Bug 703052 – Segfault in gnm_so_path_new_view on a corrupted (fuzzed) gnumeric file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 703052 - Segfault in gnm_so_path_new_view on a corrupted (fuzzed) gnumeric file


Summary:	Segfault in gnm_so_path_new_view on a corrupted (fuzzed) gnumeric file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export other
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Morten Welinder
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-06-25 12:37 UTC by jutaky
Modified:	2013-06-26 07:09 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2013-06-25 12:37:36 UTC

Segfault in gnm_so_path_new_view on a corrupted (fuzzed) gnumeric file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_17712_8528.gnumeric


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff799dfdb in gnm_so_path_new_view (so=0x6cb030, container=0xf08100) at gnm-so-path.c:258
258			item->paths = g_ptr_array_sized_new (sop->paths->len);
(gdb) bt

+ Trace 232142

#0 gnm_so_path_new_view
at gnm-so-path.c line 258
#1 sheet_object_new_view
at sheet-object.c line 694
#2 cb_pane_init_objs
at gnm-pane.c line 824
#3 g_cclosure_marshal_VOID__VOID
at gmarshal.c line 85
#4 g_closure_invoke
at gclosure.c line 777
#5 signal_emit_unlocked_R
at gsignal.c line 3582
#6 g_signal_emit_valist
at gsignal.c line 3326
#7 g_signal_emit
at gsignal.c line 3382
#8 gtk_widget_realize
from /usr/lib/libgtk-3.so.0
#9 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#10 ??
from /usr/lib/libgtk-3.so.0
#11 ??
from /usr/lib/libgtk-3.so.0
#12 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#13 g_type_class_meta_marshalv
at gclosure.c line 997
#14 _g_closure_invoke_va
at gclosure.c line 840
#15 g_signal_emit_valist
at gsignal.c line 3234
#16 g_signal_emit
at gsignal.c line 3382
#17 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#18 ??
from /usr/lib/libgtk-3.so.0
#19 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#20 g_type_class_meta_marshalv
at gclosure.c line 997
#21 _g_closure_invoke_va
at gclosure.c line 840
#22 g_signal_emit_valist
at gsignal.c line 3234
#23 g_signal_emit
at gsignal.c line 3382
#24 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#25 ??
from /usr/lib/libgtk-3.so.0
#26 ??
from /usr/lib/libgtk-3.so.0
#27 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#28 g_type_class_meta_marshalv
at gclosure.c line 997
#29 _g_closure_invoke_va
at gclosure.c line 840
#30 g_signal_emit_valist
at gsignal.c line 3234
#31 g_signal_emit
at gsignal.c line 3382
#32 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#33 ??
from /usr/lib/libgtk-3.so.0
#34 ??
from /usr/lib/libgtk-3.so.0
#35 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#36 g_type_class_meta_marshalv
at gclosure.c line 997
#37 _g_closure_invoke_va
at gclosure.c line 840
#38 g_signal_emit_valist
at gsignal.c line 3234
#39 g_signal_emit
at gsignal.c line 3382
#40 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#41 ??
from /usr/lib/libgtk-3.so.0
#42 ??
from /usr/lib/libgtk-3.so.0
#43 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#44 g_type_class_meta_marshalv
at gclosure.c line 997
#45 _g_closure_invoke_va
at gclosure.c line 840
#46 g_signal_emit_valist
at gsignal.c line 3234
#47 g_signal_emit
at gsignal.c line 3382
#48 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#49 ??
from /usr/lib/libgtk-3.so.0
#50 ??
from /usr/lib/libgtk-3.so.0
#51 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#52 g_type_class_meta_marshalv
at gclosure.c line 997
#53 _g_closure_invoke_va
at gclosure.c line 840
#54 g_signal_emit_valist
at gsignal.c line 3234
#55 g_signal_emit
at gsignal.c line 3382
#56 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#57 ??
from /usr/lib/libgtk-3.so.0
#58 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#59 g_type_class_meta_marshalv
at gclosure.c line 997
#60 _g_closure_invoke_va
at gclosure.c line 840
#61 g_signal_emit_valist
at gsignal.c line 3234
#62 g_signal_emit
at gsignal.c line 3382
#63 gtk_widget_map
from /usr/lib/libgtk-3.so.0
#64 ??
from /usr/lib/libgtk-3.so.0
#65 g_cclosure_marshal_VOID__VOID
at gmarshal.c line 85
#66 g_type_class_meta_marshal
at gclosure.c line 970
#67 g_closure_invoke
at gclosure.c line 777
#68 signal_emit_unlocked_R
at gsignal.c line 3512
#69 g_signal_emit_valist
at gsignal.c line 3326
#70 g_signal_emit
at gsignal.c line 3382
#71 gtk_widget_show
from /usr/lib/libgtk-3.so.0
#72 show_gui
at wbc-gtk.c line 2528
#73 g_idle_dispatch
at gmain.c line 5235
#74 g_main_dispatch
at gmain.c line 3058
#75 g_main_context_dispatch
at gmain.c line 3634
#76 g_main_context_iterate
at gmain.c line 3705
#77 g_main_context_iteration
at gmain.c line 3766
#78 gtk_main_iteration_do
from /usr/lib/libgtk-3.so.0
#79 handle_paint_events
at main-application.c line 115
#80 main
at main-application.c line 346


--
Juha Kylmänen
Research Assistant, OUSPG

Comment 1 Jean Bréfort 2013-06-26 07:09:40 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.