GNOME Bugzilla – Bug 751383
Null pointer crash in sheet-object-graph.c:967 on a fuzzed .gnumeric file
Last modified: 2015-06-24 06:27:02 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-sheet-object-graph.c.967.randomly.gnumeric

I noticed that this case doesn't crash every time when having a regular debug build. Maybe once or twice per five executions. Odd?

$ ssconvert gnumeric_case_001-sheet-object-graph.c.967.randomly.gnumeric /tmp/out.gnumeric
==23406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd3b4706e15 bp 0x7ffd07289cf0 sp 0x7ffd07289908 T0)
    #0 0x7fd3b4706e14 in g_type_check_instance_is_fundamentally_a gnumeric/glib/gobject/gtype.c:4026
    #1 0x7fd3b46e76dd in g_object_ref gnumeric/glib/gobject/gobject.c:3040
    #2 0x7fd3bab714bd in dim_start gnumeric/gnumeric/src/sheet-object-graph.c:967:19
    #3 0x7fd3b87ca395 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #4 0x7fd3b87e321d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #5 0x7fd3b87de240 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #6 0x7fd3b77a6b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #7 0x7fd3b77b271f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #8 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #13 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #14 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #15 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #16 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #17 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #18 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #19 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #20 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #21 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #22 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #23 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #24 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #25 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #26 0x7fd3b77b0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #27 0x7fd3b77b5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #28 0x7fd3b77d9684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #29 0x7fd3b87caaa3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #30 0x7fd3bae42f3a in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3410:7
    #31 0x7fd3bae48ca0 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3539:7
    #32 0x7fd3b93d0e84 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #33 0x7fd3b93be1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #34 0x7fd3bad4973a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #35 0x7fd3bad4a330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #36 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #37 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #38 0x7fd3b37d578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #39 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/glib/gobject/gtype.c:4026 g_type_check_instance_is_fundamentally_a

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.