GNOME Bugzilla – Bug 512984
Null pointer crash in excel_read_EXTERNSHEET_v8() when reading malformed file
Last modified: 2008-01-30 21:48:57 UTC
Version: trunk (r16301)
OS: Ubuntu Gutsy

The upcoming attachment was created by running mathfuns.xls through zzuf (http://sam.zoy.org/zzuf/), a multi-purpose fuzzer, to see how well Gnumeric handles corrupt files.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash

Backtrace (Trace 187301):
Program received signal SIGSEGV, Segmentation fault.
Thread (LWP 11272)
Created attachment 104001: mathfuns.xls (fuzzed)
Created attachment 104002: potential patch
Fixed somewhat differently, but in a more robust way. We need to verify that we have the right number of bytes in the record. (head+stable)
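The check described in the comment above, as an added illustration that is not Gnumeric's own code: the body of a BIFF8 EXTERNSHEET record is a 16-bit entry count followed by 6-byte XTI entries, so a parser can compare the declared count against the bytes actually present before it reads a single entry. The sample record bytes are constructed here, not taken from the attachment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One XTI entry of a BIFF8 EXTERNSHEET record body: three little-endian
 * uint16 fields (iSupBook, itabFirst, itabLast), 6 bytes per entry. */
typedef struct { uint16_t supbook, first_tab, last_tab; } xti_t;
#define XTI_SIZE 6u

static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the body of an EXTERNSHEET record. Returns the number of XTI entries
 * copied into out, or -1 when the record must be rejected: body too short to
 * hold the count, declared count not matching the bytes actually present, or
 * more entries than the caller can hold. Nothing is read past the count until
 * the length check has passed, so a corrupted count cannot drive reads beyond len. */
int parse_externsheet_v8(const uint8_t *body, size_t len, xti_t *out, size_t max_out)
{
    if (body == NULL || len < 2)
        return -1;
    uint16_t cxti = rd_u16le(body);
    if (len != 2u + (size_t)cxti * XTI_SIZE || cxti > max_out)
        return -1;
    for (size_t i = 0; i < cxti; i++) {
        const uint8_t *p = body + 2 + i * XTI_SIZE;
        out[i].supbook   = rd_u16le(p);
        out[i].first_tab = rd_u16le(p + 2);
        out[i].last_tab  = rd_u16le(p + 4);
    }
    return (int)cxti;
}

/* Constructed sample bodies (not from the attachment): a well-formed record
 * with two entries, and the same bytes with one byte of the count flipped so
 * it claims 0x0300 = 768 entries while only 12 bytes of entries follow. */
static const uint8_t sample_good[14]   = {0x02,0x00, 0,0,0,0,0,0, 0,0,1,0,1,0};
static const uint8_t sample_fuzzed[14] = {0x00,0x03, 0,0,0,0,0,0, 0,0,1,0,1,0};

int demo_good(void)   { xti_t x[4]; return parse_externsheet_v8(sample_good,   sizeof sample_good,   x, 4); }
int demo_fuzzed(void) { xti_t x[4]; return parse_externsheet_v8(sample_fuzzed, sizeof sample_fuzzed, x, 4); }

int main(void)
{
    printf("good: %d entries, fuzzed: %d\n", demo_good(), demo_fuzzed());
    return 0;
}
```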
For the record, how are you running the zzuf tool?
Right now, I'm using a crude shell script to corrupt the files from gnumeric/samples:

    # * to pick up the sc samples
    for file in *
    do
        for a in 0 1 2 3 4 5 6 7 8 9
        do
            for b in 0 1 2 3 4 5 6 7 8 9
            do
                echo :"$file""$a""$b" >> fuzzlog
                # this script will fuzz 0.0% (-r.000) - 9.9% (-r.099) of the file's bytes
                ~/local/bin/zzuf -b2000- -r.0"$a""$b" < "$file" > "$file""$a""$b"
                ~/local/bin/ssconvert "$file""$a""$b" "$file""$a""$b".xls >> fuzzlog 2>&1
                # note: the fuzzed files are not cleaned up
            done
        done
    done

There are a number of ways this testing can be improved:
- Export the fuzzed files to every format, not just xls.
- Experiment with different header offsets for each file format by using the -b switch, which allows you to ignore certain byte ranges (-b2000- was just a guess).
- Fuzz the file headers.
- Use -P and -R to blacklist/whitelist certain characters to make the corruption more realistic.
- Reduce the rate of fuzzing to corrupt the files more subtly.
- See if different fuzzing modes (-f switch) produce more bugs.

I don't know much about spreadsheet formats, so my testing isn't very smart yet :). If you have any suggestions, I'd be happy to hear them.