Bug 517141 – Valgrind errors in mps_parse_rows()

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 517141 - Valgrind errors in mps_parse_rows()


Summary:	Valgrind errors in mps_parse_rows()


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export other
Version:	git master
Hardware:	Other All

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Morten Welinder
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2008-02-18 06:01 UTC by sum1
Modified:	2008-02-18 15:25 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
fuzzed blend.mps (16.78 KB, application/x-mps) 2008-02-18 06:03 UTC, sum1	Details

Description sum1 2008-02-18 06:01:27 UTC

Version: r16376
OS: Ubuntu Gutsy

The upcoming sample is a fuzzed version of blend.mps.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash

Backtrace:

Program received signal SIGSEGV, Segmentation fault.

+ Trace 189551

Thread NaN (LWP 10066)

#2 mps_parse_rows
at parser.c line 305
#0 g_str_hash
from /usr/lib/libglib-2.0.so.0
#1 g_hash_table_insert
from /usr/lib/libglib-2.0.so.0
#2 mps_parse_rows
at parser.c line 305
#3 mps_parse_file
at parser.c line 550
#4 mps_file_open
at mps.c line 633
#5 go_plugin_loader_module_func_file_open
at go-plugin-loader-module.c line 239
#6 go_plugin_file_opener_open
at go-plugin-service.c line 476
#7 go_file_opener_open
at file.c line 294
#8 wb_view_new_from_input
at workbook-view.c line 1212
#9 wb_view_new_from_uri
at workbook-view.c line 1264
#10 main
at main-application.c line 417



Valgrind output:

==9969== Use of uninitialised value of size 4
==9969==    at 0x6EEFB3D: mps_parse_rows (parser.c:305)
==9969==    by 0x6EF0530: mps_parse_file (parser.c:550)
==9969==    by 0x6EEF0E5: mps_file_open (mps.c:633)
==9969==    by 0x45CC445: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==9969==    by 0x45CDEC7: go_plugin_file_opener_open (go-plugin-service.c:476)
==9969==    by 0x45D0817: go_file_opener_open (file.c:294)
==9969==    by 0x414FFC2: wb_view_new_from_input (workbook-view.c:1212)
==9969==    by 0x415016D: wb_view_new_from_uri (workbook-view.c:1264)
==9969==    by 0x804C23A: main (main-application.c:417)
==9969== 
==9969== Invalid read of size 4
==9969==    at 0x6EEFB3D: mps_parse_rows (parser.c:305)
==9969==    by 0x6EF0530: mps_parse_file (parser.c:550)
==9969==    by 0x6EEF0E5: mps_file_open (mps.c:633)
==9969==    by 0x45CC445: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==9969==    by 0x45CDEC7: go_plugin_file_opener_open (go-plugin-service.c:476)
==9969==    by 0x45D0817: go_file_opener_open (file.c:294)
==9969==    by 0x414FFC2: wb_view_new_from_input (workbook-view.c:1212)
==9969==    by 0x415016D: wb_view_new_from_uri (workbook-view.c:1264)
==9969==    by 0x804C23A: main (main-application.c:417)
==9969==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==9969== 
==9969== Process terminating with default action of signal 11 (SIGSEGV)
==9969==  Access not within mapped region at address 0x4
==9969==    at 0x6EEFB3D: mps_parse_rows (parser.c:305)
==9969==    by 0x6EF0530: mps_parse_file (parser.c:550)
==9969==    by 0x6EEF0E5: mps_file_open (mps.c:633)
==9969==    by 0x45CC445: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==9969==    by 0x45CDEC7: go_plugin_file_opener_open (go-plugin-service.c:476)
==9969==    by 0x45D0817: go_file_opener_open (file.c:294)
==9969==    by 0x414FFC2: wb_view_new_from_input (workbook-view.c:1212)
==9969==    by 0x415016D: wb_view_new_from_uri (workbook-view.c:1264)
==9969==    by 0x804C23A: main (main-application.c:417)
Segmentation fault (core dumped)

Comment 1 sum1 2008-02-18 06:03:47 UTC

Created attachment 105478 [details]
fuzzed blend.mps

Comment 2 Morten Welinder 2008-02-18 15:25:11 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.