Bug 750042 – Null pointer crash in excel/ms-escher.c:372 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 750042 - Null pointer crash in excel/ms-escher.c:372 on a fuzzed xls file


Summary:	Null pointer crash in excel/ms-escher.c:372 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-05-28 14:55 UTC by jutaky
Modified:	2015-05-30 12:51 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-05-28 14:55:53 UTC

Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_ms-escher.c.372.xls

$ ssconvert gnumeric_case_ms-escher.c.372.xls /tmp/out.gnumeric

==23353==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f76c6258222 sp 0x7fff94ee4790 bp 0x7fff94ee48c0 T0)
    #0 0x7f76c6258221 in ms_escher_read_BSE gnumeric/gnumeric/plugins/excel/ms-escher.c:372
    #1 0x7f76c6256c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #2 0x7f76c62580ac in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:555
    #3 0x7f76c6256c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #4 0x7f76c625804c in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1989
    #5 0x7f76c6256c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #6 0x7f76c6257fec in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1994
    #7 0x7f76c6256c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #8 0x7f76c625e3ab in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2224
    #9 0x7f76c628fcb5 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6776
    #10 0x7f76c629464d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7070
    #11 0x7f76c6297815 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7176
    #12 0x7f76c62463e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #13 0x7f76c6246b33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #14 0x7f76e9d98337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #15 0x7f76e9da0e48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #16 0x7f76e9da679c in go_file_opener_open app/file.c:417
    #17 0x7f76eab83096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #18 0x7f76eab83427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #19 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #20 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #21 0x7f76e41ad7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #22 0x4049c8 in _start (apps/bin/ssconvert+0x4049c8)

--
Juha Kylmänen

Comment 1 Jean Bréfort 2015-05-30 12:51:57 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.