Bug 708562 - Null pointer crash in gog_moving_avg_update on a fuzzed gnumeric file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export other
Version: git master
OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Morten Welinder
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2013-09-22 08:07 UTC by jutaky
Modified: 2013-09-23 07:07 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2013-09-22 08:07:17 UTC
Null pointer crash in gog_moving_avg_update on a fuzzed gnumeric file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_13192_2829.gnumeric

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe54d2b55 in gog_moving_avg_update (obj=0x8b76c0) at gog-moving-avg.c:143
143			if (!go_finite (x_vals[i]) || !go_finite (y_vals[i])) {
(gdb) bt
#0  gog_moving_avg_update at gog-moving-avg.c:143
#1  gog_object_update at graph/gog-object.c:1596
#2  gog_object_update at graph/gog-object.c:1589
#3  gog_object_update at graph/gog-object.c:1589
#4  gog_object_update at graph/gog-object.c:1589
#5  gog_object_update at graph/gog-object.c:1589
#6  cb_graph_idle at graph/gog-graph.c:848
#7  g_idle_dispatch at gmain.c:5250
#8  g_main_dispatch at gmain.c:3065
#9  g_main_context_dispatch at gmain.c:3641
#10 g_main_context_iterate at gmain.c:3712
#11 g_main_context_iteration at gmain.c:3773
#12 gtk_main_iteration_do from /usr/lib/libgtk-3.so.0
#13 handle_paint_events at main-application.c:115
#14 main at main-application.c:346

==16597== Invalid read of size 8
==16597==    at 0x26BD8B55: gog_moving_avg_update (gog-moving-avg.c:143)
==16597==    by 0x587FD38: gog_object_update (gog-object.c:1596)
==16597==    by 0x587FC22: gog_object_update (gog-object.c:1589)
==16597==    by 0x587FC22: gog_object_update (gog-object.c:1589)
==16597==    by 0x587FC22: gog_object_update (gog-object.c:1589)
==16597==    by 0x587FC22: gog_object_update (gog-object.c:1589)
==16597==    by 0x5890253: cb_graph_idle (gog-graph.c:848)
==16597==    by 0x93875BE: g_idle_dispatch (gmain.c:5250)
==16597==    by 0x9384DC2: g_main_dispatch (gmain.c:3065)
==16597==    by 0x9385B19: g_main_context_dispatch (gmain.c:3641)
==16597==    by 0x9385D0B: g_main_context_iterate (gmain.c:3712)
==16597==    by 0x9385DCF: g_main_context_iteration (gmain.c:3773)
==16597==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

--
Juha Kylmänen
Research Assistant, OUSPG
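The valgrind lines in the report put the faulting read at address 0 inside the loop at gog-moving-avg.c:143, which means the x or y value array that the fuzzed file produced was NULL and the loop dereferenced it. As an added illustration (written for this page, not goffice's code or its actual fix), here is a hypothetical moving-average routine of the same shape that validates the series data before touching it; the function names and the sample data are assumptions.

```c
#include <math.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical moving-average update (not goffice's gog_moving_avg_update).
 * Like the loop in the backtrace it walks parallel x/y arrays and skips
 * non-finite points; unlike a bare loop it first checks that the series
 * data exists, so a file that yields no values gives no output instead of
 * a read of address 0. Returns the number of points written to out_x/out_y. */
size_t moving_avg_update(const double *x_vals, const double *y_vals, size_t n,
                         size_t span, double *out_x, double *out_y, size_t out_cap)
{
    if (x_vals == NULL || y_vals == NULL || out_x == NULL || out_y == NULL)
        return 0;                           /* absent series: nothing to plot */
    if (span == 0 || n == 0)
        return 0;
    double *window = malloc(span * sizeof *window);   /* last `span` finite y */
    if (window == NULL)
        return 0;
    double sum = 0.0;
    size_t filled = 0, head = 0, produced = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isfinite(x_vals[i]) || !isfinite(y_vals[i]))
            continue;                       /* holes are skipped, not averaged */
        if (filled == span)
            sum -= window[head];            /* drop the oldest value */
        else
            filled++;
        window[head] = y_vals[i];
        sum += y_vals[i];
        head = (head + 1) % span;
        if (filled == span && produced < out_cap) {
            out_x[produced] = x_vals[i];
            out_y[produced] = sum / (double)span;
            produced++;
        }
    }
    free(window);
    return produced;
}

/* Constructed sample: a NAN hole in y, span 3. With drop_x set the x series
 * is passed as NULL, the situation the crash report describes. Returns the
 * number of averaged points. */
size_t demo_run(int drop_x, double out_x[8], double out_y[8])
{
    double x[] = {1, 2, 3, 4, 5, 6}, y[] = {1, 2, NAN, 4, 5, 6};
    return moving_avg_update(drop_x ? NULL : x, y, 6, 3, out_x, out_y, 8);
}
```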
Comment 1 Jean Bréfort 2013-09-23 07:07:08 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.