Bug 751270 – Null pointer crash in ms-chart.c:2942 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751270 - Null pointer crash in ms-chart.c:2942 on a fuzzed xls file


Summary:	Null pointer crash in ms-chart.c:2942 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-06-21 06:54 UTC by jutaky
Modified:	2015-06-25 15:12 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-06-21 06:54:57 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_008-ms-chart.c.2942.xls

$ ssconvert gnumeric_case_008-ms-chart.c.2942.xls /tmp/out.gnumeric

==25525==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7efd01e75576 bp 0x7ffcda55e790 sp 0x7ffcda55c860 T0)
    #0 0x7efd01e75575 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:2942:8
    #1 0x7efd01e015cf in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3642:14
    #2 0x7efd01e0f62d in ms_excel_chart_read_BOF gnumeric/gnumeric/plugins/excel/ms-chart.c:3867:8
    #3 0x7efd01de0d54 in ms_read_OBJ gnumeric/gnumeric/plugins/excel/ms-obj.c:1323:7
    #4 0x7efd01c011ef in ms_escher_read_ClientData gnumeric/gnumeric/plugins/excel/ms-escher.c:2058:6
    #5 0x7efd01beee56 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #6 0x7efd01bfb3e3 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #7 0x7efd01beee56 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #8 0x7efd01bfaa43 in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1998:9
    #9 0x7efd01beee56 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #10 0x7efd01bfa673 in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:2003:9
    #11 0x7efd01beee56 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2166:12
    #12 0x7efd01bebc51 in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2233:2
    #13 0x7efd01c865bd in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6803:4
    #14 0x7efd01c3a91f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7097:4
    #15 0x7efd01c35ad5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7203:4
    #16 0x7efd01bc8887 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #17 0x7efd01bc9f14 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #18 0x7efd26823e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #19 0x7efd268379b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #20 0x7efd268451c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #21 0x7efd281cf73a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #22 0x7efd281d0330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #23 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #24 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #25 0x7efd20c5c78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #26 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/ms-chart.c:2942 xl_chart_read_end

--
Juha Kylmänen

Comment 1 Jean Bréfort 2015-06-22 06:42:39 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.

Comment 2 jutaky 2015-06-25 14:22:32 UTC

I am still crashing with the test case on slightly different location now. Different bug or just changes to the file?

$ ssconvert gnumeric_case_008-ms-chart.c.2942.xls /tmp/out.gnumeric

==23429==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f279d450736 bp 0x7fffc82788b0 sp 0x7fffc8276960 T0)
    #0 0x7f279d450735 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:3046:19
    #1 0x7f279d3db3ad in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3750:14
    #2 0x7f279d3e940d in ms_excel_chart_read_BOF gnumeric/gnumeric/plugins/excel/ms-chart.c:3975:8
    #3 0x7f279d3baa44 in ms_read_OBJ gnumeric/gnumeric/plugins/excel/ms-obj.c:1323:7
    #4 0x7f279d1dadff in ms_escher_read_ClientData gnumeric/gnumeric/plugins/excel/ms-escher.c:2058:6
    #5 0x7f279d1c8a6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #6 0x7f279d1d4ff3 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #7 0x7f279d1c8a6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #8 0x7f279d1d4653 in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1998:9
    #9 0x7f279d1c8a6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #10 0x7f279d1d4283 in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:2003:9
    #11 0x7f279d1c8a6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #12 0x7f279d1c56a1 in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2241:2
    #13 0x7f279d2601cd in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6804:4
    #14 0x7f279d21452f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7098:4
    #15 0x7f279d20f6e5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7204:4
    #16 0x7f279d1a22d7 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #17 0x7f279d1a3964 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #18 0x7f27c1dffe30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #19 0x7f27c1e139b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #20 0x7f27c1e211c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #21 0x7f27c37ac73a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #22 0x7f27c37ad330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #23 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #24 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #25 0x7f27bc23878f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #26 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/ms-chart.c:3046 xl_chart_read_end

Comment 3 Jean Bréfort 2015-06-25 14:58:22 UTC

Please try again.

Comment 4 jutaky 2015-06-25 15:12:14 UTC

No longer crashes.