GNOME Bugzilla – Bug 712788
Use-after-free on exit on a fuzzed xlsx file
Last modified: 2013-11-21 14:47:04 UTC
Use-after-free on exit on a fuzzed xlsx file. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_255694.xlsx

==21903== ERROR: AddressSanitizer: heap-use-after-free on address 0x60180069b140 at pc 0x7f4959c42f1c bp 0x7fff635bec30 sp 0x7fff635bec28
READ of size 8 at 0x60180069b140 thread T0
    #0 0x7f4959c42f1b in gnm_func_get_name /gnumeric/src/func.c:1414
    #1 0x7f4959e2a40a in std_expr_func_handler /gnumeric/src/parse-util.c:1250
    #2 0x7f4959c07e46 in do_expr_as_string /gnumeric/src/expr.c:1740
    #3 0x7f4959c09358 in gnm_expr_as_string /gnumeric/src/expr.c:1850
    #4 0x7f4959c1b4c5 in cb_expression_pool_leak /gnumeric/src/expr.c:3428
    #5 0x7f4955138734 in g_slist_foreach /glib/glib/gslist.c:896
    #6 0x7f4959281184 in go_mem_chunk_foreach_leak /goffice/goffice/utils/go-glib-extras.c:723
    #7 0x7f4959c1b600 in expr_shutdown /gnumeric/src/expr.c:3438
    #8 0x7f4959d0ab55 in gnm_shutdown /gnumeric/src/libgnumeric.c:318
    #9 0x40b40b in main /gnumeric/src/main-application.c:393
    #10 0x7f4954817bc4 in __libc_start_main ??:?
    #11 0x403de8 in _start ??:?
ASAN:SIGSEGV

--
Juha Kylmänen
Research Assistant, OUSPG
It's crashing in the leak detector on exit. An expression has been leaked in this case and we crash while trying to print it. We live with this because the leak detector is so useful. It's on exit so no data is in danger. The fix will be to not leak.
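As an added illustration (not gnumeric's code), a small C model of the failure mode described above: a leaked expression still refers to a function descriptor that has already been freed by the time the shutdown leak walk prints it. The model's walk checks the descriptor's liveness before reading its name, and the test path also shows that releasing the expression (the "do not leak" fix) leaves the walk with nothing to print. The handle table and the names func_define, func_shutdown, expr_new, expr_free and expr_leak_report are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added model, not gnumeric code: function descriptors live in a table
 * that shutdown clears, and expressions refer to them by handle. */
#define MAX_FUNCS 4
#define MAX_EXPRS 8
typedef struct { char name[16]; int alive; } Func;
typedef struct { int func; } Expr;

static Func funcs[MAX_FUNCS];
static Expr *pool[MAX_EXPRS];   /* live expressions, like the mem chunk */
static int pool_len;

static void func_define(int h, const char *name) {
    snprintf(funcs[h].name, sizeof funcs[h].name, "%s", name);
    funcs[h].alive = 1;
}

/* Tears every descriptor down; the model runs this before the leak walk. */
static void func_shutdown(void) {
    for (int i = 0; i < MAX_FUNCS; i++) funcs[i].alive = 0;
}

static Expr *expr_new(int func_handle) {
    Expr *e = pool_len < MAX_EXPRS ? calloc(1, sizeof *e) : NULL;
    if (!e) return NULL;
    e->func = func_handle;
    pool[pool_len++] = e;
    return e;
}

static void expr_free(Expr *e) {
    for (int i = 0; i < pool_len; i++)
        if (pool[i] == e) { pool[i] = pool[--pool_len]; free(e); return; }
}

/* Leak walk that checks liveness before reading a descriptor's name. Returns
 * the leaked-expression count; *dangling counts those whose function is gone. */
static int expr_leak_report(int *dangling) {
    *dangling = 0;
    for (int i = 0; i < pool_len; i++) {
        int h = pool[i]->func;
        if (h < 0 || h >= MAX_FUNCS || !funcs[h].alive) {
            (*dangling)++;
            fprintf(stderr, "leaked expression -> <freed function>\n");
        } else
            fprintf(stderr, "leaked expression -> %s()\n", funcs[h].name);
    }
    return pool_len;
}
```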
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.