After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 704102 - Segfault in sc_parse_format_set_type on a corrupted (fuzzed) sc file
Segfault in sc_parse_format_set_type on a corrupted (fuzzed) sc file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export other
git master
Other Linux
: Normal critical
: ---
Assigned To: Morten Welinder
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-07-12 14:40 UTC by jutaky
Modified: 2013-07-15 18:32 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-07-12 14:40:22 UTC 
Segfault in sc_parse_format_set_type on a corrupted (fuzzed) sc file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_1483_3.sc

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe6a9debf in sc_parse_format_set_type (state=0x7fffffffe3d0, type=-119581439, col_from=228, col_to=228) at sc.c:467
467		char const *o_format = g_ptr_array_index(state->formats, type);
(gdb) bt

+ Trace 232231

  • #0 sc_parse_format_set_type
    at sc.c line 467
  • #1 sc_parse_format
    at sc.c line 528
  • #2 sc_parse_line
    at sc.c line 905
  • #3 sc_parse_sheet
    at sc.c line 929
  • #4 sc_file_open
    at sc.c line 1036
  • #5 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #6 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #7 go_file_opener_open
    at app/file.c line 417
  • #8 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #9 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #10 main
    at main-application.c line 321 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-07-15 18:32:59 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.