Bug 750043 - Heap-buffer overread in excel/ms-excel-read.c:485 on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
Reported: 2015-05-28 14:56 UTC by jutaky
Modified: 2015-06-01 12:32 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Proposed patch (514 bytes, patch) - 2015-05-30 14:17 UTC, Jean Bréfort

Description jutaky 2015-05-28 14:56:52 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_ms-excel-read.c.485.xls

$ ssconvert gnumeric_case_ms-excel-read.c.485.xls /tmp/out.gnumeric

==25347==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b0702 at pc 0x7f5388fb23fe bp 0x7fffa1c0a3a0 sp 0x7fffa1c0a390
READ of size 1 at 0x6020001b0702 thread T0
    #0 0x7f5388fb23fd in excel_fill_bmp_header gnumeric/gnumeric/plugins/excel/ms-excel-read.c:485
    #1 0x7f5388fb23fd in excel_read_os2bmp gnumeric/gnumeric/plugins/excel/ms-excel-read.c:4412
    #2 0x7f5388fb23fd in excel_read_IMDATA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:4449
    #3 0x7f5388fbfb2e in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6741
    #4 0x7f5388fc564d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7070
    #5 0x7f5388fc8815 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7176
    #6 0x7f5388f773e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #7 0x7f5388f77b33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #8 0x7f53acac9337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #9 0x7f53acad1e48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #10 0x7f53acad779c in go_file_opener_open app/file.c:417
    #11 0x7f53ad8b4096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #12 0x7f53ad8b4427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #13 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #14 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #15 0x7f53a6ede7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #16 0x4049c8 in _start (apps/bin/ssconvert+0x4049c8)

0x6020001b0702 is located 6 bytes to the right of 12-byte region [0x6020001b06f0,0x6020001b06fc)
allocated by thread T0 here:
    #0 0x7f53ae30b7a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7f53a74d9b7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f5388f7c44b in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:486
    #3 0x7f5388fbf5aa in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6603
    #4 0x7f5388fc564d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7070
    #5 0x7f5388fc8815 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7176
    #6 0x7f5388f773e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #7 0x7f5388f77b33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #8 0x7f53acac9337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #9 0x7f53acad1e48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #10 0x7f53acad779c in go_file_opener_open app/file.c:417
    #11 0x7f53ad8b4096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #12 0x7f53ad8b4427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #13 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #14 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #15 0x7f53a6ede7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-excel-read.c:485 excel_fill_bmp_header

--
Juha Kylmänen
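The trace above says the BIFF layer (ms_biff_query_next) handed excel_fill_bmp_header a 12-byte record buffer and the header filler read byte 18 of it: the reader trusted the fixed BMP header layout instead of the record length it was given. What follows is an added example, not Gnumeric's code and not the attached patch: a bounds-checked header filler for the standard BMP file header followed by either a 12-byte BITMAPCOREHEADER or a 40-byte-or-larger BITMAPINFOHEADER, plus a truncation sweep that runs every proper prefix of a constructed valid header through an exact-size heap copy, so that under AddressSanitizer any remaining overread would land outside the allocation and be reported the way the one above was. The struct, field names, status codes and the sample bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed header; names are this example's, not Gnumeric's. */
typedef struct {
    uint32_t file_size;    /* bfSize */
    uint32_t pixel_offset; /* bfOffBits */
    uint32_t header_size;  /* 12 = BITMAPCOREHEADER, 40+ = BITMAPINFOHEADER and later */
    int32_t  width;
    int32_t  height;
    uint16_t bit_count;
} bmp_header;

enum bmp_status { BMP_OK = 0, BMP_TRUNCATED, BMP_BAD_MAGIC, BMP_BAD_HEADER };
enum { BMP_FILE_HDR = 14, BMP_CORE_HDR = 12, BMP_INFO_HDR = 40 };

static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill *h from a record of `len` bytes. Every read is preceded by a check
 * against len, so a 12-byte record (the region size in the ASan report
 * above) is rejected instead of being read at offset 18. */
enum bmp_status fill_bmp_header(const uint8_t *data, size_t len, bmp_header *h)
{
    memset(h, 0, sizeof *h);
    /* need the 14-byte file header plus the 4-byte DIB header size after it */
    if (len < BMP_FILE_HDR + 4)
        return BMP_TRUNCATED;
    if (data[0] != 'B' || data[1] != 'M')
        return BMP_BAD_MAGIC;
    h->file_size    = rd_u32le(data + 2);
    h->pixel_offset = rd_u32le(data + 10);
    h->header_size  = rd_u32le(data + 14);

    if (h->header_size == BMP_CORE_HDR) {          /* OS/2 style: 16-bit dimensions */
        if (len < BMP_FILE_HDR + BMP_CORE_HDR)
            return BMP_TRUNCATED;
        h->width     = rd_u16le(data + 18);
        h->height    = rd_u16le(data + 20);
        h->bit_count = rd_u16le(data + 24);
    } else if (h->header_size >= BMP_INFO_HDR) {   /* Windows style: 32-bit dimensions */
        if (len < BMP_FILE_HDR + BMP_INFO_HDR)
            return BMP_TRUNCATED;
        h->width     = (int32_t)rd_u32le(data + 18);
        h->height    = (int32_t)rd_u32le(data + 22);
        h->bit_count = rd_u16le(data + 28);
    } else {
        return BMP_BAD_HEADER;                     /* no known DIB header is this small */
    }
    /* The declared DIB header must itself fit in the record, so later code
     * that skips header_size bytes cannot walk off the end either. */
    if (h->header_size > len - BMP_FILE_HDR)
        return BMP_TRUNCATED;
    return BMP_OK;
}

/* Constructed sample: a minimal valid OS/2-style header (file header +
 * BITMAPCOREHEADER), 26 bytes, declaring a 4x2 image at 24 bpp. */
static const uint8_t sample_core_bmp[26] = {
    'B', 'M',        /* magic */
    26, 0, 0, 0,     /* bfSize */
    0, 0, 0, 0,      /* reserved */
    26, 0, 0, 0,     /* bfOffBits */
    12, 0, 0, 0,     /* bcSize = 12 */
    4, 0,            /* bcWidth */
    2, 0,            /* bcHeight */
    1, 0,            /* bcPlanes */
    24, 0            /* bcBitCount */
};

/* Parse the first n bytes of the sample through an exact-size heap copy,
 * so that an overread would fall outside the allocation and trip ASan. */
enum bmp_status parse_sample_prefix(size_t n, bmp_header *out)
{
    bmp_header h;
    enum bmp_status st;
    uint8_t *copy;
    if (n > sizeof sample_core_bmp)
        n = sizeof sample_core_bmp;
    copy = malloc(n ? n : 1);
    if (!copy)
        return BMP_TRUNCATED;
    memcpy(copy, sample_core_bmp, n);
    st = fill_bmp_header(copy, n, &h);
    free(copy);
    if (out)
        *out = h;
    return st;
}

/* Truncation sweep: every proper prefix of the sample must come back as truncated. */
size_t count_truncations_rejected(void)
{
    size_t rejected = 0;
    for (size_t n = 0; n < sizeof sample_core_bmp; n++)
        if (parse_sample_prefix(n, NULL) == BMP_TRUNCATED)
            rejected++;
    return rejected;
}

int main(void)
{
    bmp_header h;
    enum bmp_status st = parse_sample_prefix(sizeof sample_core_bmp, &h);
    printf("full header: status %d, %dx%d @ %u bpp\n", st, h.width, h.height, h.bit_count);
    printf("12-byte record: status %d\n", parse_sample_prefix(12, NULL));
    printf("truncated prefixes rejected: %zu of %zu\n", count_truncations_rejected(), sizeof sample_core_bmp);
    return 0;
}
```

Build it with `-fsanitize=address` and the sweep doubles as a regression check: if a length check is removed from fill_bmp_header, one of the prefixes is read past its exact-size allocation and ASan reports a heap-buffer-overflow of the same shape as the one in this bug.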
Comment 1 Jean Bréfort 2015-05-30 14:17:14 UTC
Created attachment 304309 [details] [review]
Proposed patch

Please review.
Comment 2 Morten Welinder 2015-06-01 12:32:53 UTC
There were a few more things that needed fixing here.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.