Bug 751056 - Stack overflow on a small fuzzed .gnumeric file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export other
Version: git master
Hardware/OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Morten Welinder
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
 
Reported: 2015-06-16 16:04 UTC by jutaky
Modified: 2015-06-16 17:55 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2015-06-16 16:04:19 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_expr.c.2341.gnumeric

I have become accustomed to getting stack overflows on very large spreadsheets, but this one is only 2.3KB. Maybe this is unrelated to the huge XML file stack overflows.

$ gnumeric gnumeric_case_expr.c.2341.gnumeric

ASAN:SIGSEGV
=================================================================
==17184==ERROR: AddressSanitizer: stack-overflow on address 0x7fffb7f76fd8 (pc 0x7fdf8e9ee528 bp 0x7fffb7f77070 sp 0x7fffb7f76f00 T0)
    #0 0x7fdf8e9ee527 in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2341
    #1 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9
    #2 0x7fdf8e9eeb6d in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2357:10
    #3 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9
    #4 0x7fdf8e9eeb6d in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2357:10
    #5 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9
    #6 0x7fdf8e9eeb6d in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2357:10
    #7 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9
    #8 0x7fdf8e9eeb6d in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2357:10
    #9 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9
    #10 0x7fdf8e9eeb6d in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2357:10
    #11 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9
    <snip>
    #250 0x7fdf8e9eeb6d in gnm_expr_get_range gnumeric/gnumeric/src/expr.c:2357:10
    #251 0x7fdf8e9eefce in gnm_expr_top_get_range gnumeric/gnumeric/src/expr.c:2936:9

SUMMARY: AddressSanitizer: stack-overflow gnumeric/gnumeric/src/expr.c:2341 gnm_expr_get_range

--
Juha Kylmänen
Comment 1 Morten Welinder 2015-06-16 17:31:18 UTC
The stack trace would suggest a circular definition of a name or a sequence of names.
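The mechanism suggested in Comment 1, as an added example that is not Gnumeric's code and not the fix that was committed: a toy named-expression resolver in C that refuses circular name definitions instead of recursing until the stack overflows, which is what the alternating gnm_expr_get_range / gnm_expr_top_get_range frames in the ASan trace look like. All identifiers here (NamedExpr, resolve_name, demo_resolve) are hypothetical, and the sample table is constructed to contain one valid chain, one three-name cycle and one self-reference. A name already on the resolution path is reported as an error rather than followed again, and a hard depth cap bounds the recursion even if that bookkeeping were bypassed.

```c
/* Added example, not Gnumeric code: a toy resolver for named expressions
 * that refuses circular definitions instead of recursing until the stack
 * overflows. All identifiers and the sample table below are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Recursion bound as a second line of defence behind the cycle flag. */
#define MAX_NAME_DEPTH 64

/* A named expression is either a literal range or a reference to another name. */
typedef enum { EXPR_RANGE, EXPR_NAME_REF } ExprKind;

typedef struct {
    const char *name;
    ExprKind    kind;
    const char *value;     /* range text, or the referenced name */
    int         resolving; /* non-zero while this name is on the resolution path */
} NamedExpr;

static NamedExpr *lookup_name(NamedExpr *tab, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0)
            return &tab[i];
    return NULL;
}

static const char *resolve_rec(NamedExpr *tab, int n, const char *name, int depth)
{
    NamedExpr *e = lookup_name(tab, n, name);
    if (e == NULL)
        return NULL;                    /* unknown name */
    if (e->kind == EXPR_RANGE)
        return e->value;                /* base case: a concrete range */
    if (e->resolving)
        return NULL;                    /* circular definition detected */
    if (depth >= MAX_NAME_DEPTH)
        return NULL;                    /* pathological chain, refuse anyway */

    e->resolving = 1;
    const char *r = resolve_rec(tab, n, e->value, depth + 1);
    e->resolving = 0;                   /* always clear, including on error */
    return r;
}

/* Returns the range a name ultimately denotes, or NULL for an unknown name,
 * a circular definition, or a chain deeper than MAX_NAME_DEPTH. */
const char *resolve_name(NamedExpr *tab, int n, const char *name)
{
    return resolve_rec(tab, n, name, 0);
}

/* Constructed sample table: one valid chain, one three-name cycle, one self-reference. */
static NamedExpr demo_table[] = {
    { "Total",    EXPR_NAME_REF, "Subtotal",     0 },
    { "Subtotal", EXPR_NAME_REF, "Data",         0 },
    { "Data",     EXPR_RANGE,    "Sheet1!A1:B2", 0 },
    { "Loop1",    EXPR_NAME_REF, "Loop2",        0 },
    { "Loop2",    EXPR_NAME_REF, "Loop3",        0 },
    { "Loop3",    EXPR_NAME_REF, "Loop1",        0 },
    { "Self",     EXPR_NAME_REF, "Self",         0 },
};
#define DEMO_N ((int)(sizeof demo_table / sizeof demo_table[0]))

/* Resolve a name against the constructed table. */
const char *demo_resolve(const char *name)
{
    return resolve_name(demo_table, DEMO_N, name);
}

int main(void)
{
    const char *names[] = { "Total", "Loop1", "Self", "Missing" };
    for (int i = 0; i < 4; i++) {
        const char *r = demo_resolve(names[i]);
        printf("%-8s -> %s\n", names[i],
               r ? r : "(error: unknown name or circular definition)");
    }
    return 0;
}
```

The resolving flag is cleared on every return path, so a cycle reported once does not poison later lookups of the same names; the depth cap is there because a flag stored in shared state is easy to get wrong (it would need care with concurrent evaluation), and a bound on recursion depth fails safely regardless. The fix Morten committed to the Gnumeric repository is not reproduced here.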
Comment 2 Morten Welinder 2015-06-16 17:55:08 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.