GNOME Bugzilla – Bug 750851
Segfault in go-data-cache.c:56(?) on a fuzzed xlsx file
Last modified: 2015-06-20 19:16:16 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_6414_299.xlsx

$ ssconvert gnumeric_case_6414_299.xlsx /tmp/out.gnumeric
==17181==ERROR: AddressSanitizer: SEGV on unknown address 0x6291000d3fee (pc 0x7f7fb21f5d54 bp 0x7ffe45e138f0 sp 0x7ffe45e13088 T0)
    #0 0x7f7fb21f5d53 in __memset_sse2 (/usr/lib/libc.so.6+0x83d53)
    #1 0x4a85ae in __asan_memset (apps/bin/ssconvert+0x4a85ae)
    #2 0x7f7fb8c73feb in go_data_cache_records_set_size gnumeric/gnumeric/src/go-data-cache.c:56:3
    #3 0x7f7fb8c73790 in go_data_cache_import_done gnumeric/gnumeric/src/go-data-cache.c:411:3
    #4 0x7f7f957c914a in xlsx_CT_pivotCacheRecords_end gnumeric/gnumeric/plugins/excel/./xlsx-read-pivot.c:885:2
    #5 0x7f7fb719cb81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #6 0x7f7fb6166856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #7 0x7f7fb6172d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #8 0x7f7fb6196684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #9 0x7f7fb7187c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #10 0x7f7fb71e172d in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432:8
    #11 0x7f7f957b93da in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #12 0x7f7f957bae76 in xlsx_CT_pivotCacheDefinition_end gnumeric/gnumeric/plugins/excel/./xlsx-read-pivot.c:1002:3
    #13 0x7f7fb719cb81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #14 0x7f7fb6166856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #15 0x7f7fb6172d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #16 0x7f7fb6196684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #17 0x7f7fb7187c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #18 0x7f7fb71e172d in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432:8
    #19 0x7f7f957b93da in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #20 0x7f7f957b8cb2 in xlsx_CT_PivotCache gnumeric/gnumeric/plugins/excel/xlsx-read.c:3513:3
    #21 0x7f7fb7187555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #22 0x7f7fb71a03dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #23 0x7f7fb719b400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #24 0x7f7fb6163b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #25 0x7f7fb616f71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #26 0x7f7fb616dbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #27 0x7f7fb6172039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #28 0x7f7fb616dbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #29 0x7f7fb6172039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #30 0x7f7fb6196684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #31 0x7f7fb7187c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #32 0x7f7f957aacd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #33 0x7f7f957a9652 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5153:4
    #34 0x7f7fb7d5bc80 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #35 0x7f7fb7d6f804 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #36 0x7f7fb7d7d018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #37 0x7f7fb9703f2a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #38 0x7f7fb9704b20 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #39 0x4e0f21 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #40 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #41 0x7f7fb219278f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #42 0x437b98 in _start (apps/bin/ssconvert+0x437b98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 __memset_sse2

-- Juha Kylmänen
Created attachment 305453
Proposed patch

No more crash with this patch, but a lot of criticals instead. Using g_realloc and friends crashes the program on failure. We might always use g_try_* instead to avoid a crash.
I think there are two issues we need to address:

1. Where does the crazy size come from?
2. Do we need to protect against integer overflow here?
1. We read a signed int and pass it as unsigned. Apparently the fuzzed file has a negative number there (we might of course test that).
2. Even if the number inside the file is positive, it might be large, and I suppose a failure is a better option than a crash.
Fixed three different ways:

1. Parse count unsigned.
2. Don't trust large counts.
3. Check for integer overflow in allocation.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
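As an added illustration of the three-part fix described in the last comment (example code written for this page, not gnumeric's own go-data-cache.c), here is a hypothetical hardened count parser and record-store resize in plain C: the count is parsed as unsigned and rejected if negative, non-numeric or implausibly large, the byte size is checked for multiplication overflow before allocating, and a failed realloc is reported instead of aborting, which is the g_try_* point raised earlier. MAX_RECORDS, RecordCache, parse_count and cache_records_set_size are names chosen for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on records per pivot cache (example constant, not gnumeric's). */
#define MAX_RECORDS 10000000u

typedef struct {
    unsigned char *data;            /* record_size bytes per record */
    size_t record_size;
    unsigned int records_allocated;
} RecordCache;

/* Parse an XML attribute value as an unsigned record count.
 * Returns 0 on success, -1 for a negative, non-numeric or oversized value. */
int parse_count(const char *text, unsigned int *out)
{
    char *end = NULL;
    unsigned long long v;
    /* Require a leading digit: strtoull would quietly accept "-1" and wrap it. */
    if (text == NULL || *text < '0' || *text > '9')
        return -1;
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno != 0 || *end != '\0' || v > MAX_RECORDS)
        return -1;
    *out = (unsigned int)v;
    return 0;
}

/* Resize the record store. Refuses counts whose byte size would overflow
 * size_t and reports allocation failure instead of aborting. 0 on success. */
int cache_records_set_size(RecordCache *c, unsigned int n)
{
    unsigned char *p;
    size_t bytes;
    if (n > MAX_RECORDS || (c->record_size != 0 && n > SIZE_MAX / c->record_size))
        return -1;                              /* would overflow the multiplication */
    bytes = (size_t)n * c->record_size;
    p = realloc(c->data, bytes ? bytes : 1);    /* keep a valid pointer at size 0 */
    if (p == NULL)
        return -1;                              /* report, do not abort */
    if (n > c->records_allocated)               /* zero only the newly added tail */
        memset(p + (size_t)c->records_allocated * c->record_size, 0,
               (size_t)(n - c->records_allocated) * c->record_size);
    c->data = p;
    c->records_allocated = n;
    return 0;
}
```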