GNOME Bugzilla – Bug 519761
Invalid reads during import
Last modified: 2008-03-01 17:40:41 UTC
Version: r16427
OS: Ubuntu Gutsy

The upcoming sample is a fuzzed version of test-financial.gnumeric.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash

Valgrind output:

==16649== Invalid read of size 1
==16649==    at 0x40A4ED6: gnm_expr_top_ref (expr.c:2638)
==16649==    by 0x407AF7F: cell_set_expr_internal (cell.c:207)
==16649==    by 0x407B0D7: gnm_cell_set_expr (cell.c:259)
==16649==    by 0x4174D7B: xml_sax_cell_content (xml-sax-read.c:1846)
==16649==    by 0x5011BD0: gsf_xml_in_end_element (gsf-libxml.c:677)
==16649==    by 0x50D6BD3: xmlParseElement (parser.c:8601)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==  Address 0x8FB9288 is 0 bytes inside a block of size 12 free'd
==16649==    at 0x402237F: free (vg_replace_malloc.c:233)
==16649==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==16649==    by 0x40A4F91: gnm_expr_top_unref (expr.c:2652)
==16649==    by 0x407AB96: gnm_cell_cleanout (cell.c:56)
==16649==    by 0x407AE6C: gnm_cell_set_value (cell.c:157)
==16649==    by 0x4174C01: xml_sax_cell_content (xml-sax-read.c:1810)
==16649==    by 0x5011BD0: gsf_xml_in_end_element (gsf-libxml.c:677)
==16649==    by 0x50C86B7: xmlParseEndTag1 (parser.c:7332)
==16649==    by 0x50D6B88: xmlParseElement (parser.c:8675)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)

** (lt-gnumeric:16649): CRITICAL **: gnm_expr_top_ref: assertion `IS_GNM_EXPR_TOP (texpr)' failed

==16649==
==16649== Invalid read of size 4
==16649==    at 0x409B167: dependent_link (dependent.c:1324)
==16649==    by 0x407B0E2: gnm_cell_set_expr (cell.c:260)
==16649==    by 0x4174D7B: xml_sax_cell_content (xml-sax-read.c:1846)
==16649==    by 0x5011BD0: gsf_xml_in_end_element (gsf-libxml.c:677)
==16649==    by 0x50D6BD3: xmlParseElement (parser.c:8601)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==  Address 0x8FB9290 is 8 bytes inside a block of size 12 free'd
==16649==    at 0x402237F: free (vg_replace_malloc.c:233)
==16649==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==16649==    by 0x40A4F91: gnm_expr_top_unref (expr.c:2652)
==16649==    by 0x407AB96: gnm_cell_cleanout (cell.c:56)
==16649==    by 0x407AE6C: gnm_cell_set_value (cell.c:157)
==16649==    by 0x4174C01: xml_sax_cell_content (xml-sax-read.c:1810)
==16649==    by 0x5011BD0: gsf_xml_in_end_element (gsf-libxml.c:677)
==16649==    by 0x50C86B7: xmlParseEndTag1 (parser.c:7332)
==16649==    by 0x50D6B88: xmlParseElement (parser.c:8675)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)
==16649==    by 0x50D6ACD: xmlParseElement (parser.c:8649)
==16649==    by 0x50D294D: xmlParseContent (parser.c:8479)

** ERROR **: file dependent.c: line 1103 (link_expr_dep): should not be reached
aborting...
Aborted (core dumped)
Created attachment 106335: fuzzed test-financial.gnumeric
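As an added illustration, not Gnumeric's code and not the fix that was committed for this bug, the constructed C model below reproduces the ordering the trace shows: the importer's value write (gnm_cell_set_value via gnm_cell_cleanout in the trace) releases the cell's only reference to its expression, and the subsequent expression write (gnm_cell_set_expr) takes a reference through the now-freed pointer. The fixed variant holds an importer-side reference across the value write; all names and the quarantine-style "free" are assumptions of the model.

```c
#include <stdlib.h>
/* Constructed model, not Gnumeric code: a refcounted expression owned by a cell,
 * plus an importer that keeps a borrowed, non-owning pointer to it.  Dropping the
 * last reference poisons the object instead of calling free() (a debug quarantine),
 * so the stale use is observable without undefined behaviour. */
#define EXPR_DEAD (-1)
typedef struct { int refcount; } Expr;
typedef struct { Expr *expr; double value; } Cell;
static Expr *expr_new(void) { Expr *e = malloc(sizeof *e); e->refcount = 1; return e; }
/* NULL on a dead object: the model's equivalent of the failed IS_GNM_EXPR_TOP check. */
static Expr *expr_ref(Expr *e) {
    if (e == NULL || e->refcount == EXPR_DEAD) return NULL;
    e->refcount++;
    return e;
}
static void expr_unref(Expr *e) { if (e != NULL && --e->refcount == 0) e->refcount = EXPR_DEAD; }
/* Writing a value drops the cell's expression, as gnm_cell_cleanout does in the trace. */
static void cell_set_value(Cell *c, double v) { expr_unref(c->expr); c->expr = NULL; c->value = v; }
static int cell_set_expr(Cell *c, Expr *e) {
    Expr *held = expr_ref(e);                /* the read Valgrind flagged */
    if (held == NULL) return -1;
    cell_set_value(c, 0.0);
    c->expr = held;
    return 0;
}
/* Buggy order: the value write releases the only reference before the borrowed
 * pointer is used.  Fixed order: the importer holds its own reference meanwhile. */
static int import_cell_buggy(Cell *c, Expr *borrowed, double v) {
    cell_set_value(c, v);
    return cell_set_expr(c, borrowed);
}
static int import_cell_fixed(Cell *c, Expr *borrowed, double v) {
    Expr *mine = expr_ref(borrowed);
    if (mine == NULL) return -1;
    cell_set_value(c, v);
    int rc = cell_set_expr(c, mine);
    expr_unref(mine);
    return rc;
}
/* Imports a cell that already owns the only reference to its expression.
 * Returns -1 if a dead object was touched, 1 if the cell ends up with a live expression. */
static int run_import(int use_fixed) {
    Cell c = { expr_new(), 0.0 };              /* constructed sample cell */
    Expr *borrowed = c.expr;                   /* importer's non-owning pointer */
    int rc = use_fixed ? import_cell_fixed(&c, borrowed, 42.0)
                       : import_cell_buggy(&c, borrowed, 42.0);
    int alive = (c.expr != NULL && c.expr->refcount == 1);
    expr_unref(c.expr);
    return rc < 0 ? -1 : alive;
}
```

Dead objects stay quarantined rather than being reused, which is the same effect a Valgrind run or a poisoning allocator gives: the stale reference is reported at the first use instead of silently reading reused memory.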
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.