GNOME Bugzilla – Bug 751271
Null pointer crash in ms-excel-read.c:5037 on a fuzzed xls file
Last modified: 2015-06-22 07:18:31 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_009-ms-excel-read.c.5037.xls

$ ssconvert gnumeric_case_009-ms-excel-read.c.5037.xls /tmp/out.gnumeric
==28985==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe725582a08 bp 0x7fff5b3a54d0 sp 0x7fff5b3a50e0 T0)
    #0 0x7fe725582a07 in excel_read_PANE gnumeric/gnumeric/plugins/excel/ms-excel-read.c:5037:15
    #1 0x7fe725563b36 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6753:20
    #2 0x7fe72551891f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7097:4
    #3 0x7fe725513ad5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7203:4
    #4 0x7fe7254a6887 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #5 0x7fe7254a7f14 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #6 0x7fe74a101e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #7 0x7fe74a1159b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #8 0x7fe74a1231c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #9 0x7fe74baad73a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #10 0x7fe74baae330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #11 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #12 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #13 0x7fe74453a78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #14 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/ms-excel-read.c:5037 excel_read_PANE

-- Juha Kylmänen
Created attachment 305805: patch

We should test whether q->data is not NULL (or better, whether q->len is large enough) in all places where we read data from an xls file, I suppose.
Review of attachment 305805: We need to check the size as done elsewhere.
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution. There are still other places where q->length should be checked.
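The length check the comments above call for, as an added example that is not gnumeric's code: a minimal BIFF record walker in C with the unchecked PANE reader (the pattern behind the SEGV) beside a checked one. The Rec and Pane structs, the helper names, the 0x41 opcode and the 10-byte minimum body are this example's assumptions modelled on the BIFF PANE record, and the byte stream is constructed here rather than taken from the fuzzed file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for gnumeric's BiffQuery (names are this example's own):
 * record opcode, the body length declared in the record header, and a
 * pointer to the body, which is NULL when the declared length is zero. */
typedef struct {
    uint16_t opcode;
    uint16_t length;
    const uint8_t *data;
} Rec;

typedef struct {
    uint16_t x, y;        /* split positions */
    uint16_t top_row;     /* first visible row of the bottom pane */
    uint16_t left_col;    /* first visible column of the right pane */
    uint8_t  active;      /* active pane number */
} Pane;

#define BIFF_PANE     0x0041   /* PANE opcode (assumed, modelled on BIFF) */
#define PANE_MIN_LEN  10       /* assumed minimum body: 4 x u16 + u8 + reserved u8 */

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The pattern that crashed: fields are read straight from q->data with no
 * check that the record carries them. A PANE whose header declares length 0
 * gives data == NULL, so the first read dereferences address 0; a body of
 * 1..9 bytes reads past the record instead. Never call this directly. */
static void read_pane_unchecked(const Rec *q, Pane *out)
{
    out->x        = get_le16(q->data + 0);
    out->y        = get_le16(q->data + 2);
    out->top_row  = get_le16(q->data + 4);
    out->left_col = get_le16(q->data + 6);
    out->active   = q->data[8];
}

/* Hardened reader: one check on the declared length also covers the NULL
 * case, since a zero-length body is exactly what produced the NULL. */
static int read_pane_checked(const Rec *q, Pane *out)
{
    if (q->data == NULL || q->length < PANE_MIN_LEN)
        return -1;                 /* malformed: skip it, read nothing */
    read_pane_unchecked(q, out);   /* safe now: body has >= PANE_MIN_LEN bytes */
    return 0;
}

/* Walk a raw record stream (4-byte header: u16 opcode, u16 length, body).
 * A header or body running past the buffer ends the walk; malformed PANE
 * bodies are counted in *rejected. Returns the number of PANEs decoded. */
static size_t parse_panes(const uint8_t *buf, size_t n,
                          Pane *out, size_t max, size_t *rejected)
{
    size_t pos = 0, found = 0;
    *rejected = 0;
    while (n - pos >= 4) {
        Rec q;
        q.opcode = get_le16(buf + pos);
        q.length = get_le16(buf + pos + 2);
        pos += 4;
        if (q.length > n - pos)
            break;                          /* body truncated by the stream */
        q.data = q.length ? buf + pos : NULL;
        pos += q.length;
        if (q.opcode != BIFF_PANE)
            continue;
        if (found < max && read_pane_checked(&q, &out[found]) == 0)
            found++;
        else
            (*rejected)++;
    }
    return found;
}

/* Constructed stream: a well-formed PANE, a PANE with an empty body (the
 * crash trigger), a PANE with a 4-byte body, and an empty non-PANE record. */
static const uint8_t sample_stream[] = {
    0x41, 0x00, 0x0A, 0x00,  0x03,0x00, 0x05,0x00, 0x05,0x00, 0x03,0x00, 0x00, 0x00,
    0x41, 0x00, 0x00, 0x00,
    0x41, 0x00, 0x04, 0x00,  0x01,0x00, 0x02,0x00,
    0x0A, 0x00, 0x00, 0x00,
};

typedef struct { size_t decoded, rejected; Pane first; } DemoResult;

DemoResult run_demo(void)
{
    DemoResult r = {0};
    Pane panes[4];
    r.decoded = parse_panes(sample_stream, sizeof sample_stream, panes, 4, &r.rejected);
    if (r.decoded > 0)
        r.first = panes[0];
    return r;
}

int main(void)
{
    DemoResult r = run_demo();
    printf("decoded %zu PANE record(s), rejected %zu malformed\n", r.decoded, r.rejected);
    if (r.decoded)
        printf("  x=%u y=%u top_row=%u left_col=%u active=%u\n", r.first.x, r.first.y,
               r.first.top_row, r.first.left_col, r.first.active);
    return 0;
}
```

The point of the walker is that the same length-versus-need comparison has to sit in front of every record reader, not just PANE; the reader for each opcode knows its own minimum size, and a record that declares less than that is dropped before any byte of its body is touched.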