Bug 537625 - Invalid reads in build_xf_data()
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other All
Importance: Normal normal
Assigned To: Jody Goldberg
Reported: 2008-06-10 16:22 UTC by sum1
Modified: 2008-06-12 20:17 UTC
Attachments
tsv file (87 bytes, text/plain), 2008-06-10 16:28 UTC, sum1
Tentative patch (1.75 KB, patch), 2008-06-11 18:49 UTC, Morten Welinder

Description sum1 2008-06-10 16:22:47 UTC
Version: r16618
OS: Ubuntu Hardy

Steps to reproduce:
- ssconvert attachment.tsv /tmp/foo.xls


Valgrind output:

Using exporter Gnumeric_Excel:excel_dsf
==25455== Invalid read of size 4
==25455==    at 0x7DE69FF: build_xf_data (ms-excel-write.c:2728)
==25455==    by 0x7DE78EC: excel_write_XFs (ms-excel-write.c:3049)
==25455==    by 0x7DF0170: excel_write_workbook (ms-excel-write.c:5582)
==25455==    by 0x7DF09D3: excel_write_v7 (ms-excel-write.c:5714)
==25455==    by 0x7DC3E98: excel_save (boot.c:254)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455==    by 0x45D1BD3: go_plugin_file_saver_save (go-plugin-service.c:749)
==25455==    by 0x45D4BBE: go_file_saver_save (file.c:700)
==25455==    by 0x414F4A7: wbv_save_to_output (workbook-view.c:846)
==25455==    by 0x414F656: wbv_save_to_uri (workbook-view.c:883)
==25455==    by 0x414F874: wb_view_save_as (workbook-view.c:919)
==25455==  Address 0x7d937f8 is 0 bytes inside a block of size 8 free'd
==25455==    at 0x402265C: free (vg_replace_malloc.c:323)
==25455==    by 0x475D8B0: g_free (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x7DCACBE: two_way_table_put (ms-excel-util.c:131)
==25455==    by 0x7DE63EA: cb_cell_pre_pass (ms-excel-write.c:2509)
==25455==    by 0x4748632: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x4105EED: sheet_cell_foreach (sheet.c:3085)
==25455==    by 0x7DE64CA: gather_styles (ms-excel-write.c:2536)
==25455==    by 0x7DEDF9B: pre_pass (ms-excel-write.c:5058)
==25455==    by 0x7DF13B7: excel_write_state_new (ms-excel-write.c:5914)
==25455==    by 0x7DC3DBD: excel_save (boot.c:241)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455== 
==25455== Invalid read of size 4
==25455==    at 0x7DE6AC1: build_xf_data (ms-excel-write.c:2744)
==25455==    by 0x7DE78EC: excel_write_XFs (ms-excel-write.c:3049)
==25455==    by 0x7DF0170: excel_write_workbook (ms-excel-write.c:5582)
==25455==    by 0x7DF09D3: excel_write_v7 (ms-excel-write.c:5714)
==25455==    by 0x7DC3E98: excel_save (boot.c:254)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455==    by 0x45D1BD3: go_plugin_file_saver_save (go-plugin-service.c:749)
==25455==    by 0x45D4BBE: go_file_saver_save (file.c:700)
==25455==    by 0x414F4A7: wbv_save_to_output (workbook-view.c:846)
==25455==    by 0x414F656: wbv_save_to_uri (workbook-view.c:883)
==25455==    by 0x414F874: wb_view_save_as (workbook-view.c:919)
==25455==  Address 0x7d937fc is 4 bytes inside a block of size 8 free'd
==25455==    at 0x402265C: free (vg_replace_malloc.c:323)
==25455==    by 0x475D8B0: g_free (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x7DCACBE: two_way_table_put (ms-excel-util.c:131)
==25455==    by 0x7DE63EA: cb_cell_pre_pass (ms-excel-write.c:2509)
==25455==    by 0x4748632: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x4105EED: sheet_cell_foreach (sheet.c:3085)
==25455==    by 0x7DE64CA: gather_styles (ms-excel-write.c:2536)
==25455==    by 0x7DEDF9B: pre_pass (ms-excel-write.c:5058)
==25455==    by 0x7DF13B7: excel_write_state_new (ms-excel-write.c:5914)
==25455==    by 0x7DC3DBD: excel_save (boot.c:241)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455== 
==25455== Invalid read of size 4
==25455==    at 0x7DE69FF: build_xf_data (ms-excel-write.c:2728)
==25455==    by 0x7DE78EC: excel_write_XFs (ms-excel-write.c:3049)
==25455==    by 0x7DF0170: excel_write_workbook (ms-excel-write.c:5582)
==25455==    by 0x7DF0B1F: excel_write_v8 (ms-excel-write.c:5734)
==25455==    by 0x7DC3EB0: excel_save (boot.c:256)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455==    by 0x45D1BD3: go_plugin_file_saver_save (go-plugin-service.c:749)
==25455==    by 0x45D4BBE: go_file_saver_save (file.c:700)
==25455==    by 0x414F4A7: wbv_save_to_output (workbook-view.c:846)
==25455==    by 0x414F656: wbv_save_to_uri (workbook-view.c:883)
==25455==    by 0x414F874: wb_view_save_as (workbook-view.c:919)
==25455==  Address 0x7d937f8 is 0 bytes inside a block of size 8 free'd
==25455==    at 0x402265C: free (vg_replace_malloc.c:323)
==25455==    by 0x475D8B0: g_free (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x7DCACBE: two_way_table_put (ms-excel-util.c:131)
==25455==    by 0x7DE63EA: cb_cell_pre_pass (ms-excel-write.c:2509)
==25455==    by 0x4748632: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x4105EED: sheet_cell_foreach (sheet.c:3085)
==25455==    by 0x7DE64CA: gather_styles (ms-excel-write.c:2536)
==25455==    by 0x7DEDF9B: pre_pass (ms-excel-write.c:5058)
==25455==    by 0x7DF13B7: excel_write_state_new (ms-excel-write.c:5914)
==25455==    by 0x7DC3DBD: excel_save (boot.c:241)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455== 
==25455== Invalid read of size 4
==25455==    at 0x7DE6AC1: build_xf_data (ms-excel-write.c:2744)
==25455==    by 0x7DE78EC: excel_write_XFs (ms-excel-write.c:3049)
==25455==    by 0x7DF0170: excel_write_workbook (ms-excel-write.c:5582)
==25455==    by 0x7DF0B1F: excel_write_v8 (ms-excel-write.c:5734)
==25455==    by 0x7DC3EB0: excel_save (boot.c:256)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
==25455==    by 0x45D1BD3: go_plugin_file_saver_save (go-plugin-service.c:749)
==25455==    by 0x45D4BBE: go_file_saver_save (file.c:700)
==25455==    by 0x414F4A7: wbv_save_to_output (workbook-view.c:846)
==25455==    by 0x414F656: wbv_save_to_uri (workbook-view.c:883)
==25455==    by 0x414F874: wb_view_save_as (workbook-view.c:919)
==25455==  Address 0x7d937fc is 4 bytes inside a block of size 8 free'd
==25455==    at 0x402265C: free (vg_replace_malloc.c:323)
==25455==    by 0x475D8B0: g_free (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x7DCACBE: two_way_table_put (ms-excel-util.c:131)
==25455==    by 0x7DE63EA: cb_cell_pre_pass (ms-excel-write.c:2509)
==25455==    by 0x4748632: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1600.3)
==25455==    by 0x4105EED: sheet_cell_foreach (sheet.c:3085)
==25455==    by 0x7DE64CA: gather_styles (ms-excel-write.c:2536)
==25455==    by 0x7DEDF9B: pre_pass (ms-excel-write.c:5058)
==25455==    by 0x7DF13B7: excel_write_state_new (ms-excel-write.c:5914)
==25455==    by 0x7DC3DBD: excel_save (boot.c:241)
==25455==    by 0x7DC409F: excel_dsf_file_save (boot.c:291)
==25455==    by 0x45CFB75: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:323)
Comment 1 sum1 2008-06-10 16:28:54 UTC
Created attachment 112483
tsv file
Comment 2 Morten Welinder 2008-06-11 18:39:26 UTC
This is HEAD only and triggered by the recent fix to make sure we export
strings that look like expressions or values with a single quote.

The problem appears to be in two_way_table_put which does...


...
		} else if (table->key_destroy_func)
			(table->key_destroy_func) (key);
		g_ptr_array_add (table->idx_to_key, key);
...

i.e., we add an invalid (==freed) key to the table.
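
The pattern described in comment 2, reduced to a self-contained sketch (an added example, not part of the original comments and not Gnumeric's code or its actual patch). The `Key`/`Table` types, the `live` flag standing in for `g_free()`, the sample key strings and the `put_fixed` correction are all assumptions made for illustration; the flag lets the dangling slot be counted without invoking undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a two-way table; live == 0 stands in for "freed". */
typedef struct { char text[16]; int live; } Key;
typedef struct {
    Key *idx_to_key[8];
    size_t len;
    void (*key_destroy_func)(Key *);
} Table;

static void key_destroy(Key *k) { k->live = 0; } /* real code would free here */

static Key *lookup(const Table *t, const Key *key) {
    for (size_t i = 0; i < t->len; i++)
        if (t->idx_to_key[i]->live && strcmp(t->idx_to_key[i]->text, key->text) == 0)
            return t->idx_to_key[i];
    return NULL;
}

/* Shape of the bug: a duplicate key is destroyed, then stored anyway. */
static void put_buggy(Table *t, Key *key) {
    if (lookup(t, key) && t->key_destroy_func)
        t->key_destroy_func(key);
    t->idx_to_key[t->len++] = key;       /* dangling when the key was a duplicate */
}

/* One possible correction (assumption): store the key the table already owns. */
static void put_fixed(Table *t, Key *key) {
    Key *found = lookup(t, key);
    if (found && found != key && t->key_destroy_func) {
        t->key_destroy_func(key);
        key = found;                     /* never keep the destroyed pointer */
    }
    t->idx_to_key[t->len++] = key;
}

/* Slots a later pass over idx_to_key would read after the key was destroyed. */
static size_t run(void (*put)(Table *, Key *)) {
    Key a = {"xf-1", 1}, b = {"xf-1", 1}, c = {"xf-2", 1}; /* constructed keys */
    Table t = { {0}, 0, key_destroy };
    size_t dangling = 0;
    put(&t, &a); put(&t, &b); put(&t, &c);
    for (size_t i = 0; i < t.len; i++)
        if (!t.idx_to_key[i]->live) dangling++;
    return dangling;
}

int main(void) {
    printf("buggy: %zu dangling, fixed: %zu dangling\n", run(put_buggy), run(put_fixed));
    return 0;
}
```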
Comment 3 Morten Welinder 2008-06-11 18:49:55 UTC
Created attachment 112569
Tentative patch
Comment 4 Morten Welinder 2008-06-12 20:17:23 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.