Bug 568994 - Null pointer crash in oo_table_start()
Status: RESOLVED FIXED
Product: libgsf
Classification: Core
Component: General
Version: 1.14.x
Hardware: Other
OS: All
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2009-01-24 16:23 UTC by sum1
Modified: 2009-01-26 18:53 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments:
- fuzzed ods file (4.61 KB, application/vnd.oasis.opendocument.spreadsheet), 2009-01-24 16:24 UTC, sum1

Description sum1 2009-01-24 16:23:44 UTC
Version: r17090
OS: Ubuntu Intrepid

The upcoming .ods attachment is a fuzzed version of the file from
http://bugs.kde.org/show_bug.cgi?id=136931.


Steps to reproduce:
- Import the upcoming, fuzzed attachment


Partial console output (XML criticals and general warnings ignored):

CRITICAL **: gsf_xml_in_end_document: assertion `state->pub.node == &state->pub.doc->root_node->pub' failed
CRITICAL **: oo_style: assertion `state->cur_style_type == OO_STYLE_UNKNOWN' failed


Backtrace:

Program received signal SIGSEGV, Segmentation fault.

Thread 3067520768 (LWP 31112)

#0  oo_table_start at openoffice-read.c line 528
#1  push_child at gsf-libxml.c line 601
#2  lookup_child at gsf-libxml.c line 638
#3  gsf_xml_in_start_element at gsf-libxml.c line 708
#4  xmlParseStartTag from /usr/lib/libxml2.so.2
#5  xmlParseElement from /usr/lib/libxml2.so.2
#6  xmlParseContent from /usr/lib/libxml2.so.2
#7  xmlParseElement from /usr/lib/libxml2.so.2
#8  xmlParseContent from /usr/lib/libxml2.so.2
#9  xmlParseElement from /usr/lib/libxml2.so.2
#10 xmlParseContent from /usr/lib/libxml2.so.2
#11 xmlParseElement from /usr/lib/libxml2.so.2
#12 xmlParseDocument from /usr/lib/libxml2.so.2
#13 gsf_xml_in_doc_parse at gsf-libxml.c line 1180
#14 openoffice_file_open at openoffice-read.c line 2987
#15 go_plugin_loader_module_func_file_open at go-plugin-loader-module.c line 239
#16 go_plugin_file_opener_open at go-plugin-service.c line 476
#17 go_file_opener_open at file.c line 299
#18 wb_view_new_from_input at workbook-view.c line 1230
#19 wb_view_new_from_uri at workbook-view.c line 1284
#20 main at main-application.c line 444

Comment 1 sum1 2009-01-24 16:24:31 UTC
Created attachment 127167
fuzzed ods file
Comment 2 Morten Welinder 2009-01-26 18:26:13 UTC
Looks like a libgsf problem.

==24787== 
==24787== Use of uninitialised value of size 8
==24787==    at 0x5D51424: gsf_xml_in_characters (gsf-libxml.c:832)
==24787==    by 0x6C848F5: xmlParseCharData (in /usr/lib64/libxml2.so.2.6.32)
==24787==    by 0x6C884C7: xmlParseContent (in /usr/lib64/libxml2.so.2.6.32)
==24787==    by 0x6C88110: xmlParseElement (in /usr/lib64/libxml2.so.2.6.32)
==24787==    by 0x6C8EAE1: xmlParseDocument (in /usr/lib64/libxml2.so.2.6.32)
==24787==    by 0x5D5218A: gsf_xml_in_doc_parse (gsf-libxml.c:1180)
==24787==    by 0x5D59082: gsf_opendoc_metadata_read (gsf-opendoc-utils.c:207)
==24787==    by 0xEB46E75: openoffice_file_open (openoffice-read.c:2965)
==24787==    by 0x53AC5B2: go_plugin_file_opener_open (go-plugin-service.c:476)
==24787==    by 0x4F5572D: wb_view_new_from_input (workbook-view.c:1230)
==24787==    by 0x4F55969: wb_view_new_from_uri (workbook-view.c:1284)
==24787==    by 0x404CE7: main (main-application.c:444)
==24787== 
Comment 3 Morten Welinder 2009-01-26 18:53:55 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.

(Gnumeric part fixed too.)