These two proof of concept files seem to trigger similar crashes in ICU via Libreoffice. One is a integer overflow and the other a heap overflow.
Tested versions:
Libreoffice 4.3.3.2 with ICU 53 on Windows (let's call it target 1)
Libreoffice 4.4.0-beta2 with ICU 52 on Debian testing (target 2)

>> Notes on fuzzed-18-95-602621340.xls:
fuzzed-18-95-602621340.xls doesn't seem to crash target 1, but it crashes target 2.
Calc crashes with a SIGSEGV on free caused by an invalid pointer. The backtrace can be seen in [1] but this only shows when the actual blowup happens.
The integer overflow can be traced to a call in resolveImplicitLevels in the ICU library (itself called from ubidi_setPara which is called in core/editeng/source/editeng/impedit2.cxx:1895). With the proof of concept file, the overflow happens on the 18th call to ubidi_setPara.

Integer overflow in resolveImplicitLevels (ubidi.c:2248):

        pBiDi->isolates[pBiDi->isolateCount].state=levState.state;

pBiDi->isolates[].state is a int16, while levState.state is a int32. The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[].
        
The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
    int32_t startON;
    int32_t start1;
    int16_t stateImp;
    int16_t state;
} Isolate;

LevState is defined in ubidi.c:1748
typedef struct {
    const ImpTab * pImpTab;             /* level table pointer          */
    const ImpAct * pImpAct;             /* action map array             */
    int32_t startON;                    /* start of ON sequence         */
    int32_t startL2EN;                  /* start of level 2 sequence    */
    int32_t lastStrongRTL;              /* index of last found R or AL  */
    int32_t state;                      /* current state                */
    int32_t runStart;                   /* start position of the run    */
    UBiDiLevel runLevel;                /* run level before implicit solving */
} LevState;

My view on this is that it is hard to exploit (as all integer overflows are), but might be possible to do so - I'm won't put my hands in the fire and say no. No guarantees on this one.


>> Notes on fuzzed-168-7-542405652.xls:
fuzzed-168-7-542405652.xls seems to crash both targets, and while it is related to fuzzed-18-95-602621340.xls it seems to be a different bug. 
The code to blame is the following (from ubidi.c:2148 in ICU 52):
    dirProp=dirProps[limit-1];
    if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
        pBiDi->isolateCount++;
        pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;
        pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
        pBiDi->isolates[pBiDi->isolateCount].start1=start1;
    }
    else
        processPropertySeq(pBiDi, &levState, eor, limit, limit);

From my investigation below, I'm guessing that isolateCount is increased by one and the following writes are out of bounds, causing valgrind to throw the errors below and finally killing it. Again I'm not sure but this might be exploitable - I'm not putting my hands in the fire. No guarantees either.

There are 3 out of bound writes: one of 2 bytes, then 4 bytes, then 2 bytes again.
Running in target 2 and stepping through the code in valgrind, the writes occur at the following places:

>> 1st invalid write:
Valgrind:
==32460== Invalid write of size 2
==32460==    at 0xCF7D544: resolveImplicitLevels (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0xCF7DDE5: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32460==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32460==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32460==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32460==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32460==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32460==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32460==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32460==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
==32460==    by 0x28037A62: ImportExcel8::Read() (read.cxx:1183)
==32460==  Address 0x20abba4c is 4 bytes after a block of size 152 alloc'd
==32460==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==32460==    by 0xCF7AC3F: ubidi_getMemory_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0xCF7E05D: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32460==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32460==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32460==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32460==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32460==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32460==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32460==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32460==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)

GDB:
resolveImplicitLevels (pBiDi=pBiDi@entry=0x1f6da5a0, start=start@entry=1562, limit=limit@entry=1573, sor=<optimized out>, eor=0 '\000') at ubidi.c:2151
2151	        pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;


>> 2nd invalid write:
Valgrind:
==32460== Invalid write of size 4
==32460==    at 0xCF7D549: resolveImplicitLevels (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0xCF7DDE5: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32460==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32460==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32460==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
(same stack trace as 1)

GDB:
resolveImplicitLevels (pBiDi=pBiDi@entry=0x1f6da5a0, start=start@entry=1562, limit=limit@entry=1573, sor=<optimized out>, eor=0 '\000') at ubidi.c:2153
2153	        pBiDi->isolates[pBiDi->isolateCount].start1=start1;


>> 3rd invalid write:
Valgrind:
==32460== Invalid write of size 2
==32460==    at 0xCF7D54B: resolveImplicitLevels (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0xCF7DDE5: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32460==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32460==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32460==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32460==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
(same stack trace as 1)

GDB:
resolveImplicitLevels (pBiDi=pBiDi@entry=0x1f6da5a0, start=start@entry=1562, limit=limit@entry=1573, sor=<optimized out>, eor=0 '\000') at ubidi.c:2152
2152	        pBiDi->isolates[pBiDi->isolateCount].state=levState.state;

Shortly after the 3rd invalid write valgrind explodes and dumps a vgcore file.


When running in target 1, it crashes with the following in Windbg:
eax=000ffff0 ebx=11adee28 ecx=00000004 edx=0000ffff esi=06433c08 edi=11a83608
eip=49abb639 esp=00cde724 ebp=00cde780 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
icuuc53!ubidi_getClass_53+0x3fb9:
49abb639 8a940898b9b449  mov     dl,byte ptr icuuc53!icu_53::UCharCharacterIterator::`vftable'+0x2c5cc (49b4b998)[eax+ecx] ds:002b:49c4b98c=??

(which is basically useless but proves this wasn't fixed in ICU 53)


[1]
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x7000002ca) at malloc.c:2929
2929	malloc.c: No such file or directory.

#0  __GI___libc_free (mem=0x7000002ca) at malloc.c:2929
#1  0x00007fffefaa32e5 in ubidi_close_52 (pBiDi=0x1712cd0) at ubidi.c:261
#2  0x00007fffcf84f8b9 in ImpEditEngine::InitWritingDirections (this=this@entry=0x170daa0, nPara=nPara@entry=1)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/impedit2.cxx:1915
#3  0x00007fffcf852ad6 in ImpEditEngine::InitScriptTypes (this=this@entry=0x170daa0, nPara=nPara@entry=1)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/impedit2.cxx:1685
#4  0x00007fffcf85538d in ImpEditEngine::GetItemScriptType (this=this@entry=0x170daa0, rSel=...)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/impedit2.cxx:1788
#5  0x00007fffcf8713a7 in ImpEditEngine::CreateTextObject (this=this@entry=0x170daa0, aSel=..., pPool=pPool@entry=0x16f7bf0, 
    bAllowBigObjects=bAllowBigObjects@entry=false, nBigObjectStart=nBigObjectStart@entry=20)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/impedit4.cxx:1044
#6  0x00007fffcf8715ca in ImpEditEngine::CreateTextObject (this=this@entry=0x170daa0, aSel=...)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/impedit4.cxx:1019
#7  0x00007fffcf871675 in ImpEditEngine::CreateTextObject (this=0x170daa0)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/impedit4.cxx:1014
#8  0x00007fffcf8269e9 in EditEngine::CreateTextObject (this=this@entry=0x170da80)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/editeng/source/editeng/editeng.cxx:1488
#9  0x00007fffcbef4e15 in (anonymous namespace)::lclCreateTextObject (rRoot=..., rString=..., nXFIndex=nXFIndex@entry=63, eType=EXC_FONTITEM_EDITENG)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sc/source/filter/excel/xihelper.cxx:209
#10 0x00007fffcbef4ecd in XclImpStringHelper::SetToDocument (rDoc=..., rPos=..., rRoot=..., rString=..., nXFIndex=nXFIndex@entry=63)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sc/source/filter/excel/xihelper.cxx:230
#11 0x00007fffcbde0032 in ImportExcel8::Labelsst (this=this@entry=0x1665380)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sc/source/filter/excel/excimp8.cxx:307
#12 0x00007fffcbe03a63 in ImportExcel8::Read (this=0x1665380) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sc/source/filter/excel/read.cxx:1183
#13 0x00007fffcbdd1c63 in ScFormatFilterPluginImpl::ScImportExcel (this=<optimized out>, rMedium=..., pDocument=0x15685c8, eFormat=<optimized out>)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sc/source/filter/excel/excel.cxx:138
#14 0x00007fffd8d7c561 in ScDocShell::ConvertFrom (this=0x15684f0, rMedium=...)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sc/source/ui/docshell/docsh.cxx:1138
#15 0x00007ffff442e235 in SfxObjectShell::DoLoad (this=0x15684f0, pMed=pMed@entry=0x1536a80)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sfx2/source/doc/objstor.cxx:781
#16 0x00007ffff446f1a7 in SfxBaseModel::load (this=0x156d160, seqArguments=...)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sfx2/source/doc/sfxbasemodel.cxx:1858
#17 0x00007ffff4503051 in (anonymous namespace)::SfxFrameLoader_Impl::load (this=0x156d218, rArgs=uno::Sequence of length 13 = {...}, 
    _rTargetFrame=<error reading variable: Cannot access memory at address 0x0>)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/sfx2/source/view/frmload.cxx:703
#18 0x00007fffdb1c9f85 in framework::LoadEnv::impl_loadContent (this=0x13fa080)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/framework/source/loadenv/loadenv.cxx:1122
#19 0x00007fffdb1ca79e in framework::LoadEnv::startLoading (this=this@entry=0x13fa080)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/framework/source/loadenv/loadenv.cxx:383
#20 0x00007fffdb14ad88 in framework::LoadDispatcher::impl_dispatch (this=0x13fa020, rURL=..., lArguments=uno::Sequence of length 4 = {...}, 
    xListener=empty uno::Reference) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/framework/source/dispatch/loaddispatcher.cxx:115
#21 0x00007fffdb14bbb8 in framework::LoadDispatcher::dispatchWithReturnValue (this=<optimized out>, rURL=..., lArguments=...)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/framework/source/dispatch/loaddispatcher.cxx:62
#22 0x00007ffff589f707 in comphelper::SynchronousDispatch::dispatch (xStartPoint=uno::Reference to (com::sun::star::uno::XInterface *) 0x653600, 
    sURL="⋠\xdb23翿\000⌠\xdb23翿\000Ḑ\xdb23翿\000᭰\xdb23翿\000ᅰ\xdb23翿\000\x20c0\xdb23翿\000\xffd0\xffff\xffff\xffff劀\xdb59翿\000⏠\xdb23翿\000⌀\xdb23翿\000⍀\xdb23翿\000\xc80\xdb23翿\000ಠ\xdb23翿\000≠\xdb23翿\000\000\000\000\000႐翿\000쌠\xdb31翿\000䔀\xdb58翿", '\000' <repeats 13 times>, "ᆐ翿\000쎀\xdb31翿\000\001\000\004\000樐翿\000\002\000\000\000䖀\xdb58翿\000 \000\000\000吐\xdb59翿\000⠂\000\000\000奀\xdb58翿\000。", '\000' <repeats 27 times>, "吐\xdb59翿\000⚰翿\000⚰翿\000⚰翿\000⚰翿\000⚰翿\000⚰翿\000⚰翿", '\000' <repeats 17 times>..., 
Python Exception <type 'exceptions.TypeError'> 'NoneType' object is not iterable: 
    sTarget="벀\xdb14翿\000뱀\xdb14翿\000밀\xdb14翿\000\000\000\000\000႐翿\000嫀\xdb31翿\000䕠\xdb58翿", '\000' <repeats 29 times>, "ᆐ翿\000嬀\xdb31翿\000\001\000\004\000樐翿\000\002\000\000\000䖀\xdb58翿\000 \000\000\000窠\xdb58翿\000⠂\000\000\000记\xdb58翿\000。\000\000\000\000\000\000\000႐翿\000孠\xdb31翿\000谀\xdb58翿\000\000\000\000\000\000\000\000\000记\xdb58翿\000⚰翿\000⚰翿\000⚰翿\000⚰翿\000⚰翿\000\000\000\000\000\000\000\000\000谀\xdb58翿\000튰\xdb14翿\000퉰\xdb14翿\000툰\xdb14翿\000Ṱ翿\000\000\000\000\000\000\000\000\000푀\xdb14翿\000폐\xdb14翿\000￠\xffff\xffff\xffff谀\xdb58翿\000"..., nFlags=-141515144, nFlags@entry=0, lArguments=uninitialized uno::Sequence)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/comphelper/source/misc/synchronousdispatch.cxx:69
---Type <return> to continue, or q <return> to quit---
#23 0x00007ffff7944ea4 in desktop::DispatchWatcher::executeDispatchRequests (this=0x12fa550, 
    aDispatchRequestsList=std::vector of length 1, capacity 1 = {...}, bNoTerminate=<optimized out>)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/dispatchwatcher.cxx:448
#24 0x00007ffff794ffe0 in desktop::OfficeIPCThread::ExecuteCmdLineRequests (aRequest=...)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/officeipcthread.cxx:1062
#25 0x00007ffff792da82 in desktop::Desktop::OpenClients () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/app.cxx:2400
#26 0x00007ffff792e810 in desktop::Desktop::OpenClients_Impl (this=0x7fffffffe190)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/app.cxx:1931
#27 0x00007ffff2307d42 in Call (pCaller=<optimized out>, this=<optimized out>)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/include/tools/link.hxx:139
#28 ImplHandleUserEvent (pSVEvent=<optimized out>) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/window/winproc.cxx:1920
#29 ImplWindowFrameProc (pWindow=0x12ec4c8, nEvent=0, pEvent=0x12ec4b0)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/window/winproc.cxx:2491
#30 0x00007ffff2580a11 in CallCallback (pEvent=0x12ec4b0, nEvent=22, this=0x12e4aa0)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/inc/salframe.hxx:249
#31 SalGenericDisplay::DispatchInternalEvent (this=this@entry=0x650a40) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/generic/app/gendisp.cxx:90
#32 0x00007fffe2babc34 in SalX11Display::Yield (this=0x650a40) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/unx/generic/app/saldisp.cxx:1881
#33 0x00007fffe2baba35 in DisplayYield (fd=<optimized out>, pDisplay=0x650a40)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/unx/generic/app/saldisp.cxx:388
#34 0x00007fffe2bab12b in HandleNextEvent (this=0x7fffe2e15f90 <yieldTable+336>)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/unx/generic/app/saldata.cxx:583
#35 SalXLib::Yield (this=0x637bb0, bWait=<optimized out>, bHandleAllCurrentEvents=false)
    at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/unx/generic/app/saldata.cxx:675
#36 0x00007ffff250a78e in ImplYield (i_bAllEvents=false, i_bWait=true) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/app/svapp.cxx:360
#37 Application::Yield () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/app/svapp.cxx:392
#38 0x00007ffff250a825 in Application::Execute () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/app/svapp.cxx:341
#39 0x00007ffff792fb32 in desktop::Desktop::Main (this=0x7fffffffe190) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/app.cxx:1638
#40 0x00007ffff250f4b2 in ImplSVMain () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/app/svmain.cxx:163
#41 0x00007ffff250f4e2 in SVMain () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/vcl/source/app/svmain.cxx:196
#42 0x00007ffff7953c92 in soffice_main () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/sofficemain.cxx:101
#43 0x000000000040071b in sal_main () at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/main.c:48
#44 main (argc=<optimized out>, argv=<optimized out>) at /build/libreoffice-4O4Jab/libreoffice-4.4.0~beta2/desktop/source/app/main.c:47


[2]
==32403== Invalid write of size 2
==32403==    at 0xCF7D544: resolveImplicitLevels (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0xCF7DDE5: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32403==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32403==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32403==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32403==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32403==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32403==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32403==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32403==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
==32403==    by 0x28037A62: ImportExcel8::Read() (read.cxx:1183)
==32403==  Address 0x1f6d9d1c is 4 bytes after a block of size 152 alloc'd
==32403==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==32403==    by 0xCF7AC3F: ubidi_getMemory_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0xCF7E05D: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32403==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32403==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32403==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32403==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32403==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32403==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32403==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32403==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
==32403== 
==32403== (action on error) vgdb me ... 
==32403== Continuing ...
==32403== Invalid write of size 4
==32403==    at 0xCF7D549: resolveImplicitLevels (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0xCF7DDE5: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32403==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32403==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32403==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32403==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32403==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32403==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32403==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32403==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
==32403==    by 0x28037A62: ImportExcel8::Read() (read.cxx:1183)
==32403==  Address 0x1f6d9d18 is 0 bytes after a block of size 152 alloc'd
==32403==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==32403==    by 0xCF7AC3F: ubidi_getMemory_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0xCF7E05D: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32403==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32403==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32403==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32403==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32403==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32403==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32403==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32403==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
==32403== 
==32403== (action on error) vgdb me ... 
==32403== Continuing ...
==32403== Invalid write of size 2
==32403==    at 0xCF7D54B: resolveImplicitLevels (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0xCF7DDE5: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32403==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32403==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32403==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32403==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32403==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32403==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32403==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32403==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
==32403==    by 0x28037A62: ImportExcel8::Read() (read.cxx:1183)
==32403==  Address 0x1f6d9d1e is 6 bytes after a block of size 152 alloc'd
==32403==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==32403==    by 0xCF7AC3F: ubidi_getMemory_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0xCF7E05D: ubidi_setPara_52 (in /usr/lib/x86_64-linux-gnu/libicuuc.so.52.1)
==32403==    by 0x24826833: ImpEditEngine::InitWritingDirections(int) (impedit2.cxx:1895)
==32403==    by 0x24829AD5: ImpEditEngine::InitScriptTypes(int) (impedit2.cxx:1685)
==32403==    by 0x2482C38C: ImpEditEngine::GetItemScriptType(EditSelection const&) const (impedit2.cxx:1788)
==32403==    by 0x248483A6: ImpEditEngine::CreateTextObject(EditSelection, SfxItemPool*, bool, int) (impedit4.cxx:1044)
==32403==    by 0x248485C9: ImpEditEngine::CreateTextObject(EditSelection) (impedit4.cxx:1019)
==32403==    by 0x24848674: ImpEditEngine::CreateTextObject() (impedit4.cxx:1014)
==32403==    by 0x28128E14: (anonymous namespace)::lclCreateTextObject(XclImpRoot const&, XclImpString const&, XclFontItemType, unsigned short) [clone .constprop.74] (xihelper.cxx:209)
==32403==    by 0x28128ECC: XclImpStringHelper::SetToDocument(ScDocumentImport&, ScAddress const&, XclImpRoot const&, XclImpString const&, unsigned short) (xihelper.cxx:230)
==32403==    by 0x28014031: ImportExcel8::Labelsst() (excimp8.cxx:307)
