GNOME Bugzilla – Bug 552006
Invalid reads in gnumeric_sumif
Last modified: 2008-09-12 19:12:36 UTC
Version: r16789
OS: Ubuntu Hardy

Steps to reproduce:
- Start with a blank workbook
- In A2, enter "=sumif(A1,false,-140:44)" (no quotes)

Valgrind output:

==13628== Invalid read of size 4
==13628==    at 0x7FF9001: gnumeric_sumif (functions.c:709)
==13628==    by 0x40AEA87: function_call_with_exprs (func.c:1247)
==13628==    by 0x40A3193: gnm_expr_eval (expr.c:1339)
==13628==    by 0x40A6944: gnm_expr_top_eval (expr.c:2858)
==13628==    by 0x409C620: gnm_cell_eval_content (dependent.c:1455)
==13628==    by 0x40F9C7E: gnm_rendered_value_new (rendered-value.c:210)
==13628==    by 0x407C858: gnm_cell_render_value (cell.c:469)
==13628==    by 0x407E403: row_calc_spans (cellspan.c:411)
==13628==    by 0x4105084: sheet_range_bounding_box (sheet.c:2258)
==13628==    by 0x411028C: scg_redraw_range (sheet-control-gui.c:147)
==13628==    by 0x410F590: sc_redraw_range (sheet-control.c:89)
==13628==    by 0x410258F: sheet_redraw_partial_row (sheet.c:1018)
==13628==  Address 0x79d0d88 is 4 bytes after a block of size 20 alloc'd
==13628==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)
==13628==    by 0x4CD6DCC: g_malloc (gmem.c:131)
==13628==    by 0x4CEBFAD: g_slice_alloc (gslice.c:824)
==13628==    by 0x4146A41: value_new_array_non_init (value.c:406)
==13628==    by 0x4146B50: value_new_array_empty (value.c:433)
==13628==    by 0x40A2E78: gnm_expr_eval (expr.c:1270)
==13628==    by 0x40AE195: function_call_with_exprs (func.c:1068)
==13628==    by 0x40A3193: gnm_expr_eval (expr.c:1339)
==13628==    by 0x40A6944: gnm_expr_top_eval (expr.c:2858)
==13628==    by 0x409C620: gnm_cell_eval_content (dependent.c:1455)
==13628==    by 0x40F9C7E: gnm_rendered_value_new (rendered-value.c:210)
==13628==    by 0x407C858: gnm_cell_render_value (cell.c:469)
==13628==
==13628== Invalid read of size 4
==13628==    at 0x7FF9057: gnumeric_sumif (functions.c:715)
==13628==    by 0x40AEA87: function_call_with_exprs (func.c:1247)
==13628==    by 0x40A3193: gnm_expr_eval (expr.c:1339)
==13628==    by 0x40A6944: gnm_expr_top_eval (expr.c:2858)
==13628==    by 0x409C620: gnm_cell_eval_content (dependent.c:1455)
==13628==    by 0x40F9C7E: gnm_rendered_value_new (rendered-value.c:210)
==13628==    by 0x407C858: gnm_cell_render_value (cell.c:469)
==13628==    by 0x407E403: row_calc_spans (cellspan.c:411)
==13628==    by 0x4105084: sheet_range_bounding_box (sheet.c:2258)
==13628==    by 0x411028C: scg_redraw_range (sheet-control-gui.c:147)
==13628==    by 0x410F590: sc_redraw_range (sheet-control.c:89)
==13628==    by 0x410258F: sheet_redraw_partial_row (sheet.c:1018)
==13628==  Address 0x79d0d8c is 8 bytes after a block of size 20 alloc'd
==13628==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)
==13628==    by 0x4CD6DCC: g_malloc (gmem.c:131)
==13628==    by 0x4CEBFAD: g_slice_alloc (gslice.c:824)
==13628==    by 0x4146A41: value_new_array_non_init (value.c:406)
==13628==    by 0x4146B50: value_new_array_empty (value.c:433)
==13628==    by 0x40A2E78: gnm_expr_eval (expr.c:1270)
==13628==    by 0x40AE195: function_call_with_exprs (func.c:1068)
==13628==    by 0x40A3193: gnm_expr_eval (expr.c:1339)
==13628==    by 0x40A6944: gnm_expr_top_eval (expr.c:2858)
==13628==    by 0x409C620: gnm_cell_eval_content (dependent.c:1455)
==13628==    by 0x40F9C7E: gnm_rendered_value_new (rendered-value.c:210)
==13628==    by 0x407C858: gnm_cell_render_value (cell.c:469)
==13628==
==13628== Invalid read of size 4
==13628==    at 0x7FF908F: gnumeric_sumif (functions.c:718)
==13628==    by 0x40AEA87: function_call_with_exprs (func.c:1247)
==13628==    by 0x40A3193: gnm_expr_eval (expr.c:1339)
==13628==    by 0x40A6944: gnm_expr_top_eval (expr.c:2858)
==13628==    by 0x409C620: gnm_cell_eval_content (dependent.c:1455)
==13628==    by 0x40F9C7E: gnm_rendered_value_new (rendered-value.c:210)
==13628==    by 0x407C858: gnm_cell_render_value (cell.c:469)
==13628==    by 0x407E403: row_calc_spans (cellspan.c:411)
==13628==    by 0x4105084: sheet_range_bounding_box (sheet.c:2258)
==13628==    by 0x411028C: scg_redraw_range (sheet-control-gui.c:147)
==13628==    by 0x410F590: sc_redraw_range (sheet-control.c:89)
==13628==    by 0x410258F: sheet_redraw_partial_row (sheet.c:1018)
==13628==  Address 0x79d0d90 is 12 bytes after a block of size 20 alloc'd
==13628==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)
==13628==    by 0x4CD6DCC: g_malloc (gmem.c:131)
==13628==    by 0x4CEBFAD: g_slice_alloc (gslice.c:824)
==13628==    by 0x4146A41: value_new_array_non_init (value.c:406)
==13628==    by 0x4146B50: value_new_array_empty (value.c:433)
==13628==    by 0x40A2E78: gnm_expr_eval (expr.c:1270)
==13628==    by 0x40AE195: function_call_with_exprs (func.c:1068)
==13628==    by 0x40A3193: gnm_expr_eval (expr.c:1339)
==13628==    by 0x40A6944: gnm_expr_top_eval (expr.c:2858)
==13628==    by 0x409C620: gnm_cell_eval_content (dependent.c:1455)
==13628==    by 0x40F9C7E: gnm_rendered_value_new (rendered-value.c:210)
==13628==    by 0x407C858: gnm_cell_render_value (cell.c:469)
Code requires argv[2] to be NULL or a range.
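The bug class behind the valgrind trace above, as an added illustration that is not Gnumeric's code: a function assumes its third argument is a cell range and reads range fields through a cast, but the argument is actually an array value whose allocation is smaller, so the reads land just past the end of the block (here 4, 8 and 12 bytes after a 20-byte allocation). All names and struct layouts below (Value, ValueArray, ValueRange, sumif_count_cells_*) are assumptions made for this example and do not reflect GnmValue or the real gnumeric_sumif; the hardened variant shows the check the comment above describes.

```c
/* Illustrative reconstruction of a type-confusion read: NOT Gnumeric's code.
 * Type and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef enum { VALUE_EMPTY, VALUE_ARRAY, VALUE_CELLRANGE } ValueType;

typedef struct { ValueType type; } Value;                 /* common header */
typedef struct { ValueType type; int x, y; } ValueArray;  /* small: dims only */
typedef struct {
    ValueType type;
    int col_a, row_a, col_b, row_b;                       /* corners of the range */
    int sheet_a, sheet_b;
} ValueRange;                                             /* larger than ValueArray */

/* Like value_new_array_empty: the allocation is sized for the array variant only. */
static Value *value_new_array(int x, int y) {
    ValueArray *a = calloc(1, sizeof *a);
    if (!a) abort();
    a->type = VALUE_ARRAY; a->x = x; a->y = y;
    return (Value *)a;
}

static Value *value_new_range(int ca, int ra, int cb, int rb) {
    ValueRange *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->type = VALUE_CELLRANGE;
    r->col_a = ca; r->row_a = ra; r->col_b = cb; r->row_b = rb;
    return (Value *)r;
}

/* Buggy pattern: casts to the range layout without checking the tag.
 * Given a ValueArray, col_b/row_b lie past the end of the allocation, which
 * is exactly the "Invalid read of size 4 ... N bytes after a block" valgrind
 * reports.  Only call this with a real range. */
static long sumif_count_cells_unchecked(const Value *v) {
    const ValueRange *r = (const ValueRange *)v;
    if (v == NULL) return 0;
    return (long)(abs(r->col_b - r->col_a) + 1) * (abs(r->row_b - r->row_a) + 1);
}

/* Hardened: the argument must be NULL or a range; anything else is rejected
 * (-1 here; a spreadsheet function would return a #VALUE! error instead). */
static long sumif_count_cells_checked(const Value *v) {
    if (v == NULL) return 0;
    if (v->type != VALUE_CELLRANGE) return -1;
    const ValueRange *r = (const ValueRange *)v;
    return (long)(abs(r->col_b - r->col_a) + 1) * (abs(r->row_b - r->row_a) + 1);
}

/* Self-contained scenarios: a genuine range (A1:C4 -> 12 cells) and the
 * array value that a non-range third argument produces. */
static long check_range_example(void) {
    Value *v = value_new_range(0, 0, 2, 3);
    long n = sumif_count_cells_checked(v);
    free(v);
    return n;
}

static long check_array_example(void) {
    Value *v = value_new_array(1, 1);
    long n = sumif_count_cells_checked(v);
    free(v);
    return n;
}

int main(int argc, char **argv) {
    (void)argv;
    printf("checked, range: %ld\n", check_range_example());
    printf("checked, array: %ld\n", check_array_example());
    if (argc > 1) {
        /* Pass any argument and run under valgrind to reproduce the
         * out-of-bounds reads of the unchecked variant on an array value. */
        Value *arr = value_new_array(1, 1);
        printf("unchecked, array: %ld\n", sumif_count_cells_unchecked(arr));
        free(arr);
    }
    return 0;
}
```

Run with no arguments for the safe path; `valgrind ./a.out x` reproduces the pattern in the report, with the invalid reads attributed to the unchecked cast. The check is cheap because every value carries its tag in the first word; the fix is to test that tag before interpreting the rest of the struct.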
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.