Bug 575452 - Invalid reads during xls import
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: Jody Goldberg
Jody Goldberg
Reported: 2009-03-15 19:24 UTC by sum1
Modified: 2009-03-16 19:51 UTC

Attachments
zipped xls file (380.87 KB, application/zip)
2009-03-15 19:27 UTC, sum1
Tentative patch (6.11 KB, patch)
2009-03-16 15:10 UTC, Morten Welinder

Description sum1 2009-03-15 19:24:25 UTC
Version: r17210
OS: Ubuntu Intrepid

The upcoming .xls attachment was created by resaving the file from http://www.openoffice.org/issues/show_bug.cgi?id=2033 with Gnumeric.


Steps to reproduce:
- Import the upcoming .xls attachment


Valgrind output:

==18390== Invalid read of size 1
==18390==    at 0x500DB80: g_utf8_offset_to_pointer (gutf8.c:301)
==18390==    by 0x7E06AE2: excel_read_LABEL_markup (ms-excel-read.c:1085)
==18390==    by 0x7E1611D: excel_read_LABEL (ms-excel-read.c:5821)
==18390==    by 0x7E17BCB: excel_read_sheet (ms-excel-read.c:6240)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390==    by 0x449286D: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==18390==    by 0x449429B: go_plugin_file_opener_open (go-plugin-service.c:476)
==18390==    by 0x4496BEB: go_file_opener_open (file.c:299)
==18390==    by 0x4157D75: wb_view_new_from_input (workbook-view.c:1057)
==18390==    by 0x4157F0B: wb_view_new_from_uri (workbook-view.c:1111)
==18390==  Address 0xc1236b7 is 0 bytes after a block of size 87 alloc'd
==18390==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
==18390==    by 0x4FE5D63: g_malloc (gmem.c:131)
==18390==    by 0x500EA93: g_utf16_to_utf8 (gutf8.c:1162)
==18390==    by 0x7E063C7: excel_get_chars (ms-excel-read.c:916)
==18390==    by 0x7E065EC: excel_get_text (ms-excel-read.c:975)
==18390==    by 0x7E066ED: excel_get_text_fixme (ms-excel-read.c:1002)
==18390==    by 0x7E16079: excel_read_LABEL (ms-excel-read.c:5810)
==18390==    by 0x7E17BCB: excel_read_sheet (ms-excel-read.c:6240)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390==    by 0x449286D: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==18390== 
==18390== Invalid read of size 1
==18390==    at 0x500DB93: g_utf8_offset_to_pointer (gutf8.c:300)
==18390==    by 0x7E06AE2: excel_read_LABEL_markup (ms-excel-read.c:1085)
==18390==    by 0x7E1611D: excel_read_LABEL (ms-excel-read.c:5821)
==18390==    by 0x7E17BCB: excel_read_sheet (ms-excel-read.c:6240)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390==    by 0x449286D: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==18390==    by 0x449429B: go_plugin_file_opener_open (go-plugin-service.c:476)
==18390==    by 0x4496BEB: go_file_opener_open (file.c:299)
==18390==    by 0x4157D75: wb_view_new_from_input (workbook-view.c:1057)
==18390==    by 0x4157F0B: wb_view_new_from_uri (workbook-view.c:1111)
==18390==  Address 0xc1236b8 is 1 bytes after a block of size 87 alloc'd
==18390==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
==18390==    by 0x4FE5D63: g_malloc (gmem.c:131)
==18390==    by 0x500EA93: g_utf16_to_utf8 (gutf8.c:1162)
==18390==    by 0x7E063C7: excel_get_chars (ms-excel-read.c:916)
==18390==    by 0x7E065EC: excel_get_text (ms-excel-read.c:975)
==18390==    by 0x7E066ED: excel_get_text_fixme (ms-excel-read.c:1002)
==18390==    by 0x7E16079: excel_read_LABEL (ms-excel-read.c:5810)
==18390==    by 0x7E17BCB: excel_read_sheet (ms-excel-read.c:6240)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390==    by 0x449286D: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
==18390== 
==18390== Use of uninitialised value of size 4
==18390==    at 0x500DB86: g_utf8_offset_to_pointer (gutf8.c:301)
==18390==    by 0x7DFFF04: ms_container_read_markup (ms-container.c:266)
==18390==    by 0x7E31A90: ms_read_TXO (ms-obj.c:445)
==18390==    by 0x7E02CFE: ms_escher_read_ClientTextbox (ms-escher.c:1963)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E01075: ms_escher_read_SpContainer (ms-escher.c:507)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E03725: ms_escher_parse (ms-escher.c:2166)
==18390==    by 0x7E17C20: excel_read_sheet (ms-excel-read.c:6250)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390== 
==18390== Invalid read of size 1
==18390==    at 0x500DB93: g_utf8_offset_to_pointer (gutf8.c:300)
==18390==    by 0x7DFFF04: ms_container_read_markup (ms-container.c:266)
==18390==    by 0x7E31A90: ms_read_TXO (ms-obj.c:445)
==18390==    by 0x7E02CFE: ms_escher_read_ClientTextbox (ms-escher.c:1963)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E01075: ms_escher_read_SpContainer (ms-escher.c:507)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E03725: ms_escher_parse (ms-escher.c:2166)
==18390==    by 0x7E17C20: excel_read_sheet (ms-excel-read.c:6250)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390==  Address 0xc1b8720 is 0 bytes after a block of size 32 alloc'd
==18390==    at 0x4025E4C: realloc (vg_replace_malloc.c:429)
==18390==    by 0x4FE5C49: g_realloc (gmem.c:170)
==18390==    by 0x5000E9E: g_string_maybe_expand (gstring.c:359)
==18390==    by 0x5001A88: g_string_insert_len (gstring.c:694)
==18390==    by 0x5001ED0: g_string_append (gstring.c:815)
==18390==    by 0x7E319DE: ms_read_TXO (ms-obj.c:435)
==18390==    by 0x7E02CFE: ms_escher_read_ClientTextbox (ms-escher.c:1963)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E01075: ms_escher_read_SpContainer (ms-escher.c:507)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E03725: ms_escher_parse (ms-escher.c:2166)
==18390==    by 0x7E17C20: excel_read_sheet (ms-excel-read.c:6250)
==18390== 
==18390== Invalid read of size 1
==18390==    at 0x500DB80: g_utf8_offset_to_pointer (gutf8.c:301)
==18390==    by 0x7DFFF04: ms_container_read_markup (ms-container.c:266)
==18390==    by 0x7E31A90: ms_read_TXO (ms-obj.c:445)
==18390==    by 0x7E02CFE: ms_escher_read_ClientTextbox (ms-escher.c:1963)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E01075: ms_escher_read_SpContainer (ms-escher.c:507)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E03725: ms_escher_parse (ms-escher.c:2166)
==18390==    by 0x7E17C20: excel_read_sheet (ms-excel-read.c:6250)
==18390==    by 0x7E1881E: excel_read_BOF (ms-excel-read.c:6533)
==18390==    by 0x7E18F9F: excel_read_workbook (ms-excel-read.c:6616)
==18390==    by 0x7DFCD22: excel_file_open (boot.c:192)
==18390==  Address 0xc1b8721 is 1 bytes after a block of size 32 alloc'd
==18390==    at 0x4025E4C: realloc (vg_replace_malloc.c:429)
==18390==    by 0x4FE5C49: g_realloc (gmem.c:170)
==18390==    by 0x5000E9E: g_string_maybe_expand (gstring.c:359)
==18390==    by 0x5001A88: g_string_insert_len (gstring.c:694)
==18390==    by 0x5001ED0: g_string_append (gstring.c:815)
==18390==    by 0x7E319DE: ms_read_TXO (ms-obj.c:435)
==18390==    by 0x7E02CFE: ms_escher_read_ClientTextbox (ms-escher.c:1963)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E01075: ms_escher_read_SpContainer (ms-escher.c:507)
==18390==    by 0x7E034C4: ms_escher_read_container (ms-escher.c:2099)
==18390==    by 0x7E03725: ms_escher_parse (ms-escher.c:2166)
==18390==    by 0x7E17C20: excel_read_sheet (ms-excel-read.c:6250)
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;
EXCEL : Invalid fbt = 0x0

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: SpgrContainer;

(/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): gnumeric:escher-WARNING **: DgContainer;

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input

** (/home/s/cvs/gnumeric/src/.libs/lt-gnumeric:18390): WARNING **: error: Invalid byte sequence in conversion input
Comment 1 sum1 2009-03-15 19:27:23 UTC
Created attachment 130706
zipped xls file
Comment 2 Morten Welinder 2009-03-16 15:10:18 UTC
Created attachment 130752
Tentative patch
Comment 3 Morten Welinder 2009-03-16 19:51:27 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.
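
The valgrind traces in the description show g_utf8_offset_to_pointer reading just past the end of the converted string, called from excel_read_LABEL_markup and ms_container_read_markup. The following is an added example, not Gnumeric's code and not the patch attached to this bug: it shows in plain C, without GLib, an unchecked character-offset walk beside a bounds-checked one. The helper names and the formatting-run layout are assumptions made for illustration.

```c
#include <stddef.h>

/* Length of a UTF-8 sequence judged from its lead byte (1 otherwise). */
size_t utf8_seq_len(unsigned char c)
{
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Unchecked walk with the contract of g_utf8_offset_to_pointer(): it never
 * tests for the terminator, so an offset beyond the string's character
 * count walks off the end of the allocation. */
const char *utf8_offset_unchecked(const char *s, long offset)
{
    while (offset-- > 0)
        s += utf8_seq_len((unsigned char)*s);
    return s;
}

/* Checked walk: NULL when offset is negative, exceeds the character count,
 * or the string ends inside a multi-byte sequence. offset == length is
 * valid and points at the terminator. */
const char *utf8_offset_checked(const char *s, long offset)
{
    if (offset < 0) return NULL;
    for (; offset > 0; offset--) {
        size_t n = utf8_seq_len((unsigned char)*s);
        for (size_t i = 0; i < n; i++)
            if (s[i] == '\0') return NULL; /* stops at the first NUL */
        s += n;
    }
    return s;
}

/* Hypothetical helper: map one formatting run's character range, as read
 * from the file, to byte offsets. Returns 0 on success, -1 to reject. */
int markup_run_to_bytes(const char *text, long first, long last,
                        size_t *first_byte, size_t *last_byte)
{
    const char *a = utf8_offset_checked(text, first);
    const char *b = utf8_offset_checked(text, last);
    if (a == NULL || b == NULL || first > last) return -1;
    *first_byte = (size_t)(a - text);
    *last_byte = (size_t)(b - text);
    return 0;
}

int main(void) { size_t a, b; return markup_run_to_bytes("na\xc3\xafve", 2, 3, &a, &b); }
```

A run whose offsets come from the file is rejected here instead of being passed to the unchecked walk; a parser could equally clamp the offset to the string's character count and log the record as malformed.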