GNOME Bugzilla – Bug 751059
Heap-buffer overread in gog-barcol.c:687 on a fuzzed xlsx to xls conversion
Last modified: 2015-06-19 13:17:22 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_7508_6386.2xls.xlsx

$ ssconvert gnumeric_case_7508_6386.2xls.xlsx /tmp/out.xls
==18635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000000 at pc 0x7fadbfe54536 bp 0x7ffece705b90 sp 0x7ffece705b88
READ of size 8 at 0x607000000000 thread T0
    #0 0x7fadbfe54535 in gog_barcol_view_render gnumeric/goffice/plugins/plot_barcol/gog-barcol.c:687:10
    #1 0x7fade22dca30 in gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:892:3
    #2 0x7fade2324173 in plot_render gnumeric/goffice/goffice/graph/gog-chart.c:1536:4
    #3 0x7fade231f710 in gog_chart_view_render gnumeric/goffice/goffice/graph/gog-chart.c:1577:5
    #4 0x7fade22dcb78 in gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:897:3
    #5 0x7fade230544b in gog_graph_view_render gnumeric/goffice/goffice/graph/gog-graph.c:1026:3
    #6 0x7fade22dca30 in gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:892:3
    #7 0x7fade2585609 in gog_renderer_update gnumeric/goffice/goffice/graph/gog-renderer.c:1429:3
    #8 0x7fadbd755c9d in ms_excel_chart_write gnumeric/gnumeric/plugins/excel/ms-chart.c:5596:2
    #9 0x7fadbd69949b in excel_write_chart_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:4355:2
    #10 0x7fadbd693a88 in excel_write_obj_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5041:10
    #11 0x7fadbd6737b9 in excel_write_objs_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5612:10
    #12 0x7fadbd669366 in excel_write_sheet gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5700:3
    #13 0x7fadbd636961 in excel_write_workbook gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6536:3
    #14 0x7fadbd637399 in excel_write_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6589:3
    #15 0x7fadbd50fd61 in excel_save gnumeric/gnumeric/plugins/excel/boot.c:304:3
    #16 0x7fadbd5107bc in excel_biff8_file_save gnumeric/gnumeric/plugins/excel/boot.c:350:2
    #17 0x7fade21662aa in go_plugin_loader_module_func_file_save gnumeric/goffice/goffice/app/go-plugin-loader-module.c:366:2
    #18 0x7fade2175b11 in go_plugin_file_saver_save gnumeric/goffice/goffice/app/go-plugin-service.c:948:2
    #19 0x7fade218fb74 in go_file_saver_save gnumeric/goffice/goffice/app/file.c:848:2
    #20 0x7fade3b0a053 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059:2
    #21 0x7fade3b0aadf in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093:3
    #22 0x7fade3b0c2c3 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129:2
    #23 0x4e288c in convert gnumeric/gnumeric/src/ssconvert.c:835:9
    #24 0x4dec1e in main gnumeric/gnumeric/src/ssconvert.c:910:9
    #25 0x7faddc5a078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #26 0x437ae8 in _start (apps/bin/ssconvert+0x437ae8)

0x607000000000 is located 32 bytes to the left of 76-byte region [0x607000000020,0x60700000006c)
freed by thread T0 here:
    #0 0x4be7d2 in __interceptor_free (apps/bin/ssconvert+0x4be7d2)
    #1 0x7fade06319a0 in xmlFreeNodeList__internal_alias gnumeric/libxml2/tree.c:3692:3
    #2 0x7fade063118e in xmlFreeNodeList__internal_alias gnumeric/libxml2/tree.c:3681:3
    #3 0x7fade063118e in xmlFreeNodeList__internal_alias gnumeric/libxml2/tree.c:3681:3
    #4 0x7fade063118e in xmlFreeNodeList__internal_alias gnumeric/libxml2/tree.c:3681:3
    #5 0x7fade063118e in xmlFreeNodeList__internal_alias gnumeric/libxml2/tree.c:3681:3
    #6 0x7fade063118e in xmlFreeNodeList__internal_alias gnumeric/libxml2/tree.c:3681:3
    #7 0x7fade062fd1e in xmlFreeDoc__internal_alias gnumeric/libxml2/tree.c:1247:32
    #8 0x7fade2151050 in go_plugin_read gnumeric/goffice/goffice/app/go-plugin.c:908:2
    #9 0x7fade214dc8e in go_plugin_new_from_xml gnumeric/goffice/goffice/app/go-plugin.c:253:2
    #10 0x7fade214c668 in go_plugin_read_for_dir gnumeric/goffice/goffice/app/go-plugin.c:1351:23
    #11 0x7fade214b943 in go_plugin_list_read_for_subdirs_of_dir gnumeric/goffice/goffice/app/go-plugin.c:1410:12
    #12 0x7fade214adb6 in go_plugin_list_read_for_subdirs_of_dir_list gnumeric/goffice/goffice/app/go-plugin.c:1445:26
    #13 0x7fade21474ac in go_plugin_list_read_for_all_dirs gnumeric/goffice/goffice/app/go-plugin.c:1467:9
    #14 0x7fade2147eb9 in go_plugins_init gnumeric/goffice/goffice/app/go-plugin.c:1832:23
    #15 0x7fade39f5e8b in gnm_plugins_init gnumeric/gnumeric/src/gnm-plugin.c:993:2
    #16 0x4de78e in main gnumeric/gnumeric/src/ssconvert.c:887:2
    #17 0x7faddc5a078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

previously allocated by thread T0 here:
    #0 0x4bedf5 in realloc (apps/bin/ssconvert+0x4bedf5)
    #1 0x7fade0f49ade in xmlSAX2Characters__internal_alias gnumeric/libxml2/SAX2.c:2601:38
    #2 0x7fade04fd745 in xmlParseCharDataComplex gnumeric/libxml2/parser.c:4686:7
    #3 0x7fade04f86d3 in xmlParseCharData__internal_alias gnumeric/libxml2/parser.c:4607:5
    #4 0x7fade057bce7 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10006:6
    #5 0x7fade0580039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #6 0x7fade057bbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7fade0580039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7fade057bbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7fade0580039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7fade057bbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7fade0580039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7fade057bbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #13 0x7fade0580039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #14 0x7fade05a4684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #15 0x7fade05e8ea8 in xmlSAXParseMemoryWithData__internal_alias gnumeric/libxml2/parser.c:14554:5
    #16 0x7fade05e96ae in xmlSAXParseMemory__internal_alias gnumeric/libxml2/parser.c:14586:12
    #17 0x7fade05e991f in xmlParseMemory__internal_alias gnumeric/libxml2/parser.c:14600:11
    #18 0x7fade28c0142 in go_xml_parse_file gnumeric/goffice/goffice/utils/go-libxml-extras.c:58:12
    #19 0x7fade214eac0 in go_plugin_read gnumeric/goffice/goffice/app/go-plugin.c:779:8
    #20 0x7fade214dc8e in go_plugin_new_from_xml gnumeric/goffice/goffice/app/go-plugin.c:253:2
    #21 0x7fade214c668 in go_plugin_read_for_dir gnumeric/goffice/goffice/app/go-plugin.c:1351:23
    #22 0x7fade214b943 in go_plugin_list_read_for_subdirs_of_dir gnumeric/goffice/goffice/app/go-plugin.c:1410:12
    #23 0x7fade214adb6 in go_plugin_list_read_for_subdirs_of_dir_list gnumeric/goffice/goffice/app/go-plugin.c:1445:26
    #24 0x7fade21474ac in go_plugin_list_read_for_all_dirs gnumeric/goffice/goffice/app/go-plugin.c:1467:9
    #25 0x7fade2147eb9 in go_plugins_init gnumeric/goffice/goffice/app/go-plugin.c:1832:23
    #26 0x7fade39f5e8b in gnm_plugins_init gnumeric/gnumeric/src/gnm-plugin.c:993:2
    #27 0x4de78e in main gnumeric/gnumeric/src/ssconvert.c:887:2
    #28 0x7faddc5a078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/goffice/plugins/plot_barcol/gog-barcol.c:687 gog_barcol_view_render

-- Juha Kylmänen
I'm unable to reproduce this one (no valgrind error, at least).
Valgrind's opinion:

==7454== Invalid read of size 8
==7454==    at 0x1AB29367: gog_barcol_view_render (gog-barcol.c:687)
==7454==    by 0x5476B55: gog_view_render (gog-view.c:892)
==7454==    by 0x547E861: plot_render (gog-chart.c:1536)
==7454==    by 0x547E2F8: gog_chart_view_render (gog-chart.c:1577)
==7454==    by 0x547AAC8: gog_graph_view_render (gog-graph.c:1026)
==7454==    by 0x5476B55: gog_view_render (gog-view.c:892)
==7454==    by 0x54C2C9B: gog_renderer_update (gog-renderer.c:1429)
==7454==    by 0x18BA7F3A: ms_excel_chart_write (ms-chart.c:5596)
==7454==    by 0x18B940C0: excel_write_chart_v8 (ms-excel-write.c:4355)
==7454==    by 0x18B940C0: excel_write_obj_v8 (ms-excel-write.c:5041)
==7454==    by 0x18B940C0: excel_write_objs_v8 (ms-excel-write.c:5612)
==7454==    by 0x18B940C0: excel_write_sheet (ms-excel-write.c:5700)
==7454==    by 0x18B8F43E: excel_write_workbook (ms-excel-write.c:6536)
==7454==    by 0x18B8F5B0: excel_write_v8 (ms-excel-write.c:6589)
==7454==    by 0x18B71DBB: excel_save (boot.c:304)
==7454==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7454==
==7454==
==7454== Process terminating with default action of signal 11 (SIGSEGV)
==7454==  Access not within mapped region at address 0x0
==7454==    at 0x1AB29367: gog_barcol_view_render (gog-barcol.c:687)
==7454==    by 0x5476B55: gog_view_render (gog-view.c:892)
==7454==    by 0x547E861: plot_render (gog-chart.c:1536)
==7454==    by 0x547E2F8: gog_chart_view_render (gog-chart.c:1577)
==7454==    by 0x547AAC8: gog_graph_view_render (gog-graph.c:1026)
==7454==    by 0x5476B55: gog_view_render (gog-view.c:892)
==7454==    by 0x54C2C9B: gog_renderer_update (gog-renderer.c:1429)
==7454==    by 0x18BA7F3A: ms_excel_chart_write (ms-chart.c:5596)
==7454==    by 0x18B940C0: excel_write_chart_v8 (ms-excel-write.c:4355)
==7454==    by 0x18B940C0: excel_write_obj_v8 (ms-excel-write.c:5041)
==7454==    by 0x18B940C0: excel_write_objs_v8 (ms-excel-write.c:5612)
==7454==    by 0x18B940C0: excel_write_sheet (ms-excel-write.c:5700)
==7454==    by 0x18B8F43E: excel_write_workbook (ms-excel-write.c:6536)
==7454==    by 0x18B8F5B0: excel_write_v8 (ms-excel-write.c:6589)
==7454==    by 0x18B71DBB: excel_save (boot.c:304)
==7454==  If you believe this happened as a result of a stack
==7454==  overflow in your program's main thread (unlikely but
==7454==  possible), you can try to increase the size of the
==7454==  main thread stack using the --main-stacksize= flag.
==7454==  The main thread stack size used in this run was 67108864.
==7454==
==7454== HEAP SUMMARY:
==7454==     in use at exit: 9,147,535 bytes in 84,210 blocks
==7454==   total heap usage: 296,781 allocs, 212,571 frees, 742,342,129 bytes allocated
==7454==
==7454== LEAK SUMMARY:
==7454==    definitely lost: 5,904 bytes in 24 blocks
==7454==    indirectly lost: 25,664 bytes in 1,063 blocks
==7454==      possibly lost: 293,238 bytes in 251 blocks
==7454==    still reachable: 8,736,921 bytes in 82,125 blocks
==7454==         suppressed: 0 bytes in 0 blocks
==7454== Rerun with --leak-check=full to see details of leaked memory
Created attachment 305684: Tentative patch

I'm unable to reproduce, at least when things are compiled with gcc-4.9.2, so I'm blind there. We might have a wrong series number; please test this patch and tell me what happens.
With the given patch I am no longer crashing.
Nice, I'll commit then, maybe adding a warning. Some other plot types have the same behavior in this plugin and should be fixed too.
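The comments above attribute the crash to a "wrong series number" reaching the renderer and suggest adding a warning. The following C program is an added illustration of that defensive pattern and is not code from goffice or from the attached patch: it models a plot as a fixed array of series slots, and contrasts an unchecked lookup (an index taken from the file is used directly, which is how an out-of-range or NULL slot turns into an invalid read like the ones in the ASan and valgrind traces) with a checked lookup that validates the index against the populated count, rejects empty slots, and warns instead of dereferencing. All type and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a bar/column plot: an array of series
 * pointers plus the number of populated slots. These names are assumptions
 * for this example, not goffice's real types. */
#define MAX_SERIES 4
#define VALUES_PER_SERIES 4

typedef struct {
    const char *name;
    double      values[VALUES_PER_SERIES];
} series_t;

typedef struct {
    series_t *series[MAX_SERIES];  /* slots may be NULL while a plot is built */
    size_t    num_series;          /* number of valid entries in series[] */
} barcol_plot_t;

/* Unchecked lookup: the pattern that lets a wrong series number become an
 * out-of-bounds read (idx >= MAX_SERIES) or a NULL dereference (empty slot)
 * once the renderer walks the data. Kept only for contrast; never call it
 * with an index that came from untrusted input. */
series_t *series_lookup_unchecked(barcol_plot_t *plot, size_t idx) {
    return plot->series[idx];
}

/* Checked lookup: validates the index against the populated count and the
 * slot against NULL, emitting a warning and returning NULL on either failure
 * so the caller can skip that series instead of reading garbage. */
series_t *series_lookup_checked(barcol_plot_t *plot, size_t idx) {
    if (plot == NULL)
        return NULL;
    if (idx >= plot->num_series) {
        fprintf(stderr, "warning: series index %zu out of range (%zu series)\n",
                idx, plot->num_series);
        return NULL;
    }
    if (plot->series[idx] == NULL) {
        fprintf(stderr, "warning: series %zu has no data, skipping\n", idx);
        return NULL;
    }
    return plot->series[idx];
}

/* Render loop driven by `requested`, the series count as claimed by the file
 * (constructed input, possibly inconsistent with the plot). Sums the values of
 * every series it could safely fetch into *total and returns how many series
 * were actually rendered. */
int render_series(barcol_plot_t *plot, size_t requested, double *total) {
    int rendered = 0;
    *total = 0.0;
    for (size_t i = 0; i < requested; i++) {
        series_t *s = series_lookup_checked(plot, i);
        if (s == NULL)
            continue;  /* skip rather than read outside the array */
        for (size_t k = 0; k < VALUES_PER_SERIES; k++)
            *total += s->values[k];
        rendered++;
    }
    return rendered;
}

/* Constructed sample plot: slot 0 and slot 2 populated, slot 1 left empty,
 * num_series = 3 so slot 3 is outside the valid range. */
series_t sample_s0 = { "a", { 1, 2, 3, 4 } };
series_t sample_s2 = { "c", { 10, 10, 10, 10 } };
barcol_plot_t sample_plot = { { &sample_s0, NULL, &sample_s2, NULL }, 3 };

/* Convenience wrapper: total rendered for the sample plot given a claimed
 * series count, so callers can check the result without output parameters. */
double sample_total_for(size_t requested) {
    double total;
    render_series(&sample_plot, requested, &total);
    return total;
}

int main(void) {
    double total;
    /* A file claiming 6 series while only 3 slots are valid: the checked path
     * renders the 2 real ones and warns about the rest. */
    int n = render_series(&sample_plot, 6, &total);
    printf("rendered %d series, total %.1f\n", n, total);
    return 0;
}
```

Running the program prints that 2 of the 6 claimed series were rendered, with warnings on stderr for the empty slot and the three out-of-range indices; the same input through the unchecked lookup would read past the end of `series[]` for indices 4 and 5, which is exactly the kind of access the sanitizer flags above.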
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.