GNOME Bugzilla – Bug 720355
Heap-buffer overread in make_path_linear on a fuzzed .gnumeric file
Last modified: 2013-12-13 13:56:38 UTC
Heap-buffer overread in make_path_linear on a fuzzed .gnumeric file. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2339_145692.gnumeric

==3018== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600400486d18 at pc 0x7faf11b79241 bp 0x7fff325680c0 sp 0x7fff325680b8
READ of size 8 at 0x600400486d18 thread T0
    #0 0x7faf11b79240 in make_path_linear /goffice/goffice/graph/gog-chart-map.c:249
    #1 0x7faf11b81175 in polar_make_path /goffice/goffice/graph/gog-chart-map.c:771
    #2 0x7faf11b8470a in gog_chart_map_make_path /goffice/goffice/graph/gog-chart-map.c:1141
    #3 0x7faef081ccff in gog_rt_view_render /goffice/plugins/plot_radar/gog-radar.c:880
    #4 0x7faf11b4d359 in gog_view_render /goffice/goffice/graph/gog-view.c:894
    #5 0x7faf11b755f9 in gog_chart_view_render /goffice/goffice/graph/gog-chart.c:1483
    #6 0x7faf11b4d359 in gog_view_render /goffice/goffice/graph/gog-view.c:894
    #7 0x7faf11b5bb5e in gog_graph_view_render /goffice/goffice/graph/gog-graph.c:1029
    #8 0x7faf11b4d23b in gog_view_render /goffice/goffice/graph/gog-view.c:889
    #9 0x7faf11caba2f in gog_renderer_update /goffice/goffice/graph/gog-renderer.c:1414
    #10 0x7faf11acb1a7 in goc_graph_update_bounds /goffice/goffice/canvas/goc-graph.c:222
[very long trace, skipping the rest]
0x600400486d18 is located 0 bytes to the right of 8-byte region [0x600400486d10,0x600400486d18)

--
Juha Kylmänen
Research Assistant, OUSPG
==4018== Invalid read of size 8
==4018==    at 0x5419587: make_path_linear (gog-chart-map.c:249)
==4018==    by 0x5419C86: polar_make_path (gog-chart-map.c:771)
==4018==    by 0x12F8A860: gog_rt_view_render (gog-radar.c:880)
==4018==    by 0x5417094: gog_chart_view_render (gog-chart.c:1485)
==4018==    by 0x5413C29: gog_graph_view_render (gog-graph.c:1029)
==4018==    by 0x54114C1: gog_view_render (gog-view.c:889)
==4018==    by 0x544D99B: gog_renderer_update (gog-renderer.c:1414)
==4018==    by 0x53FD23C: _goc_item_update_bounds (goc-item.c:309)
==4018==    by 0x53FD77F: goc_item_maybe_invalidate (goc-item.c:467)
==4018==    by 0x60B6931: g_object_set_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3800.1)
==4018==    by 0x53FDB89: goc_item_set (goc-item.c:376)
==4018==    by 0x4F69B39: so_graph_view_set_bounds (sheet-object-graph.c:67)
==4018==  Address 0xf85c458 is 0 bytes after a block of size 8 alloc'd
==4018==    at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4018==    by 0x633DDD0: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3800.1)
==4018==    by 0x4EFD235: gnm_go_data_vector_load_values (graph.c:690)
==4018==    by 0x54071B7: go_data_vector_get_values (go-data.c:817)
==4018==    by 0x12F8A79F: gog_rt_view_render (gog-radar.c:861)
==4018==    by 0x5417094: gog_chart_view_render (gog-chart.c:1485)
==4018==    by 0x5413C29: gog_graph_view_render (gog-graph.c:1029)
==4018==    by 0x54114C1: gog_view_render (gog-view.c:889)
==4018==    by 0x544D99B: gog_renderer_update (gog-renderer.c:1414)
==4018==    by 0x53FD23C: _goc_item_update_bounds (goc-item.c:309)
==4018==    by 0x53FD77F: goc_item_maybe_invalidate (goc-item.c:467)
==4018==    by 0x60B6931: g_object_set_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3800.1)
The number of elements in polar plot series is not correctly evaluated. This could occur with valid gnumeric files too (just build a polar plot with more values than angles). This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
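As an added illustration of the fix the maintainer describes (this is not goffice code), here is a C model in which the renderable length of a polar series is the shortest of its component vectors rather than the value count alone. The PolarSeries and PathElem types, the function names and the sample data are all constructed for this example.

```c
#include <stddef.h>

/* Constructed model of a polar series (not goffice's types): the angle and
 * value vectors are loaded separately from the file, so their lengths are
 * independent and controlled by whoever wrote the file. */
typedef struct {
    const double *angles;  size_t n_angles;
    const double *values;  size_t n_values;
} PolarSeries;

/* Path element; the polar-to-Cartesian maths is left out, the point here is
 * the element count. */
typedef struct { double angle, radius; } PathElem;

/* Unfixed count as the report describes it: taken from the value vector
 * alone, so angles[i] for i >= n_angles reads past the angle buffer. */
static size_t polar_len_unfixed(const PolarSeries *s) { return s->n_values; }

/* Fixed count: a series renders only as far as its shortest vector. */
static size_t polar_len_fixed(const PolarSeries *s)
{
    return s->n_angles < s->n_values ? s->n_angles : s->n_values;
}

/* Build the path into `out` (capacity `cap`); returns elements written.
 * Every index used is below both vector lengths. */
static size_t polar_make_path(const PolarSeries *s, PathElem *out, size_t cap)
{
    size_t n = polar_len_fixed(s);
    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++) {
        out[i].angle  = s->angles[i];
        out[i].radius = s->values[i];
    }
    return n;
}

/* Constructed sample mirroring the report: more values than angles. Returns
 * the number of path elements built and, via *overread, how many elements
 * past the angle buffer the unfixed count would have indexed. */
static size_t demo_path(size_t *overread)
{
    static const double angles[] = { 0.0, 90.0, 180.0 };
    static const double values[] = { 1.0, 2.0, 3.0, 4.0, 5.0 };
    PolarSeries s = { angles, 3, values, 5 };
    PathElem path[5];
    *overread = polar_len_unfixed(&s) - s.n_angles;
    return polar_make_path(&s, path, 5);
}
```

The same check applies to any pair of parallel vectors read from an untrusted document: the shared length must be recomputed after both are loaded, and a mismatch is a data error worth logging rather than something to iterate past.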