GNOME Bugzilla – Bug 749235
Heap-buffer overread in ms-excel-util.c on a fuzzed xls file
Last modified: 2015-05-12 01:30:42 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24050_123485.xls

$ ssconvert gnumeric_case_24050_123485.xls /tmp/out.gnumeric
==14421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300007793a at pc 0x7f5488ef13db bp 0x7ffff64ca520 sp 0x7ffff64ca510
READ of size 1 at 0x60300007793a thread T0
    #0 0x7f5488ef13da in xls_header_footer_import gnumeric/gnumeric/plugins/excel/ms-excel-util.c:767
    #1 0x7f5488f334cc in excel_read_HEADER_FOOTER gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6417
    #2 0x7f5488f36623 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6691
    #3 0x7f5488f399ee in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7077
    #4 0x7f5488f3ad06 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7183
    #5 0x7f5488ed4648 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #6 0x7f5488ed4f27 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #7 0x7f54add453af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #8 0x7f54add4b4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #9 0x7f54add53550 in go_file_opener_open app/file.c:417
    #10 0x7f54aec314ff in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #11 0x7f54aec31999 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #12 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #13 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #14 0x7f54a73617ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #15 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x60300007793a is located 0 bytes to the right of 26-byte region [0x603000077920,0x60300007793a)
allocated by thread T0 here:
    #0 0x7f54af71da86 in __interceptor_realloc (/usr/lib/libasan.so.1+0x57a86)
    #1 0x7f54a795cc5f in g_realloc gnumeric/glib/glib/gmem.c:162
    #2 0x7f5488efa94d in excel_get_chars gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1034
    #3 0x7f5488efaf46 in excel_get_text gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1082
    #4 0x7f5488efb7c1 in excel_biff_text_2 gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1149
    #5 0x7f5488f33342 in excel_read_HEADER_FOOTER gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6411
    #6 0x7f5488f36623 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6691
    #7 0x7f5488f399ee in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7077
    #8 0x7f5488f3ad06 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7183
    #9 0x7f5488ed4648 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #10 0x7f5488ed4f27 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #11 0x7f54add453af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #12 0x7f54add4b4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #13 0x7f54add53550 in go_file_opener_open app/file.c:417
    #14 0x7f54aec314ff in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #15 0x7f54aec31999 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #16 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #17 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #18 0x7f54a73617ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-excel-util.c:767 xls_header_footer_import

-- Juha Kylmänen
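The report above shows a 1-byte READ located 0 bytes past the end of a 26-byte realloc'd region, i.e. the header/footer importer looked one byte beyond a length-delimited text buffer. The following is an added illustration of that bug class, not Gnumeric's code and not the actual defect at ms-excel-util.c:767 (the page does not show that code). It assumes a simplified Excel-style header/footer syntax in which '&' introduces a one-character code and "&&" is a literal ampersand, scans an exactly-sized heap buffer with no NUL terminator, and places the unchecked lookahead beside a bounds-checked version that rejects a truncated escape instead of reading past the buffer:

```c
/* Added example: models a heap-buffer overread in a header/footer scanner.
 * The '&X' code syntax is an assumption for illustration; the real
 * Gnumeric parser is not reproduced here. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable scanner: counts '&X' codes in a len-byte buffer that is NOT
 * NUL-terminated. If the final byte is '&', it reads buf[len], a 1-byte
 * READ 0 bytes to the right of the region, the same shape ASan reports
 * in the trace above. */
int count_codes_unsafe(const char *buf, size_t len)
{
	int codes = 0;
	for (size_t i = 0; i < len; i++) {
		if (buf[i] != '&')
			continue;
		char next = buf[i + 1];      /* BUG: no check that i + 1 < len */
		if (next == '&') {           /* "&&" is a literal ampersand */
			i++;
			continue;
		}
		codes++;                     /* "&L", "&C", "&P", ... */
		i++;
	}
	return codes;
}

/* Hardened form: every lookahead is bounds-checked against len, and a
 * dangling '&' at end-of-buffer is reported as malformed input (-1)
 * rather than consumed. Fuzzed files should be rejected, not tolerated. */
int count_codes_safe(const char *buf, size_t len)
{
	int codes = 0;
	for (size_t i = 0; i < len; i++) {
		if (buf[i] != '&')
			continue;
		if (i + 1 >= len)
			return -1;               /* truncated escape: reject */
		char next = buf[i + 1];
		if (next == '&') {
			i++;
			continue;
		}
		codes++;
		i++;
	}
	return codes;
}

/* Mimics the allocation pattern in the trace: an exactly-sized heap region
 * obtained through realloc, with no trailing NUL. A read at p[len] lands
 * in the redzone and is what AddressSanitizer flags. */
char *copy_exact(const char *src, size_t len)
{
	char *p = realloc(NULL, len);
	if (p == NULL)
		abort();
	memcpy(p, src, len);
	return p;
}

int main(void)
{
	/* Constructed inputs, not taken from the fuzzed .xls file. */
	static const char good[] = "&Lleft&Cpage &P of &N&Rright && co";
	static const char bad[]  = "&Ltrailing&";   /* ends in a lone '&' */

	char *g = copy_exact(good, sizeof good - 1);
	char *b = copy_exact(bad, sizeof bad - 1);

	printf("good: unsafe=%d safe=%d\n",
	       count_codes_unsafe(g, sizeof good - 1),
	       count_codes_safe(g, sizeof good - 1));
	printf("bad:  safe=%d (rejected)\n",
	       count_codes_safe(b, sizeof bad - 1));

	/* Build with: cc -g -fsanitize=address example.c
	 * The next call reads b[11] of an 11-byte region and ASan reports
	 * heap-buffer-overflow, READ of size 1, 0 bytes to the right. */
	printf("bad:  unsafe=%d\n", count_codes_unsafe(b, sizeof bad - 1));

	free(g);
	free(b);
	return 0;
}
```

The point for triage is that the exact-size realloc plus a length-unaware lookahead is enough to produce the "0 bytes to the right of N-byte region" signature; a parser over BIFF string payloads has to treat the record length, not a terminator, as the only boundary.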
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.