ce7878 in __libc_start_main () from /lib/i686/cmov/libc.so.6
#45 0x080483d1 in _start () at ../sysdeps/i386/elf/start.S:119
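The two backtraces above carry the same signal: the innermost frame is `KoRuler::setOffset (this=0x0, ...)`, a method invoked through a null pointer, and the frame directly above it, `KWCanvas::updateRulerOffsets` at `KWCanvas.cpp:1693`, is the caller that passed that null. The amd64 trace also shows `this=0x0` in frame #26 (`KoDocument::createView`), where the i386 trace shows a valid pointer, so outer frames of an optimized build are not reliable evidence. The following Python is an added triage example, not code from the bug report or from KOffice: it parses gdb frames from an excerpt of the report's own two traces (trimmed to a few frames each), flags every frame whose `this` is null, takes only the innermost one as the crash site, and checks that both architectures fail at the same call site, which is what justifies treating them as one bug. Function names and the trimmed traces are the author's constructions for this example.

```python
"""Triage helper for gdb backtraces: find the frame where a method was called
through a null `this` and name the caller that handed it over.

The two traces below are excerpts (a few frames each) of the backtraces in
the bug report; they are the sample input for this example."""
import os
import re

AMD64_TRACE = """\
[KCrash handler]
#5  KoRuler::setOffset (this=0x0, _diffx=104, _diffy=0)
    at /build/buildd/koffice-1.6.1/./lib/kofficeui/KoRuler.cpp:1112
#6  0x00002b2b096dfb83 in KWCanvas::updateRulerOffsets (this=0xa817c0,
    cx=104, cy=1518) at /build/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1693
#7  0x00002b2b096f9b57 in KWCanvas::slotContentsMoving (this=0xa817c0,
    cx=104, cy=1519) at /build/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1628
#26 0x00002b2b044d56fa in KoDocument::createView (this=0x0, parent=0x68,
    name=0x0)
    at /build/buildd/koffice-1.6.1/./lib/kofficecore/KoDocument.cpp:316
#38 0x00002b2b04221314 in __libc_start_main () from /lib/libc.so.6
"""

I386_TRACE = """\
[KCrash handler]
#6  KoRuler::setOffset (this=0x0, _diffx=104, _diffy=0)
    at /tmp/buildd/koffice-1.6.1/./lib/kofficeui/KoRuler.cpp:1112
#7  0xf5bdcb98 in KWCanvas::updateRulerOffsets (this=0x8364120, cx=104,
    cy=1519) at /tmp/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1693
#8  0xf5bfa2d7 in KWCanvas::slotContentsMoving (this=0x8364120, cx=104,
    cy=1519) at /tmp/buildd/koffice-1.6.1/./kword/KWCanvas.cpp:1628
#30 0xf7c33868 in KoDocument::createView (this=0x81244f0, parent=0x81a32a8,
    name=0xf7cc1f2e "view")
    at /tmp/buildd/koffice-1.6.1/./lib/kofficecore/KoDocument.cpp:316
#44 0xf7ce7878 in __libc_start_main () from /lib/i686/cmov/libc.so.6
"""

# One gdb frame: "#N [0xADDR in ]func (args) [at|from location]"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>.+?) \((?P<args>.*)\)"
    r"(?:\s+(?:at|from)\s+(?P<loc>\S+))?\s*$"
)


def _join_frame_lines(text):
    """gdb wraps long frames onto indented continuation lines; glue them back."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            lines.append(raw.rstrip())
        elif raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        # banner lines such as "[KCrash handler]" are not frames and are skipped
    return lines


def parse_backtrace(text):
    """Return frames as dicts (num, func, args dict, loc), innermost first."""
    frames = []
    for line in _join_frame_lines(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        args = {}
        for item in m.group("args").split(", "):
            if "=" in item:
                key, value = item.split("=", 1)
                args[key.strip()] = value.strip()
        frames.append({"num": int(m.group("num")), "func": m.group("func"),
                       "args": args, "loc": m.group("loc")})
    frames.sort(key=lambda f: f["num"])
    return frames


def null_this_frames(frames):
    """Every frame whose receiver pointer is null (method called via nullptr)."""
    return [f for f in frames if f["args"].get("this") == "0x0"]


def _short_loc(loc):
    """Keep file:line only, so /build/... and /tmp/... build paths compare equal."""
    return os.path.basename(loc) if loc else None


def crash_site(frames):
    """Innermost null-this frame plus its caller. Only the innermost frame is
    trusted: outer frames of an optimized build may display bogus values."""
    nulls = null_this_frames(frames)
    if not nulls:
        return None
    crash = nulls[0]
    callers = [f for f in frames if f["num"] == crash["num"] + 1]
    caller = callers[0] if callers else None
    return {"crash_func": crash["func"],
            "caller_func": caller["func"] if caller else None,
            "caller_loc": _short_loc(caller["loc"]) if caller else None}


def same_root_cause(trace_a, trace_b):
    """True when both traces dereference null in the same method from the same
    source line, i.e. one bug reproduced on two architectures."""
    a = crash_site(parse_backtrace(trace_a))
    b = crash_site(parse_backtrace(trace_b))
    return a is not None and a == b


if __name__ == "__main__":
    for name, trace in (("amd64", AMD64_TRACE), ("i386", I386_TRACE)):
        print(name, crash_site(parse_backtrace(trace)))
    print("same root cause:", same_root_cause(AMD64_TRACE, I386_TRACE))
```

Run it on the full traces from the report (paste them in place of the excerpts) and the result is the same: the crash site is `KoRuler::setOffset` called from `KWCanvas.cpp:1693` on both architectures. That localisation is what a maintainer needs to fix the caller, and the null-pointer nature of the fault (a read through address 0x0, not a write to attacker-controlled memory) is the first thing to establish when assessing the "arbitrary code" concern raised in the report.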
