Bug 751250 – Segfault in gog-grid-line.c:621 on saving a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751250 - Segfault in gog-grid-line.c:621 on saving a fuzzed xls file


Summary:	Segfault in gog-grid-line.c:621 on saving a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-06-20 09:56 UTC by jutaky
Modified:	2015-06-21 00:23 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-06-20 09:56:19 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-gog-grid-line.c.621.xls

$ ssconvert gnumeric_case_002-gog-grid-line.c.621.xls /tmp/out.xls

==25406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fa253bba04d bp 0x7fffb3728f70 sp 0x7fffb3728480 T0)
    #0 0x7fa253bba04c in gog_grid_line_radial_render gnumeric/goffice/goffice/graph/gog-grid-line.c:621:23
    #1 0x7fa253ba87e7 in gog_grid_line_view_render gnumeric/goffice/goffice/graph/gog-grid-line.c:884:6
    #2 0x7fa253ba8c98 in gog_grid_line_view_render_lines gnumeric/goffice/goffice/graph/gog-grid-line.c:913:2
    #3 0x7fa253a50385 in grid_line_render gnumeric/goffice/goffice/graph/gog-chart.c:1518:3
    #4 0x7fa253a4c574 in gog_chart_view_render gnumeric/goffice/goffice/graph/gog-chart.c:1576:5
    #5 0x7fa253a09a58 in gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:897:3
    #6 0x7fa253a3232b in gog_graph_view_render gnumeric/goffice/goffice/graph/gog-graph.c:1026:3
    #7 0x7fa253a09910 in gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:892:3
    #8 0x7fa253cb2649 in gog_renderer_update gnumeric/goffice/goffice/graph/gog-renderer.c:1429:3
    #9 0x7fa22ee7fc9d in ms_excel_chart_write gnumeric/gnumeric/plugins/excel/ms-chart.c:5596:2
    #10 0x7fa22edc349b in excel_write_chart_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:4355:2
    #11 0x7fa22edbda88 in excel_write_obj_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5041:10
    #12 0x7fa22ed9d7b9 in excel_write_objs_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5612:10
    #13 0x7fa22ed93366 in excel_write_sheet gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5700:3
    #14 0x7fa22ed60961 in excel_write_workbook gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6536:3
    #15 0x7fa22ed61399 in excel_write_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6589:3
    #16 0x7fa22ec39d61 in excel_save gnumeric/gnumeric/plugins/excel/boot.c:304:3
    #17 0x7fa22ec3a7bc in excel_biff8_file_save gnumeric/gnumeric/plugins/excel/boot.c:350:2
    #18 0x7fa25389045a in go_plugin_loader_module_func_file_save gnumeric/goffice/goffice/app/go-plugin-loader-module.c:366:2
    #19 0x7fa25389fcc1 in go_plugin_file_saver_save gnumeric/goffice/goffice/app/go-plugin-service.c:948:2
    #20 0x7fa2538b9d24 in go_file_saver_save gnumeric/goffice/goffice/app/file.c:848:2
    #21 0x7fa255237473 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059:2
    #22 0x7fa255237eff in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093:3
    #23 0x7fa2552396e3 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129:2
    #24 0x4e2afc in convert gnumeric/gnumeric/src/ssconvert.c:837:9
    #25 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #26 0x7fa24dcca78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #27 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/graph/gog-grid-line.c:621 gog_grid_line_radial_render

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-06-21 00:23:14 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.