Bug 705421 - Segfault in go_format_token2 on saving a fuzzed ods file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Andreas J. Guelzow
Jody Goldberg
Depends on:
Blocks:
Reported: 2013-08-03 19:15 UTC by jutaky
Modified: 2013-08-03 20:50 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2013-08-03 19:15:43 UTC
Segfault in go_format_token2 on saving a fuzzed ods file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_4266_120.2ods.ods

Backtrace from "ssconvert gnumeric_case_4266_120.2ods.ods out.ods"

0x00007ffff755555f in go_format_token2 (pstr=0x7fffffffddf0, ptt=0x7fffffffddec, localized=0) at utils/go-format.c:922
922		t = *(guchar *)str;
(gdb) bt
#0  go_format_token2 at utils/go-format.c:922
#1  go_format_token at utils/go-format.c:1122
#2  go_format_output_number_to_odf at utils/go-format.c:8089
#3  go_format_output_to_odf at utils/go-format.c:8683
#4  odf_write_xl_style at openoffice-write.c:4884
#5  odf_write_this_xl_style_neg at openoffice-write.c:4898
#6  g_hash_table_foreach at ghash.c:1526
#7  odf_write_office_styles at openoffice-write.c:5295
#8  odf_write_styles at openoffice-write.c:5529
#9  openoffice_file_save_real at openoffice-write.c:8347
#10 odf_file_save at openoffice-write.c:8442
#11 go_plugin_loader_module_func_file_save at app/go-plugin-loader-module.c:366
#12 go_plugin_file_saver_save at app/go-plugin-service.c:948
#13 go_file_saver_save at app/file.c:848
#14 wbv_save_to_output at workbook-view.c:1055
#15 wb_view_save_to_uri at workbook-view.c:1092
#16 wb_view_save_as at workbook-view.c:1128
#17 convert at ssconvert.c:788
#18 main at ssconvert.c:855

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-08-03 20:50:11 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.