GNOME Bugzilla – Bug 751384
Null pointer crash in ms-chart.c:3030 on a fuzzed xls file
Last modified: 2015-06-24 06:47:46 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_012-ms-chart.c.3030.xls

$ ssconvert gnumeric_case_012-ms-chart.c.3030.xls /tmp/out.gnumeric
==1468==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd489ed3e67 bp 0x7ffd21e7ca50 sp 0x7ffd21e7ab20 T0)
    #0 0x7fd489ed3e66 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:3030:22
    #1 0x7fd489e5f336 in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3749:14
    #2 0x7fd489e6d3ad in ms_excel_chart_read_BOF gnumeric/gnumeric/plugins/excel/ms-chart.c:3974:8
    #3 0x7fd489e3ea44 in ms_read_OBJ gnumeric/gnumeric/plugins/excel/ms-obj.c:1323:7
    #4 0x7fd489c5edff in ms_escher_read_ClientData gnumeric/gnumeric/plugins/excel/ms-escher.c:2058:6
    #5 0x7fd489c4ca6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #6 0x7fd489c58ff3 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:560:9
    #7 0x7fd489c4ca6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #8 0x7fd489c58653 in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1998:9
    #9 0x7fd489c4ca6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #10 0x7fd489c58283 in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:2003:9
    #11 0x7fd489c4ca6d in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2174:12
    #12 0x7fd489c496a1 in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2241:2
    #13 0x7fd489ce41cd in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6804:4
    #14 0x7fd489c9852f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7098:4
    #15 0x7fd489c936e5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7204:4
    #16 0x7fd489c262d7 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #17 0x7fd489c27964 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #18 0x7fd4ae883e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #19 0x7fd4ae8979b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #20 0x7fd4ae8a51c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #21 0x7fd4b023073a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #22 0x7fd4b0231330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #23 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #24 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #25 0x7fd4a8cbc78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #26 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/ms-chart.c:3030 xl_chart_read_end

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.