Bug 577138 – Crash in mps_write_coefficients

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 577138 - Crash in mps_write_coefficients


Summary:	Crash in mps_write_coefficients


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export other
Version:	git master
Hardware:	Other All

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Morten Welinder
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2009-03-28 23:12 UTC by sum1
Modified:	2009-03-29 00:00 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
fuzzed mps file (3.17 KB, application/x-mps) 2009-03-28 23:13 UTC, sum1	Details

Description sum1 2009-03-28 23:12:04 UTC

Version: r17246
OS: Ubuntu Intrepid

The upcoming file is a fuzzed version of afiro.mps from gnumeric/samples/solver.


Steps to reproduce:
- Import the upcoming .mps attachment to trigger a crash


Valgrind log:
==21565== Invalid read of size 4
==21565==    at 0x7DEF3FC: mps_write_coefficients (mps.c:302)
==21565==    by 0x7DEFC2D: mps_create_sheet (mps.c:463)
==21565==    by 0x7DF025D: mps_file_open (mps.c:640)
==21565==    by 0x4492825: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==21565==    by 0x4494253: go_plugin_file_opener_open (go-plugin-service.c:476)
==21565==    by 0x4496BA3: go_file_opener_open (file.c:299)
==21565==    by 0x4157B85: wb_view_new_from_input (workbook-view.c:1058)
==21565==    by 0x4157D1B: wb_view_new_from_uri (workbook-view.c:1112)
==21565==    by 0x804C0FA: main (main-application.c:413)
==21565==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==21565== 
==21565== Process terminating with default action of signal 11 (SIGSEGV)
==21565==  Access not within mapped region at address 0x8
==21565==    at 0x7DEF3FC: mps_write_coefficients (mps.c:302)
==21565==    by 0x7DEFC2D: mps_create_sheet (mps.c:463)
==21565==    by 0x7DF025D: mps_file_open (mps.c:640)
==21565==    by 0x4492825: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:239)
==21565==    by 0x4494253: go_plugin_file_opener_open (go-plugin-service.c:476)
==21565==    by 0x4496BA3: go_file_opener_open (file.c:299)
==21565==    by 0x4157B85: wb_view_new_from_input (workbook-view.c:1058)
==21565==    by 0x4157D1B: wb_view_new_from_uri (workbook-view.c:1112)
==21565==    by 0x804C0FA: main (main-application.c:413)

Comment 1 sum1 2009-03-28 23:13:15 UTC

Created attachment 131603 [details]
fuzzed mps file

Comment 2 Morten Welinder 2009-03-29 00:00:39 UTC

This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.