After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 703306 - Range bigger than sheet on a corrupted (fuzzed) xls file
Range bigger than sheet on a corrupted (fuzzed) xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-06-29 11:18 UTC by jutaky
Modified: 2013-07-12 15:41 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-06-29 11:18:45 UTC 
Heap-buffer-overflow, identified by Address Sanitizer, in g_hash_table_lookup_node on a corrupted (fuzzed) xls file

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Seems to affect gnumeric 1.12.2 as well.

Test case: http://jutaky.com/fuzzing/gnumeric_case_30057_51729.xls

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3b31eac in g_hash_table_lookup_node (hash_table=0x71, key=0x7fffffffdcc0, hash_return=0x7fffffffdc88) at ghash.c:365
365	  hash_value = hash_table->hash_func (key);
(gdb) bt

+ Trace 232167

  • #0 g_hash_table_lookup_node
    at ghash.c line 365
  • #1 g_hash_table_lookup
    at ghash.c line 1076
  • #2 link_range_dep
    at dependent.c line 950
  • #3 link_unlink_range_dep
    at dependent.c line 1001
  • #4 link_unlink_cellrange_dep
    at dependent.c line 1042
  • #5 link_unlink_expr_dep
    at dependent.c line 1068
  • #6 link_unlink_expr_dep
    at dependent.c line 1092
  • #7 link_unlink_expr_dep
    at dependent.c line 1057
  • #8 link_unlink_expr_dep
    at dependent.c line 1092
  • #9 dependent_link
    at dependent.c line 1504
  • #10 gnm_cell_set_expr_and_value
    at cell.c line 194
  • #11 excel_read_FORMULA
    at ms-excel-read.c line 3031
  • #12 excel_read_sheet
    at ms-excel-read.c line 6566
  • #13 excel_read_BOF
    at ms-excel-read.c line 6990
  • #14 excel_read_workbook
    at ms-excel-read.c line 7080
  • #15 excel_enc_file_open
    at boot.c line 193
  • #16 excel_file_open
    at boot.c line 250
  • #17 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #18 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #19 go_file_opener_open
    at app/file.c line 417
  • #20 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #21 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #22 main
    at main-application.c line 321 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 jutaky 2013-07-09 14:25:47 UTC 
Has this report fallen through cracks? :)
Comment 2 Morten Welinder 2013-07-09 15:46:39 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
Comment 3 Morten Welinder 2013-07-09 15:47:57 UTC 
Bugzilla doesn't have cracks.  On the other hand, we have been known to
take 10+ years to get around fixing things.
Comment 4 jutaky 2013-07-12 14:26:21 UTC 
Got a test case which produces similar backtrace.

A new bug which crashes at the same place or the same one?

http://jutaky.com/fuzzing/gnumeric_case_1226_12520.gnumeric

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3b2feac in g_hash_table_lookup_node (hash_table=0x91, key=0x7fffffffd8f0, hash_return=0x7fffffffd8b8) at ghash.c:365
365	  hash_value = hash_table->hash_func (key);
(gdb) bt

+ Trace 232230

  • #0 g_hash_table_lookup_node
    at ghash.c line 365
  • #1 g_hash_table_lookup
    at ghash.c line 1076
  • #2 link_range_dep
    at dependent.c line 950
  • #3 link_unlink_range_dep
    at dependent.c line 1001
  • #4 link_unlink_cellrange_dep
    at dependent.c line 1039
  • #5 link_unlink_expr_dep
    at dependent.c line 1068
  • #6 link_unlink_expr_dep
    at dependent.c line 1092
  • #7 dependent_link
    at dependent.c line 1504
  • #8 gnm_cell_set_expr
    at cell.c line 265
  • #9 xml_sax_cell_content
    at xml-sax-read.c line 2083
  • #10 gsf_xml_in_end_element
    at gsf-libxml.c line 844
  • #11 xmlParseEndTag1
    at parser.c line 8683
  • #12 xmlParseElement__internal_alias
    at parser.c line 10086
  • #13 xmlParseContent__internal_alias
    at parser.c line 9885
  • #14 xmlParseElement__internal_alias
    at parser.c line 10058
  • #15 xmlParseContent__internal_alias
    at parser.c line 9885
  • #16 xmlParseElement__internal_alias
    at parser.c line 10058
  • #17 xmlParseContent__internal_alias
    at parser.c line 9885
  • #18 xmlParseElement__internal_alias
    at parser.c line 10058
  • #19 xmlParseContent__internal_alias
    at parser.c line 9885
  • #20 xmlParseElement__internal_alias
    at parser.c line 10058
  • #21 xmlParseDocument__internal_alias
    at parser.c line 10742
  • #22 gsf_xml_in_doc_parse
    at gsf-libxml.c line 1289
  • #23 read_file_common
    at xml-sax-read.c line 3350
  • #24 gnm_xml_file_open
    at xml-sax-read.c line 3479
  • #25 go_file_opener_open_real
    at app/file.c line 159
  • #26 go_file_opener_open
    at app/file.c line 417
  • #27 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #28 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #29 main
    at main-application.c line 321 






Comment 5


Morten Welinder





          2013-07-12 15:20:29 UTC
        



Same victim, different cause.  Will look.






Comment 6


Morten Welinder





          2013-07-12 15:41:49 UTC
        



New problem is different and has little to do with fuzzing.  It is
now bug 704109.

Closing this.