Bug 751258 – Stack-overflow in ms-escher.c on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751258 - Stack-overflow in ms-escher.c on a fuzzed xls file


Summary:	Stack-overflow in ms-escher.c on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-06-20 12:06 UTC by jutaky
Modified:	2015-06-22 18:22 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-06-20 12:06:14 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_007-ms-escher.c.xls

$ ssconvert gnumeric_case_007-ms-escher.c.xls /tmp/out.gnumeric

==23781==ERROR: AddressSanitizer: stack-overflow on address 0x7fff7be41f96 (pc 0x7fde098a7e94 bp 0x7fff7be42350 sp 0x7fff7be41ca0 T0)
    #0 0x7fde098a7e93 in ms_escher_get_data gnumeric/gnumeric/plugins/excel/ms-escher.c:227:2
    #1 0x7fde0989cd8a in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2089:24
    #2 0x7fde098ab363 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #3 0x7fde0989edd6 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #4 0x7fde098ab363 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #5 0x7fde0989edd6 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #6 0x7fde098ab363 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #7 0x7fde0989edd6 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #8 0x7fde098ab363 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #9 0x7fde0989edd6 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #10 0x7fde098ab363 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #11 0x7fde0989edd6 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    <snip>
    #250 0x7fde098ab363 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #251 0x7fde0989edd6 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12

SUMMARY: AddressSanitizer: stack-overflow gnumeric/gnumeric/plugins/excel/ms-escher.c:227 ms_escher_get_data

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-06-22 18:22:05 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.