GNOME Bugzilla – Bug 750047
Heap-buffer overread in utils/go-format.c:1989 on a fuzzed xls file
Last modified: 2015-05-31 22:03:51 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_utils.go-format.c.1989.xls

$ ssconvert gnumeric_case_utils.go-format.c.1989.xls /tmp/out.gnumeric
==876==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000058878 at pc 0x7fc294cad3e8 bp 0x7ffe87ee8340 sp 0x7ffe87ee8330
READ of size 4 at 0x611000058878 thread T0
    #0 0x7fc294cad3e7 in go_format_parse_number_new_1 utils/go-format.c:1989
    #1 0x7fc294cb2e15 in go_format_parse_number_fraction utils/go-format.c:2364
    #2 0x7fc294cc7da0 in go_format_parse utils/go-format.c:2487
    #3 0x7fc294cc7da0 in go_format_new_from_XL utils/go-format.c:6194
    #4 0x7fc29565ae17 in gnm_format_import gnumeric/gnumeric/src/gnm-format.c:420
    #5 0x7fc270f83a77 in excel_wb_get_fmt gnumeric/gnumeric/plugins/excel/ms-excel-read.c:266
    #6 0x7fc270fb4b03 in excel_read_XF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2580
    #7 0x7fc270fb4b03 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7193
    #8 0x7fc270f613e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #9 0x7fc270f61b33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #10 0x7fc294ab3337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #11 0x7fc294abbe48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #12 0x7fc294ac179c in go_file_opener_open app/file.c:417
    #13 0x7fc29589e096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #14 0x7fc29589e427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #15 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #16 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #17 0x7fc28eec87ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #18 0x4049c8 in _start (apps/bin/ssconvert+0x4049c8)

0x611000058878 is located 8 bytes to the left of 256-byte region [0x611000058880,0x611000058980)
allocated by thread T0 here:
    #0 0x7fc2962f5a86 in __interceptor_realloc (/usr/lib/libasan.so.1+0x57a86)
    #1 0x7fc28f4c3c5f in g_realloc gnumeric/glib/glib/gmem.c:162
    #2 0x7fc28f48662c in g_array_maybe_expand gnumeric/glib/glib/garray.c:779
    #3 0x7fc28f485e64 in g_array_set_size gnumeric/glib/glib/garray.c:555
    #4 0x7fc294ca6fc5 in go_format_preparse utils/go-format.c:1324
    #5 0x7fc294cc701c in go_format_parse utils/go-format.c:2450
    #6 0x7fc294cc701c in go_format_new_from_XL utils/go-format.c:6194
    #7 0x7fc29565ae17 in gnm_format_import gnumeric/gnumeric/src/gnm-format.c:420
    #8 0x7fc270f83a77 in excel_wb_get_fmt gnumeric/gnumeric/plugins/excel/ms-excel-read.c:266
    #9 0x7fc270fb4b03 in excel_read_XF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2580
    #10 0x7fc270fb4b03 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7193
    #11 0x7fc270f613e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #12 0x7fc270f61b33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #13 0x7fc294ab3337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #14 0x7fc294abbe48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #15 0x7fc294ac179c in go_file_opener_open app/file.c:417
    #16 0x7fc29589e096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #17 0x7fc29589e427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #18 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #19 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #20 0x7fc28eec87ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow utils/go-format.c:1989 go_format_parse_number_new_1

-- Juha Kylmänen
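The report above shows a 4-byte read landing 8 bytes before the start of a 256-byte region that go_format_preparse had sized with g_array_set_size, which is consistent with an unchecked negative index into an array of 4-byte elements. The C block below is an added illustration, not goffice or gnumeric code: it models a constructed 64-element token array with that unchecked access beside a bounds-checked accessor, and includes a helper that turns ASan's address arithmetic into the element index that was read; the `tokens_t` type, the `peek_*` names and the `TOKEN_NONE` sentinel are all assumptions made for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a growable array of 4-byte elements, sized like the
 * 256-byte region in the report (64 elements of 4 bytes). Hypothetical type. */
typedef struct { uint32_t *data; size_t len; } tokens_t;

/* Unchecked look-around: reads data[pos + delta] with no range check. With
 * pos == 0 and delta == -2 it reads 8 bytes before the region, the pattern
 * ASan flagged above. Never call it with an out-of-range index. */
static uint32_t peek_unchecked(const tokens_t *t, size_t pos, long delta) {
    return t->data[(long)pos + delta];
}

/* Hardened accessor: refuses indices outside [0, len) and returns a sentinel
 * so the caller can treat "no such token" as an ordinary parse condition. */
#define TOKEN_NONE 0xFFFFFFFFu
static uint32_t peek_checked(const tokens_t *t, size_t pos, long delta) {
    long idx = (long)pos + delta;
    if (idx < 0 || (size_t)idx >= t->len)
        return TOKEN_NONE;
    return t->data[idx];
}

/* Triage helper: ASan gives the faulting address, the region start and the
 * access size; the difference divided by the element size is the index read.
 * For the report above: (0x...878 - 0x...880) / 4 == -2. */
static long asan_index(uintptr_t fault_addr, uintptr_t region_start, size_t elem_size) {
    return ((long)fault_addr - (long)region_start) / (long)elem_size;
}

/* Constructed sample: 64 tokens holding the values 1..64. */
static uint32_t sample_data[64];
static uint32_t lookbehind(size_t pos, long delta) {
    for (size_t i = 0; i < 64; i++) sample_data[i] = (uint32_t)i + 1;
    tokens_t t = { sample_data, 64 };
    return peek_checked(&t, pos, delta);
}

int main(void) {
    tokens_t t = { sample_data, 64 };
    printf("reported index: %ld\n", asan_index(0x611000058878ULL, 0x611000058880ULL, 4));
    printf("checked peek at 0,-2: %#x (sentinel)\n", lookbehind(0, -2));
    printf("unchecked peek at 5,-1: %u\n", peek_unchecked(&t, 5, -1));
    return 0;
}
```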
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.