Bug 540697 - Crash in xl_chart_import_error_bar()
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other
OS: All
Importance (priority, severity): Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2008-06-28 22:57 UTC by sum1
Modified: 2008-06-29 13:15 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
fuzzed chart-tests-excel.xls (173.50 KB, application/vnd.ms-excel)
2008-06-28 22:59 UTC, sum1

Description sum1 2008-06-28 22:57:54 UTC
Version: r16680
OS: Ubuntu Hardy

The upcoming sample is a fuzzed version of chart-tests-excel.xls.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash


Valgrind output:

==20443== Invalid read of size 4
==20443==    at 0x7E3F30A: xl_chart_import_error_bar (ms-chart.c:3234)
==20443==    by 0x7E406C6: ms_excel_chart_read (ms-chart.c:3609)
==20443==    by 0x7E40C49: ms_excel_chart_read_BOF (ms-chart.c:3726)
==20443==    by 0x7E35977: ms_read_OBJ (ms-obj.c:1276)
==20443==    by 0x7E04BAE: ms_escher_read_ClientData (ms-escher.c:1993)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E02D27: ms_escher_read_SpContainer (ms-escher.c:507)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E047D4: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E047FE: ms_escher_read_DgContainer (ms-escher.c:1938)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==  Address 0x57d2e10 is 0 bytes after a block of size 64 alloc'd
==20443==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)
==20443==    by 0x4022BFC: realloc (vg_replace_malloc.c:429)
==20443==    by 0x4CCC904: g_realloc (gmem.c:170)
==20443==    by 0x4C9EAE7: g_ptr_array_maybe_expand (garray.c:414)
==20443==    by 0x4C9EB49: g_ptr_array_add (garray.c:576)
==20443==    by 0x7E3B056: xl_chart_read_series (ms-chart.c:1939)
==20443==    by 0x7E401E7: ms_excel_chart_read (ms-chart.c:3507)
==20443==    by 0x7E40C49: ms_excel_chart_read_BOF (ms-chart.c:3726)
==20443==    by 0x7E35977: ms_read_OBJ (ms-obj.c:1276)
==20443==    by 0x7E04BAE: ms_escher_read_ClientData (ms-escher.c:1993)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E02D27: ms_escher_read_SpContainer (ms-escher.c:507)
==20443== 
==20443== Invalid read of size 4
==20443==    at 0x7E3F33D: xl_chart_import_error_bar (ms-chart.c:3242)
==20443==    by 0x7E406C6: ms_excel_chart_read (ms-chart.c:3609)
==20443==    by 0x7E40C49: ms_excel_chart_read_BOF (ms-chart.c:3726)
==20443==    by 0x7E35977: ms_read_OBJ (ms-obj.c:1276)
==20443==    by 0x7E04BAE: ms_escher_read_ClientData (ms-escher.c:1993)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E02D27: ms_escher_read_SpContainer (ms-escher.c:507)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E047D4: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E047FE: ms_escher_read_DgContainer (ms-escher.c:1938)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==20443== 
==20443== Process terminating with default action of signal 11 (SIGSEGV)
==20443==  Access not within mapped region at address 0x40
==20443==    at 0x7E3F33D: xl_chart_import_error_bar (ms-chart.c:3242)
==20443==    by 0x7E406C6: ms_excel_chart_read (ms-chart.c:3609)
==20443==    by 0x7E40C49: ms_excel_chart_read_BOF (ms-chart.c:3726)
==20443==    by 0x7E35977: ms_read_OBJ (ms-obj.c:1276)
==20443==    by 0x7E04BAE: ms_escher_read_ClientData (ms-escher.c:1993)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E02D27: ms_escher_read_SpContainer (ms-escher.c:507)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E047D4: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)
==20443==    by 0x7E047FE: ms_escher_read_DgContainer (ms-escher.c:1938)
==20443==    by 0x7E0516D: ms_escher_read_container (ms-escher.c:2099)


Backtrace:

Program received signal SIGSEGV, Segmentation fault.

Thread 3061226080 (LWP 20436)

  • #0 xl_chart_import_error_bar
    at ms-chart.c line 3242
  • #1 ms_excel_chart_read
    at ms-chart.c line 3609
  • #2 ms_excel_chart_read_BOF
    at ms-chart.c line 3726
  • #3 ms_read_OBJ
    at ms-obj.c line 1276
  • #4 ms_escher_read_ClientData
    at ms-escher.c line 1993
  • #5 ms_escher_read_container
    at ms-escher.c line 2099
  • #6 ms_escher_read_SpContainer
    at ms-escher.c line 507
  • #7 ms_escher_read_container
    at ms-escher.c line 2099
  • #8 ms_escher_read_SpgrContainer
    at ms-escher.c line 1933
  • #9 ms_escher_read_container
    at ms-escher.c line 2099
  • #10 ms_escher_read_DgContainer
    at ms-escher.c line 1938
  • #11 ms_escher_read_container
    at ms-escher.c line 2099
  • #12 ms_escher_parse
    at ms-escher.c line 2166
  • #13 excel_read_sheet
    at ms-excel-read.c line 6233
  • #14 excel_read_BOF
    at ms-excel-read.c line 6516
  • #15 excel_read_workbook
    at ms-excel-read.c line 6599
  • #16 excel_file_open
    at boot.c line 191
  • #17 go_plugin_loader_module_func_file_open
    at go-plugin-loader-module.c line 239
  • #18 go_plugin_file_opener_open
  • #19 go_file_opener_open
    at file.c line 299
  • #20 wb_view_new_from_input
    at workbook-view.c line 1226
  • #21 wb_view_new_from_uri
    at workbook-view.c line 1280
  • #22 main
    at main-application.c line 417
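
Added example in plain C (not Gnumeric's code), modelling the pattern the trace above points to: the first invalid read sits 0 bytes after the 64-byte block that xl_chart_read_series grew with g_ptr_array_add, and the fatal read is at 0x40, i.e. a field of a pointer fetched from past the end of that array. The assumption here is that the error-bar record carries a series index that was used without a length check; SeriesArray, parse_series_index, lookup_series and import_error_bar are constructed stand-ins, not Gnumeric or GLib APIs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins (not Gnumeric/GLib types). */
typedef struct { const double *values; size_t n_values; } Series;
typedef struct { Series **pdata; size_t len; } SeriesArray; /* GPtrArray-like */

/* Read the 2-byte little-endian series index from an error-bar record body
 * (assumed layout). Returns -1 if the record is truncated. */
static int parse_series_index(const uint8_t *rec, size_t rec_len, uint16_t *out)
{
    if (rec_len < 2)
        return -1;
    *out = (uint16_t)(rec[0] | (rec[1] << 8));
    return 0;
}

/* Bounds-checked lookup. Without the check, index 16 on a 16-slot array
 * (64 bytes of pointers on 32-bit) reads one slot past the block, which is
 * the first valgrind error above; dereferencing that garbage is the SIGSEGV. */
static Series *lookup_series(const SeriesArray *arr, uint16_t idx)
{
    if (idx >= arr->len) {
        fprintf(stderr, "error bar refers to series %u, only %zu exist\n",
                (unsigned)idx, arr->len);
        return NULL;
    }
    return arr->pdata[idx];
}

/* Import one error-bar record: 1 if attached to a series, 0 if rejected.
 * A rejected record is skipped so the rest of the file still loads. */
int import_error_bar(const SeriesArray *arr, const uint8_t *rec, size_t rec_len)
{
    uint16_t idx;
    if (parse_series_index(rec, rec_len, &idx) != 0)
        return 0;
    return lookup_series(arr, idx) != NULL;
}

/* Constructed demo: two series; one well-formed record and one fuzzed one. */
int demo(void)
{
    const double v0[] = {1.0, 2.0}, v1[] = {3.0, 4.0};
    Series s0 = {v0, 2}, s1 = {v1, 2};
    Series *ptrs[] = {&s0, &s1};
    SeriesArray arr = {ptrs, 2};
    const uint8_t good[] = {0x01, 0x00};   /* series 1: in range */
    const uint8_t fuzzed[] = {0x10, 0x00}; /* series 16: past the end */
    return import_error_bar(&arr, good, 2) + import_error_bar(&arr, fuzzed, 2);
}
```

The same check applies to any index a record pulls out of the file: validate it against the count of objects actually read so far, not against what the file header claims.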

Comment 1 sum1 2008-06-28 22:59:58 UTC
Created attachment 113588
fuzzed chart-tests-excel.xls
Comment 2 Morten Welinder 2008-06-29 13:15:28 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.