GNOME Bugzilla – Bug 750046
Segfault in pango_attr_list_ref on a fuzzed xls file
Last modified: 2015-06-01 15:03:59 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2. Another pango case it seems.

Test case: http://jutaky.com/fuzzing/gnumeric_case_pango_attr_list_ref.xls

$ ssconvert gnumeric_case_pango_attr_list_ref.xls /tmp/out.gnumeric
==31643==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe70000005d (pc 0x7fe7f03a9748 sp 0x7ffc1cbf5e48 bp 0x7ffc1cbf5e70 T0)
    #0 0x7fe7f03a9747 in pango_attr_list_ref (/usr/lib/libpango-1.0.so.0+0x15747)
    #1 0x7fe7d01ea5eb in ms_obj_attr_new_markup gnumeric/gnumeric/plugins/excel/ms-obj.c:141
    #2 0x7fe7d015fb73 in ms_escher_read_ClientTextbox gnumeric/gnumeric/plugins/excel/ms-escher.c:2023
    #3 0x7fe7d0160c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #4 0x7fe7d01620ac in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:555
    #5 0x7fe7d0160c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #6 0x7fe7d016204c in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1989
    #7 0x7fe7d0160c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #8 0x7fe7d0161fec in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1994
    #9 0x7fe7d0160c8b in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #10 0x7fe7d01683ab in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2224
    #11 0x7fe7d0199cb5 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6776
    #12 0x7fe7d019e64d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7070
    #13 0x7fe7d01a1815 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7176
    #14 0x7fe7d01503e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #15 0x7fe7d0150b33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #16 0x7fe7f3ca2337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #17 0x7fe7f3caae48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #18 0x7fe7f3cb079c in go_file_opener_open app/file.c:417
    #19 0x7fe7f4a8d096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #20 0x7fe7f4a8d427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #21 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #22 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #23 0x7fe7ee0b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #24 0x4049c8 in _start (apps/bin/ssconvert+0x4049c8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 pango_attr_list_ref

-- Juha Kylmänen
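A triage helper for reports like the one above, added here as an example and not part of the bug report or of Gnumeric: it parses the ASan SEGV report into frames, picks out the innermost frame that resolved to a source line (here ms_obj_attr_new_markup at ms-obj.c:141, the nearest project frame to the crash in pango_attr_list_ref) and builds a bucket key for grouping duplicate fuzzer findings. The embedded report is an abbreviated copy of the trace above (frames #3 to #20 dropped); the function names parse_asan_report, first_source_frame, crash_bucket_key and classify_fault are my own and not from any ASan tooling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an abbreviated copy of the ASan report from this bug,
# one frame per line (frames #3-#20 omitted for brevity).
SAMPLE_REPORT = """\
==31643==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe70000005d (pc 0x7fe7f03a9748 sp 0x7ffc1cbf5e48 bp 0x7ffc1cbf5e70 T0)
    #0 0x7fe7f03a9747 in pango_attr_list_ref (/usr/lib/libpango-1.0.so.0+0x15747)
    #1 0x7fe7d01ea5eb in ms_obj_attr_new_markup gnumeric/gnumeric/plugins/excel/ms-obj.c:141
    #2 0x7fe7d015fb73 in ms_escher_read_ClientTextbox gnumeric/gnumeric/plugins/excel/ms-escher.c:2023
    #21 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #22 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #23 0x7fe7ee0b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #24 0x4049c8 in _start (apps/bin/ssconvert+0x4049c8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 pango_attr_list_ref
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(\S+)\s+(.+?)\s*$")
SOURCE_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")          # file.c:141 or file.c:141:7
MODULE_RE = re.compile(r"^\((.+?)\+0x([0-9a-fA-F]+)\)$")   # (/usr/lib/libfoo.so+0x15747)


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    source_file: Optional[str] = None   # set when the frame symbolised to a source line
    line: Optional[int] = None
    module: Optional[str] = None        # set when only module+offset is known
    offset: Optional[int] = None

    @property
    def has_source(self) -> bool:
        return self.source_file is not None


@dataclass
class AsanCrash:
    kind: str            # e.g. "SEGV"
    fault_address: int
    frames: List[Frame]


def _parse_location(frame: Frame, location: str) -> None:
    """Fill in either file:line or module+offset, depending on how the frame was symbolised."""
    m = SOURCE_RE.match(location)
    if m:
        frame.source_file, frame.line = m.group(1), int(m.group(2))
        return
    m = MODULE_RE.match(location)
    if m:
        frame.module, frame.offset = m.group(1), int(m.group(2), 16)


def parse_asan_report(text: str) -> AsanCrash:
    """Parse the ERROR header and every '#N 0x... in func location' frame of an ASan report."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frame = Frame(index=int(m.group(1)), pc=int(m.group(2), 16), function=m.group(3))
        _parse_location(frame, m.group(4))
        frames.append(frame)
    return AsanCrash(kind=header.group(1), fault_address=int(header.group(2), 16), frames=frames)


def first_source_frame(crash: AsanCrash) -> Optional[Frame]:
    """Innermost frame with a source location: usually the first code worth reading."""
    return next((f for f in crash.frames if f.has_source), None)


def crash_bucket_key(crash: AsanCrash, depth: int = 3) -> Tuple[str, ...]:
    """Function names of the innermost frames, used to group duplicate fuzzer findings."""
    return tuple(f.function for f in crash.frames[:depth])


def classify_fault(address: int, null_page_limit: int = 0x10000) -> str:
    """Faults below the first 64 KiB usually mean NULL plus a field offset; others are wild pointers."""
    return "near-null-deref" if address < null_page_limit else "wild-address"


if __name__ == "__main__":
    crash = parse_asan_report(SAMPLE_REPORT)
    top = first_source_frame(crash)
    print(f"{crash.kind} at {crash.fault_address:#x} ({classify_fault(crash.fault_address)})")
    print("first source frame:", top.function, f"{top.source_file}:{top.line}")
    print("bucket:", "|".join(crash_bucket_key(crash)))
```

On this report the fault address is far from the null page, so the helper labels it a wild pointer rather than a plain NULL dereference, and the bucket key (pango_attr_list_ref, ms_obj_attr_new_markup, ms_escher_read_ClientTextbox) is what you would compare against other crashes from the same fuzzing run before filing them separately.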
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.