Bug 749234 - Null pointer crashes on xls to xlsx/xls/ods conversions
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Reported: 2015-05-11 17:16 UTC by jutaky
Modified: 2015-05-12 01:13 UTC

Description jutaky 2015-05-11 17:16:57 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24025_15930.2xls2ods2xlsx.xls

$ ssconvert gnumeric_case_24025_15930.2xls2ods2xlsx.xls /tmp/out.xls

==30356==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f23e0179da1 sp 0x7ffcee2e94f0 bp 0x7ffcee2e9530 T0)
    #0 0x7f23e0179da0 in xls_write_pivot_cache_value gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:109
    #1 0x7f23e017b605 in xls_write_cache_row gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:252
    #2 0x7f23e017b8b4 in xls_write_pivot_cache gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:286
    #3 0x7f23e017bc8a in xls_write_pivot_caches gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:315
    #4 0x7f23e00fcb40 in excel_write_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6586
    #5 0x7f23e0057253 in excel_save gnumeric/gnumeric/plugins/excel/boot.c:304
    #6 0x7f23e00576fb in excel_biff8_file_save gnumeric/gnumeric/plugins/excel/boot.c:350
    #7 0x7f2404ec80f8 in go_plugin_loader_module_func_file_save app/go-plugin-loader-module.c:366
    #8 0x7f2404ecf50a in go_plugin_file_saver_save app/go-plugin-service.c:948
    #9 0x7f2404ed83ec in go_file_saver_save app/file.c:848
    #10 0x7f2405db1a21 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059
    #11 0x7f2405db1edb in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093
    #12 0x7f2405db244d in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129
    #13 0x408c24 in convert gnumeric/gnumeric/src/ssconvert.c:831
    #14 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #15 0x7f23fe4e37ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #16 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:109 xls_write_pivot_cache_value

$ ssconvert gnumeric_case_24025_15930.2xls2ods2xlsx.xls /tmp/out.xlsx

==31178==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a2f525a71 sp 0x7fff439e6700 bp 0x7fff439e6730 T0)
    #0 0x7f1a2f525a70 in xlsx_write_pivot_val gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:40
    #1 0x7f1a2f5263e3 in xlsx_write_pivot_cache_records gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:123
    #2 0x7f1a2f5276b1 in xlsx_write_pivot_cache_definition gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:267
    #3 0x7f1a2f527f6e in xlsx_write_pivots gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:329
    #4 0x7f1a2f52b2a6 in xlsx_write_workbook gnumeric/gnumeric/plugins/excel/xlsx-write.c:3108
    #5 0x7f1a2f52c805 in xlsx2_file_save gnumeric/gnumeric/plugins/excel/xlsx-write.c:3267
    #6 0x7f1a541f50f8 in go_plugin_loader_module_func_file_save app/go-plugin-loader-module.c:366
    #7 0x7f1a541fc50a in go_plugin_file_saver_save app/go-plugin-service.c:948
    #8 0x7f1a542053ec in go_file_saver_save app/file.c:848
    #9 0x7f1a550dea21 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059
    #10 0x7f1a550deedb in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093
    #11 0x7f1a550df44d in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129
    #12 0x408c24 in convert gnumeric/gnumeric/src/ssconvert.c:831
    #13 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #14 0x7f1a4d8107ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #15 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:40 xlsx_write_pivot_val

$ ssconvert gnumeric_case_24025_15930.2xls2ods2xlsx.xls /tmp/out.ods

==32189==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fca6393eb79 sp 0x7fff09631c90 bp 0x7fff09631cb0 T0)
    #0 0x7fca6393eb78 in value_release gnumeric/gnumeric/src/value.c:563
    #1 0x7fca6358b725 in go_data_cache_finalize gnumeric/gnumeric/src/go-data-cache.c:114
    #2 0x7fca5cbb8382 in g_object_unref gnumeric/glib/gobject/gobject.c:3174
    #3 0x7fca63594561 in go_data_slicer_set_cache gnumeric/gnumeric/src/go-data-slicer.c:155
    #4 0x7fca635939be in go_data_slicer_finalize gnumeric/gnumeric/src/go-data-slicer.c:70
    #5 0x7fca63598e99 in gnm_sheet_slicer_finalize gnumeric/gnumeric/src/gnm-sheet-slicer.c:95
    #6 0x7fca5cbb8382 in g_object_unref gnumeric/glib/gobject/gobject.c:3174
    #7 0x7fca6359a9f7 in gnm_sheet_slicer_clear_sheet gnumeric/gnumeric/src/gnm-sheet-slicer.c:222
    #8 0x7fca5c6a8c7f in g_slist_foreach gnumeric/glib/glib/gslist.c:878
    #9 0x7fca5c6a83f0 in g_slist_free_full gnumeric/glib/glib/gslist.c:172
    #10 0x7fca63832d6f in sheet_destroy_contents gnumeric/gnumeric/src/sheet.c:4514
    #11 0x7fca6394b4c1 in workbook_dispose gnumeric/gnumeric/src/workbook.c:169
    #12 0x7fca5cbb8289 in g_object_unref gnumeric/glib/gobject/gobject.c:3137
    #13 0x408c6f in convert gnumeric/gnumeric/src/ssconvert.c:835
    #14 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #15 0x7fca5c0927ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #16 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/value.c:563 value_release

Many crashes, a single cause?

--
Juha Kylmänen
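
Added triage example (not part of the original report and not Gnumeric code): a small parser that reduces the three AddressSanitizer reports above to comparable crash signatures. The function names parse_report, signature and bucket are illustrative, and the embedded text is the header and top two frames of each report.

```python
import re
from collections import defaultdict

# Header and top two frames of each report above; keys are the output formats.
REPORTS = {
    "xls": """==30356==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f23e0179da1 sp 0x7ffcee2e94f0 bp 0x7ffcee2e9530 T0)
    #0 0x7f23e0179da0 in xls_write_pivot_cache_value gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:109
    #1 0x7f23e017b605 in xls_write_cache_row gnumeric/gnumeric/plugins/excel/xls-write-pivot.c:252""",
    "xlsx": """==31178==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a2f525a71 sp 0x7fff439e6700 bp 0x7fff439e6730 T0)
    #0 0x7f1a2f525a70 in xlsx_write_pivot_val gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:40
    #1 0x7f1a2f5263e3 in xlsx_write_pivot_cache_records gnumeric/gnumeric/plugins/excel/xlsx-write-pivot.c:123""",
    "ods": """==32189==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fca6393eb79 sp 0x7fff09631c90 bp 0x7fff09631cb0 T0)
    #0 0x7fca6393eb78 in value_release gnumeric/gnumeric/src/value.c:563
    #1 0x7fca6358b725 in go_data_cache_finalize gnumeric/gnumeric/src/go-data-cache.c:114""",
}

HEADER = re.compile(r"AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?$", re.M)

def parse_report(text):
    """Return fault kind, fault address and the (function, file, line) frames."""
    kind, addr = HEADER.search(text).groups()
    frames = [(fn, path, int(line) if line else None)
              for fn, path, line in FRAME.findall(text)]
    return {"kind": kind, "addr": int(addr, 16), "frames": frames}

def signature(report, depth=2):
    """Stable bucket key: fault kind, NULL-page flag, top function names.
    Raw pc/sp/bp values are left out because ASLR changes them per run."""
    null_page = report["addr"] < 0x1000
    return (report["kind"], null_page,
            tuple(fn for fn, _, _ in report["frames"][:depth]))

def bucket(reports, depth=2):
    """Group report names by signature."""
    groups = defaultdict(list)
    for name, text in reports.items():
        groups[signature(parse_report(text), depth)].append(name)
    return dict(groups)

if __name__ == "__main__":
    for sig, names in bucket(REPORTS).items():
        print(names, sig)
```

With the default depth the three conversions land in three buckets because the faulting functions differ; with depth=0 they collapse into a single NULL-page SEGV class, which is as far as stack-based deduplication alone goes toward the "single cause" question.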

Comment 1 Morten Welinder 2015-05-12 01:13:44 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.