GNOME Bugzilla – Bug 625726
Invalid write when importing malformed guppi graph
Last modified: 2010-07-31 18:22:56 UTC
Created attachment 166892: malformed .gnumeric file

Steps to reproduce:
- Import the .gnumeric attachment

Valgrind output:
==16005== Invalid write of size 4
==16005==    at 0x416694A: vector_end (sheet-object-graph.c:803)
==16005==    by 0x4555287: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==16005==    by 0x45DF201: ??? (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E601F: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E6439: xmlParseContent (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E5F4B: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E6439: xmlParseContent (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E5F4B: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E6439: xmlParseContent (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E5F4B: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E6439: xmlParseContent (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E5F4B: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==  Address 0x5f9d82c is 4 bytes before a block of size 128 alloc'd
==16005==    at 0x4024D12: realloc (vg_replace_malloc.c:476)
==16005==    by 0x4E1B1DE: g_realloc (gmem.c:170)
==16005==    by 0x4DEC562: g_ptr_array_maybe_expand (garray.c:593)
==16005==    by 0x4DEC7AC: g_ptr_array_set_size (garray.c:611)
==16005==    by 0x41668DB: vector_start (sheet-object-graph.c:792)
==16005==    by 0x4554FC1: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==16005==    by 0x45550F8: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==16005==    by 0x4555856: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==16005==    by 0x45E5D27: xmlParseStartTag (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E606F: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E6439: xmlParseContent (in /usr/lib/libxml2.so.2.7.5)
==16005==    by 0x45E5F4B: xmlParseElement (in /usr/lib/libxml2.so.2.7.5)
==16005==
(/home/s/local/bin/gnumeric:16005): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
Created attachment 166893: proposed patch, please test
There's still some brokenness with malformed files (new attachment coming up):

==19691== Conditional jump or move depends on uninitialised value(s)
==19691==    at 0x4DA4318: g_object_ref (gobject.c:2384)
==19691==    by 0x4166F0F: dim_start (sheet-object-graph.c:891)
==19691==    by 0x4554FC1: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x45550F8: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x4555856: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x45E5D27: xmlParseStartTag (parser.c:8157)
==19691==    by 0x45E606F: xmlParseElement (parser.c:9461)
==19691==    by 0x45E6439: xmlParseContent (parser.c:9371)
==19691==    by 0x45E5F4B: xmlParseElement (parser.c:9542)
==19691==    by 0x45E6439: xmlParseContent (parser.c:9371)
==19691==    by 0x45E5F4B: xmlParseElement (parser.c:9542)
==19691==    by 0x45E6439: xmlParseContent (parser.c:9371)
==19691==
(/home/s/local/bin/ssconvert:19691): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
==19691== Invalid read of size 4
==19691==    at 0x4166F06: dim_start (sheet-object-graph.c:891)
==19691==    by 0x4554FC1: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x45550F8: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x4555856: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x45E5D27: xmlParseStartTag (parser.c:8157)
==19691==    by 0x45E606F: xmlParseElement (parser.c:9461)
==19691==    by 0x45E6439: xmlParseContent (parser.c:9371)
==19691==    by 0x45E5F4B: xmlParseElement (parser.c:9542)
==19691==    by 0x45E6439: xmlParseContent (parser.c:9371)
==19691==    by 0x45E5F4B: xmlParseElement (parser.c:9542)
==19691==    by 0x45E6439: xmlParseContent (parser.c:9371)
==19691==    by 0x45E5F4B: xmlParseElement (parser.c:9542)
==19691==  Address 0x62fda90 is 0 bytes after a block of size 64 alloc'd
==19691==    at 0x4024C1C: malloc (vg_replace_malloc.c:195)
==19691==    by 0x4024CA6: realloc (vg_replace_malloc.c:476)
==19691==    by 0x4E1B1DE: g_realloc (gmem.c:170)
==19691==    by 0x4DEC562: g_ptr_array_maybe_expand (garray.c:593)
==19691==    by 0x4DEC7AC: g_ptr_array_set_size (garray.c:611)
==19691==    by 0x41674C2: gnm_sogg_prep_sax_parser (sheet-object-graph.c:1033)
==19691==    by 0x416554F: gnm_sog_prep_sax_parser (sheet-object-graph.c:412)
==19691==    by 0x41B68CD: xml_sax_read_obj (xml-sax-read.c:2253)
==19691==    by 0x41B6972: xml_sax_object_start (xml-sax-read.c:2273)
==19691==    by 0x4554FC1: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x45550F8: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==    by 0x4555856: ??? (in /usr/lib/libgsf-1.so.114.0.15)
==19691==
(/home/s/local/bin/ssconvert:19691): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
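Added illustration (not Gnumeric's code, and not the attached patch) of the defect class both valgrind traces on this report point to: a SAX element callback indexing a pointer array one slot before its start ("4 bytes before a block", i.e. slot -1 with 4-byte pointers) or exactly at its length ("0 bytes after a block of size 64", slot 16 of 16). The names vector_end_checked, dim_start_checked and the tiny PtrArray stand-in for GPtrArray are assumptions; they show the range checks a hardened handler applies before touching or ref'ing a slot.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for GLib's GPtrArray; pdata is the heap block valgrind named. */
typedef struct { void **pdata; size_t len; } PtrArray;

static PtrArray *ptr_array_sized_new(size_t n) {
    PtrArray *a = calloc(1, sizeof *a);
    a->pdata = calloc(n ? n : 1, sizeof(void *));   /* every slot starts out NULL */
    a->len = n;
    return a;
}

static void ptr_array_free(PtrArray *a) { free(a->pdata); free(a); }

/* Parser state shared by the SAX callbacks: which vector slot is being filled. */
typedef struct { PtrArray *vectors; long cur; } ParseState;

/* Hardened end-of-<vector> handler: refuses any slot outside [0, len).
   With 4-byte pointers, slot -1 is the "4 bytes before a block" write in the
   first trace and slot 16 of a 16-slot array is the "0 bytes after a block of
   size 64" access in the second. */
static int vector_end_checked(ParseState *st, void *value) {
    if (st->cur < 0 || (size_t)st->cur >= st->vectors->len)
        return 0;                                   /* malformed input: skip */
    st->vectors->pdata[st->cur] = value;
    return 1;
}

/* Hardened <dim> handler: returns a slot only if it is in range; an in-range
   slot that was never filled comes back NULL rather than uninitialised memory,
   so the caller can test it before anything like g_object_ref() runs. */
static void *dim_start_checked(ParseState *st, long idx) {
    if (idx < 0 || (size_t)idx >= st->vectors->len) return NULL;
    return st->vectors->pdata[idx];
}

/* Replays constructed element sequences; each bit records one expected outcome. */
static int run_scenarios(void) {
    static int payload;
    int ok = 0;
    ParseState st = { ptr_array_sized_new(16), 0 }; /* 16 slots: 64 bytes on 32-bit */
    st.cur = -1; if (!vector_end_checked(&st, &payload)) ok |= 1; /* end without start */
    st.cur = 16; if (!vector_end_checked(&st, &payload)) ok |= 2; /* one past the end */
    st.cur = 3;  if (vector_end_checked(&st, &payload) &&
                     dim_start_checked(&st, 3) == &payload) ok |= 4; /* well-formed */
    if (dim_start_checked(&st, 5) == NULL) ok |= 8;                /* never filled */
    ptr_array_free(st.vectors);
    return ok;                                                       /* 15 when all hold */
}

int main(void) { printf("scenario bits: %d\n", run_scenarios()); return 0; }
```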
Created attachment 166895: second malformed file
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.