GNOME Bugzilla – Bug 751060
Null pointer crash in go-styled-object.c:129 on a fuzzed ods file
Last modified: 2015-06-17 06:09:02 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_7948_12371.ods

$ ssconvert gnumeric_case_7948_12371.ods /tmp/out.gnumeric
==13772==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7eddf06d79 bp 0x7ffe33845930 sp 0x7ffe338457e0 T0)
    #0 0x7f7eddf06d78 in go_styled_object_get_style gnumeric/goffice/goffice/utils/go-styled-object.c:129:31
    #1 0x7f7eb8eb8a7b in od_series_reg_equation gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9544:4
    #2 0x7f7edcb72395 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #3 0x7f7edcb8b21d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #4 0x7f7edcb86240 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #5 0x7f7edbb4eb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #6 0x7f7edbb5a71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #7 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #14 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #15 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #16 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #17 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #18 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #19 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #20 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #21 0x7f7edbb81684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #22 0x7f7edcb72aa3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #23 0x7f7eb8eedb65 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8343:3
    #24 0x7f7edcb72395 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #25 0x7f7edcb8b21d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #26 0x7f7edcb86240 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #27 0x7f7edbb4eb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #28 0x7f7edbb5a71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #29 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #30 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #31 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #32 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #33 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #34 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #35 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #36 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #37 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #38 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #39 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #40 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #41 0x7f7edbb58bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #42 0x7f7edbb5d039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #43 0x7f7edbb81684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #44 0x7f7edcb72aa3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #45 0x7f7eb8e69c70 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13950:24
    #46 0x7f7edd744c80 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #47 0x7f7edd758804 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #48 0x7f7edd766018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #49 0x7f7edf0ecf2a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #50 0x7f7edf0edb20 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #51 0x4e0dc1 in convert gnumeric/gnumeric/src/ssconvert.c:719:9
    #52 0x4dec1e in main gnumeric/gnumeric/src/ssconvert.c:910:9
    #53 0x7f7ed7b7d78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #54 0x437ae8 in _start (apps/bin/ssconvert+0x437ae8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/utils/go-styled-object.c:129 go_styled_object_get_style

-- Juha Kylmänen
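The frames in the report show go_styled_object_get_style() being handed a NULL object by od_series_reg_equation(), an element handler that libgsf's SAX dispatch (gsf_xml_in_start_element -> lookup_child -> push_child) invokes for a start tag inside the embedded chart document. The C program below is an added illustration, not code from gnumeric, goffice or the reporter: a toy SAX-style dispatcher in which the handler for a regression-equation element assumes the enclosing series element has already set up its state. That a misplaced element is the actual cause of this crash is an assumption; the report itself only shows the NULL dereference. The unchecked handler reproduces the crash class on the constructed fuzzed stream; the checked handler treats an orphaned child as malformed input and skips it. All type and function names are invented for the example.

```c
/*
 * Added illustration (not code from gnumeric, goffice or bug 751060):
 * a child-element handler that trusts an ordering the schema promises
 * but the SAX parser does not enforce.  Names below are hypothetical.
 */
#include <stdio.h>
#include <stddef.h>

/* Stands in for a GOStyledObject: the thing a style query dereferences. */
typedef struct {
    const char *name;
    int style_id;
} StyledObject;

/* Parser state shared by the element handlers. */
typedef struct {
    StyledObject *cur_series;   /* NULL until a series start tag is seen */
    int equations_seen;         /* equations that were actually styled */
    int equations_skipped;      /* hardened path: orphans rejected */
} ParseState;

/* Stands in for go_styled_object_get_style(): dereferences unconditionally. */
static int styled_object_get_style(StyledObject *obj)
{
    return obj->style_id;       /* SEGV on address 0 when obj == NULL */
}

/* Parent handler: establishes the context that children rely on. */
static void series_start(ParseState *st, StyledObject *series)
{
    st->cur_series = series;
}

static void series_end(ParseState *st)
{
    st->cur_series = NULL;
}

/* Vulnerable child handler: assumes a series always encloses the equation. */
static int equation_start_unchecked(ParseState *st)
{
    st->equations_seen++;
    return styled_object_get_style(st->cur_series);
}

/* Hardened child handler: a missing parent means malformed input, not a style. */
static int equation_start_checked(ParseState *st)
{
    if (st->cur_series == NULL) {
        st->equations_skipped++;
        return -1;              /* caller ignores the element */
    }
    st->equations_seen++;
    return styled_object_get_style(st->cur_series);
}

/* Tiny event stream standing in for libxml2's start/end-tag callbacks. */
typedef enum { EV_SERIES_START, EV_SERIES_END, EV_EQUATION } Event;

/* Feeds events to the chosen handler; returns how many equations were
 * rejected as orphans (always 0 on the unchecked path, which crashes instead). */
static int run_stream(const Event *events, size_t n, int checked, ParseState *out)
{
    StyledObject series = { "series-1", 7 };
    ParseState st = { NULL, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        switch (events[i]) {
        case EV_SERIES_START: series_start(&st, &series); break;
        case EV_SERIES_END:   series_end(&st); break;
        case EV_EQUATION:
            if (checked) equation_start_checked(&st);
            else         equation_start_unchecked(&st);
            break;
        }
    }
    if (out) *out = st;
    return st.equations_skipped;
}

/* Convenience for checking how many equations actually got a style. */
static int equations_styled(const Event *events, size_t n, int checked)
{
    ParseState st;
    run_stream(events, n, checked, &st);
    return st.equations_seen;
}

/* Constructed inputs: a well-formed series, and a fuzzed stream whose
 * equation arrives before any series has been opened. */
static const Event WELL_FORMED[] = { EV_SERIES_START, EV_EQUATION, EV_SERIES_END };
static const Event FUZZED[]      = { EV_EQUATION, EV_SERIES_START, EV_SERIES_END };

int main(void)
{
    printf("unchecked, well-formed: %d equation(s) styled\n",
           equations_styled(WELL_FORMED, 3, 0));
    printf("checked, fuzzed: %d orphan equation(s) skipped\n",
           run_stream(FUZZED, 3, 1, NULL));
    /* run_stream(FUZZED, 3, 0, NULL) would dereference NULL, as in the report. */
    return 0;
}
```

The point of the checked variant is where the guard lives: in the child handler, at the moment it reaches for parent state, rather than in the library routine that finally dereferences the pointer. A fuzzer finds exactly the element orderings a hand-written reader never expected, so every handler that depends on an earlier one having run should verify that it did.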
This problem has been fixed in the unstable development version. The fix will be available in the next major software release. You may need to upgrade your Linux distribution to obtain that newer version.