After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 514637 - Invalid read in excel_parse_formula1()
Invalid read in excel_parse_formula1()
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other All
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2008-02-05 22:56 UTC by sum1
Modified: 2008-02-07 23:29 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
fuzzed finfuns.xls (40.00 KB, application/vnd.ms-excel)
2008-02-05 22:57 UTC, sum1 		Details

Description sum1 2008-02-05 22:56:06 UTC 
Version: r16354
OS: Ubuntu Gutsy

The upcoming sample is a fuzzed version of finfuns.xls.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash

Valgrind output:

==13506== Invalid read of size 1
==13506==    at 0x7133B4A: excel_parse_formula1 (ms-formula-read.c:1278)
==13506==    by 0x713512D: excel_parse_formula (ms-formula-read.c:1693)
==13506==    by 0x7112283: excel_read_FORMULA (ms-excel-read.c:2596)
==13506==    by 0x711E0B4: excel_read_sheet (ms-excel-read.c:6054)
==13506==    by 0x711F136: excel_read_BOF (ms-excel-read.c:6464)
==13506==    by 0x711F814: excel_read_workbook (ms-excel-read.c:6532)
==13506==    by 0x7103888: excel_file_open (boot.c:191)
==13506==    by 0x45CC445: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==13506==    by 0x45CDEC7: go_plugin_file_opener_open (go-plugin-service.c:476)
==13506==    by 0x45D0817: go_file_opener_open (file.c:294)
==13506==    by 0x414FFC2: wb_view_new_from_input (workbook-view.c:1212)
==13506==    by 0x415016D: wb_view_new_from_uri (workbook-view.c:1264)
==13506==  Address 0x4047CC55 is not stack'd, malloc'd or (recently) free'd
==13506== 
==13506== Process terminating with default action of signal 11 (SIGSEGV)
==13506==  Access not within mapped region at address 0x4047CC55
==13506==    at 0x7133B4A: excel_parse_formula1 (ms-formula-read.c:1278)
==13506==    by 0x713512D: excel_parse_formula (ms-formula-read.c:1693)
==13506==    by 0x7112283: excel_read_FORMULA (ms-excel-read.c:2596)
==13506==    by 0x711E0B4: excel_read_sheet (ms-excel-read.c:6054)
==13506==    by 0x711F136: excel_read_BOF (ms-excel-read.c:6464)
==13506==    by 0x711F814: excel_read_workbook (ms-excel-read.c:6532)
==13506==    by 0x7103888: excel_file_open (boot.c:191)
==13506==    by 0x45CC445: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==13506==    by 0x45CDEC7: go_plugin_file_opener_open (go-plugin-service.c:476)
==13506==    by 0x45D0817: go_file_opener_open (file.c:294)
==13506==    by 0x414FFC2: wb_view_new_from_input (workbook-view.c:1212)
==13506==    by 0x415016D: wb_view_new_from_uri (workbook-view.c:1264)


Backtrace:

Program received signal SIGSEGV, Segmentation fault.

+ Trace 188219

Thread NaN (LWP 13402)

  • #0 excel_parse_formula1
    at ms-formula-read.c line 1278
  • #1 excel_parse_formula
    at ms-formula-read.c line 1693
  • #2 excel_read_FORMULA
    at ms-excel-read.c line 2596
  • #3 excel_read_sheet
    at ms-excel-read.c line 6054
  • #4 excel_read_BOF
    at ms-excel-read.c line 6464
  • #5 excel_read_workbook
    at ms-excel-read.c line 6532
  • #6 excel_file_open
    at boot.c line 191
  • #7 go_plugin_loader_module_func_file_open
    at go-plugin-loader-module.c line 239
  • #8 go_plugin_file_opener_open
    at go-plugin-service.c line 476
  • #9 go_file_opener_open
    at file.c line 294
  • #10 wb_view_new_from_input
    at workbook-view.c line 1212
  • #11 wb_view_new_from_uri
  • #12 main
    at main-application.c line 417 






Comment 1


sum1





          2008-02-05 22:57:11 UTC
        



Created attachment 104522 [details]
fuzzed finfuns.xls






Comment 2


Morten Welinder





          2008-02-07 18:38:42 UTC
        



Patch in hand.







Comment 3


Morten Welinder





          2008-02-07 23:29:06 UTC
        



This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.