GNOME Bugzilla – Bug 750862
Out-of-bounds read in xlsx-read.c:3876 on a fuzzed xlsx file
Last modified: 2015-06-15 17:24:01 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_3283_2648.xlsx

$ ssconvert gnumeric_case_3283_2648.xlsx /tmp/out.gnumeric
==30884==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f65a9e62008 bp 0x7ffd0f77fef0 sp 0x7ffd0f77fc00 T0)
    #0 0x7f65a9e62007 in xlsx_comment_start gnumeric/gnumeric/plugins/excel/xlsx-read.c:3876:8
    #1 0x7f65cb92c555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7f65cb9453dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7f65cb940400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7f65ca908b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #5 0x7f65ca91471f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #6 0x7f65ca912bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7f65ca917039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7f65ca912bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7f65ca917039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7f65ca912bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7f65ca917039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7f65ca912bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #13 0x7f65ca917039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #14 0x7f65ca93b684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #15 0x7f65cb92cc63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #16 0x7f65a9e3ecd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #17 0x7f65a9e45eba in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:4002:4
    #18 0x7f65cb941b81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #19 0x7f65ca90b856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #20 0x7f65ca917d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #21 0x7f65ca93b684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #22 0x7f65cb92cc63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #23 0x7f65a9e3ecd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #24 0x7f65a9e3d652 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5153:4
    #25 0x7f65cc500c80 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #26 0x7f65cc514804 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #27 0x7f65cc522018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #28 0x7f65cdea8f2a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #29 0x7f65cdea9b20 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #30 0x4e0f21 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #31 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #32 0x7f65c693778f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #33 0x437b98 in _start (apps/bin/ssconvert+0x437b98)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/xlsx-read.c:3876 xlsx_comment_start

-- Juha Kylmänen
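A triage point worth making explicit about the report above: the bug title says "out-of-bounds read", but the sanitizer header says "SEGV on unknown address 0x000000000008", which is the signature of a NULL pointer dereferenced through a struct field at offset 8, not of an access that AddressSanitizer caught in a redzone (those print "heap-buffer-overflow ... READ of size N" instead). The following script is an added example written for this page, not code from the bug report or from Gnumeric, libgsf or libxml2; it parses the standard ASan report layout (regexes are an assumption about that format), classifies the fault by its address, and pulls out the first frame. The first input is the start of the trace quoted in the report; the heap-buffer-overflow sample is constructed for contrast, and the 64 KiB near-null threshold is an assumption based on the usual vm.mmap_min_addr default.

```python
import re

# First frames of the AddressSanitizer output quoted in bug 750862.
ASAN_REPORT = """\
==30884==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f65a9e62008 bp 0x7ffd0f77fef0 sp 0x7ffd0f77fc00 T0)
    #0 0x7f65a9e62007 in xlsx_comment_start gnumeric/gnumeric/plugins/excel/xlsx-read.c:3876:8
    #1 0x7f65cb92c555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7f65cb9453dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7f65cb940400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7f65ca908b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/xlsx-read.c:3876 xlsx_comment_start
"""

# Constructed sample (not from the bug) of what ASan prints when it catches a
# real out-of-bounds read: the access kind and size are reported explicitly.
HEAP_OOB_REPORT = """\
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x0000004005a3 bp 0x7ffc0 sp 0x7ffc0
READ of size 4 at 0x602000000014 thread T0
    #0 0x4005a2 in read_cell example.c:7:12
    #1 0x4006f0 in main example.c:20:5
"""

HEADER_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+))?", re.M)
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x(?P<pc>[0-9a-fA-F]+) in (?P<func>\S+) (?P<loc>.+)$", re.M)
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")

# Assumption: nothing is mapped below the usual vm.mmap_min_addr (64 KiB), so a
# SEGV at such an address is a NULL (or NULL-plus-field-offset) dereference.
NEAR_NULL_LIMIT = 0x10000


def parse_frames(report):
    """Extract stack frames; frames without file:line (e.g. libc) keep the raw location."""
    frames = []
    for m in FRAME_RE.finditer(report):
        loc = LOC_RE.match(m.group("loc"))
        frames.append({
            "n": int(m.group("n")),
            "func": m.group("func"),
            "file": loc.group("file") if loc else m.group("loc"),
            "line": int(loc.group("line")) if loc else None,
        })
    return frames


def triage(report):
    """Return the fault kind, address, access, first frame and a coarse classification."""
    head = HEADER_RE.search(report)
    if head is None:
        raise ValueError("not an AddressSanitizer error report")
    kind = head.group("kind")
    addr = int(head.group("addr"), 16) if head.group("addr") else None
    access = ACCESS_RE.search(report)
    frames = parse_frames(report)

    if kind == "SEGV" and addr is not None and addr < NEAR_NULL_LIMIT:
        classification = "near-null dereference"
        note = ("SEGV at address 0x%x: a NULL pointer was dereferenced through a "
                "field at that offset. The process crashes (denial of service); "
                "no sanitizer-detected out-of-bounds read is involved." % addr)
    elif kind == "SEGV":
        classification = "wild pointer"
        note = "SEGV at an unmapped address far from NULL; inspect how the pointer was formed."
    elif kind in ("heap-buffer-overflow", "stack-buffer-overflow", "global-buffer-overflow"):
        classification = "out-of-bounds access"
        note = "ASan caught the access itself; the READ/WRITE line gives its size."
    else:
        classification = kind
        note = "see the ASan report for details"

    return {
        "kind": kind,
        "fault_address": addr,
        "access": (access.group("op"), int(access.group("size"))) if access else None,
        "top_frame": frames[0] if frames else None,
        "classification": classification,
        "note": note,
    }


if __name__ == "__main__":
    for name, rep in (("bug 750862", ASAN_REPORT), ("constructed OOB", HEAP_OOB_REPORT)):
        r = triage(rep)
        print("%s: %s in %s (%s:%s)" % (name, r["classification"],
              r["top_frame"]["func"], r["top_frame"]["file"], r["top_frame"]["line"]))
        print("  " + r["note"])
```

Run on the quoted trace it reports a near-null dereference in xlsx_comment_start at xlsx-read.c:3876, which tells a triager to look for a missing state check in the comment handler rather than for a buffer-length bug; the constructed sample shows the different header and the explicit "READ of size 4" line that a true out-of-bounds read produces under ASan.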
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.