GNOME Bugzilla – Bug 750857
Out-of-bounds read in openoffice-write.c on a fuzzed xls to ods conversion
Last modified: 2015-06-12 17:20:48 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_15172_4911.2ods.xls

$ ssconvert gnumeric_case_15172_4911.2ods.xls /tmp/out.ods
==1302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f7e7134ca63 bp 0x7fffafba4ff0 sp 0x7fffafba4460 T0)
    #0 0x7f7e7134ca62 in odf_write_cell gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3384:18
    #1 0x7f7e713485bc in odf_write_content_rows gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3886:5
    #2 0x7f7e7133e34c in odf_write_sheet gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3967:3
    #3 0x7f7e712ba9bb in odf_write_content gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:4969:3
    #4 0x7f7e712b6c9d in openoffice_file_save_real gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:8909:12
    #5 0x7f7e712b81b6 in odf_file_save gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:9014:2
    #6 0x7f7e95e732aa in go_plugin_loader_module_func_file_save gnumeric/goffice/goffice/app/go-plugin-loader-module.c:366:2
    #7 0x7f7e95e82b11 in go_plugin_file_saver_save gnumeric/goffice/goffice/app/go-plugin-service.c:948:2
    #8 0x7f7e95e9cb74 in go_file_saver_save gnumeric/goffice/goffice/app/file.c:848:2
    #9 0x7f7e97817053 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059:2
    #10 0x7f7e97817adf in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093:3
    #11 0x7f7e978192c3 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129:2
    #12 0x4e29ec in convert gnumeric/gnumeric/src/ssconvert.c:831:9
    #13 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #14 0x7f7e902ab78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #15 0x437b98 in _start (apps/bin/ssconvert+0x437b98)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3384 odf_write_cell

-- Juha Kylmänen
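The trace above is the kind of report a fuzzing campaign produces by the hundred, and the first triage question is what sort of fault it is: a SEGV on the tiny address 0x28 is most consistent with a field read through a NULL struct pointer (offset 0x28 into a structure), which ASan cannot annotate further ("can not provide additional info"), rather than a heap out-of-bounds access, which ASan would report as heap-buffer-overflow with a shadow-memory dump. The script below is an added example, not part of this bug report or of Gnumeric's code: it parses ASan error output, extracts the fault address and the first few frames, classifies the fault, and builds a deduplication key (error kind plus top frame and source line) so crashes from the same bug collapse into one bucket. The page-size threshold for "null pointer plus offset" is an assumed heuristic, and the two inputs are constructed samples: one trimmed from the trace quoted above, one invented heap-buffer-overflow report in ASan's usual format.

```python
import os
import re

# Constructed sample 1: the AddressSanitizer output quoted in the report above,
# trimmed to the top three frames.
ASAN_SEGV = """\
==1302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f7e7134ca63 bp 0x7fffafba4ff0 sp 0x7fffafba4460 T0)
    #0 0x7f7e7134ca62 in odf_write_cell gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3384:18
    #1 0x7f7e713485bc in odf_write_content_rows gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3886:5
    #2 0x7f7e7133e34c in odf_write_sheet gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3967:3
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/openoffice/openoffice-write.c:3384 odf_write_cell
"""

# Constructed sample 2 (invented, not from the report): a heap overflow in the
# same ASan output format, to show the classifier telling the two cases apart.
ASAN_HEAP = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x000000401234 bp 0x7ffc0000 sp 0x7ffc0000
READ of size 1 at 0x602000000014 thread T0
    #0 0x401233 in parse_record src/reader.c:120:9
    #1 0x401500 in main src/main.c:40:5
SUMMARY: AddressSanitizer: heap-buffer-overflow src/reader.c:120:9 in parse_record
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")

# Assumed heuristic: a fault address below one page is a NULL pointer plus a
# small field offset, not a pointer into any mapped object.
PAGE_SIZE = 4096


def parse_asan(text):
    """Return the error kind, fault address (int or None) and stack frames."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("no AddressSanitizer error line found")
    frames = []
    for line in text.splitlines():
        f = FRAME_RE.match(line)
        if f:
            frames.append((f.group("func"), f.group("loc")))
    addr = int(m.group("addr"), 16) if m.group("addr") else None
    return {"kind": m.group("kind"), "addr": addr, "frames": frames}


def classify(report):
    """Coarse triage label for a parsed report."""
    kind, addr = report["kind"], report["addr"]
    if kind == "SEGV":
        if addr is not None and addr < PAGE_SIZE:
            # e.g. 0x28: reading a field at offset 0x28 through a NULL pointer
            return "null-plus-offset"
        return "wild-pointer"
    # heap-buffer-overflow, use-after-free, stack-buffer-overflow, ...: ASan
    # already names the memory error precisely, so keep its label.
    return kind


def bucket_key(report):
    """Dedup key: error kind, top frame function, file basename and line."""
    func, loc = report["frames"][0]
    parts = loc.split(":")
    file_ = os.path.basename(parts[0])
    line = parts[1] if len(parts) > 1 else "?"
    return f"{report['kind']}:{func}:{file_}:{line}"


if __name__ == "__main__":
    for sample in (ASAN_SEGV, ASAN_HEAP):
        rep = parse_asan(sample)
        print(classify(rep), bucket_key(rep))
```

Running it on the two samples prints `null-plus-offset SEGV:odf_write_cell:openoffice-write.c:3384` for the report's trace and `heap-buffer-overflow heap-buffer-overflow:parse_record:reader.c:120` for the constructed overflow, which is the distinction a triager wants before deciding how much attention a fuzzer finding deserves.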
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.