GNOME Bugzilla – Bug 750856
Heap-buffer overread in ms-biff.c:726 on a fuzzed xlsx file
Last modified: 2015-06-16 12:41:28 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24013_3831.biff7.2xls.xlsx

$ ssconvert --export-type=Gnumeric_Excel:excel_biff7 gnumeric_case_24013_3831.biff7.2xls.xlsx /tmp/out.xls
==29398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000459340 at pc 0x0000004a805c bp 0x7ffd56281df0 sp 0x7ffd562815a8
READ of size 17 at 0x602000459340 thread T0
    #0 0x4a805b in __asan_memcpy (apps/bin/ssconvert+0x4a805b)
    #1 0x7fe130165d93 in ms_biff_put_var_write gnumeric/gnumeric/plugins/excel/ms-biff.c:726:2
    #2 0x7fe13026c0dc in excel_write_string gnumeric/gnumeric/plugins/excel/ms-excel-write.c:447:2
    #3 0x7fe1302c37a2 in excel_write_HLINKs gnumeric/gnumeric/plugins/excel/ms-excel-write.c:1623:4
    #4 0x7fe1302b0829 in excel_write_sheet gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5707:2
    #5 0x7fe13027d591 in excel_write_workbook gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6529:3
    #6 0x7fe130276652 in excel_write_v7 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6560:3
    #7 0x7fe130156b42 in excel_save gnumeric/gnumeric/plugins/excel/boot.c:302:3
    #8 0x7fe13015796c in excel_biff7_file_save gnumeric/gnumeric/plugins/excel/boot.c:357:2
    #9 0x7fe1528ae2aa in go_plugin_loader_module_func_file_save gnumeric/goffice/goffice/app/go-plugin-loader-module.c:366:2
    #10 0x7fe1528bdb11 in go_plugin_file_saver_save gnumeric/goffice/goffice/app/go-plugin-service.c:948:2
    #11 0x7fe1528d7b74 in go_file_saver_save gnumeric/goffice/goffice/app/file.c:848:2
    #12 0x7fe154252053 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059:2
    #13 0x7fe154252adf in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093:3
    #14 0x7fe1542542c3 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129:2
    #15 0x4e29ec in convert gnumeric/gnumeric/src/ssconvert.c:831:9
    #16 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #17 0x7fe14cce678f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #18 0x437b98 in _start (apps/bin/ssconvert+0x437b98)

0x602000459340 is located 0 bytes to the right of 16-byte region [0x602000459330,0x602000459340)
allocated by thread T0 here:
    #0 0x4beea5 in realloc (apps/bin/ssconvert+0x4beea5)
    #1 0x7fe14d6f13f8 in g_realloc gnumeric/glib/glib/gmem.c:162

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
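The trace above shows memcpy reading 17 bytes from a 16-byte heap block obtained through g_realloc: the length handed to the variable-length record writer exceeded what the source buffer actually held. The following C sketch is an added example, not gnumeric's code and not the committed fix (which the page does not show); all names (RecordBuf, SourceBuf, record_write_checked) are assumptions. It models an append into a growable record buffer where the requested byte count is validated against the bytes the source really owns before any copy runs, and a demo that mirrors the report's shape (16-byte block, 17-byte request).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable output record (loosely the role a BIFF
 * variable-length record buffer plays). Names are assumptions. */
typedef struct {
    uint8_t *data;
    size_t   len;   /* bytes written so far */
    size_t   cap;   /* bytes allocated */
} RecordBuf;

/* Hypothetical caller-supplied source: the bytes plus the size the
 * allocation really has, so a request can be checked against it. */
typedef struct {
    const uint8_t *bytes;
    size_t         avail;
} SourceBuf;

/* Grow the destination so `extra` more bytes fit; overflow-safe. */
static bool record_reserve(RecordBuf *r, size_t extra) {
    if (extra > SIZE_MAX - r->len) return false;
    size_t need = r->len + extra;
    if (need <= r->cap) return true;
    size_t ncap = r->cap ? r->cap : 16;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2) return false;
        ncap *= 2;
    }
    uint8_t *p = realloc(r->data, ncap);
    if (!p) return false;
    r->data = p;
    r->cap  = ncap;
    return true;
}

/* Length-checked append. The over-read in the report corresponds to the
 * same memcpy performed without the `want > src->avail` check: the copy
 * then reads past the end of the source heap block. */
static bool record_write_checked(RecordBuf *r, const SourceBuf *src, size_t want) {
    if (src->bytes == NULL && want > 0) return false;
    if (want > src->avail) return false;          /* refuse the over-read */
    if (!record_reserve(r, want)) return false;
    memcpy(r->data + r->len, src->bytes, want);
    r->len += want;
    return true;
}

/* Constructed scenario mirroring the ASan report: a 16-byte source block,
 * one request for 17 bytes (must be refused) and one for 16 (must succeed).
 * Returns 1 when both outcomes are as expected, 0 otherwise. */
int demo_reject_overread(void) {
    uint8_t *blk = malloc(16);
    if (!blk) return 0;
    memset(blk, 'A', 16);
    SourceBuf src = { blk, 16 };
    RecordBuf rec = { NULL, 0, 0 };

    bool over = record_write_checked(&rec, &src, 17);  /* refused, no copy */
    bool ok   = record_write_checked(&rec, &src, 16);  /* fits exactly */

    int result = (!over && ok && rec.len == 16 && memcmp(rec.data, blk, 16) == 0);
    free(rec.data);
    free(blk);
    return result;
}

int main(void) {
    printf("over-read rejected and in-range write accepted: %s\n",
           demo_reject_overread() ? "yes" : "no");
    return 0;
}
```

The check lives at the boundary where the length is decided, not inside the copy, so a malformed or fuzzed input that produces an oversized length is rejected before memcpy is reached; compiling with -fsanitize=address, as the reporter did, remains the way to catch any remaining path that bypasses such a check.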