GNOME Bugzilla – Bug 751502
Null pointer crash in func.c:2226 on a fuzzed qpro file
Last modified: 2015-06-26 11:45:06 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-func.c.2226.qpro

$ ssconvert -I Gnumeric_QPro:qpro gnumeric_case_001-func.c.2226.qpro /tmp/out.gnumeric
==18560==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8889d99d8f bp 0x7fff284d7850 sp 0x7fff284d7460 T0)
    #0 0x7f8889d99d8e in function_iterate_do_value gnumeric/gnumeric/src/func.c:2226:10
    #1 0x7f8889d9a6cb in function_iterate_do_value gnumeric/gnumeric/src/func.c:2247:11
    #2 0x7f8889d996ad in function_iterate_argument_values gnumeric/gnumeric/src/func.c:2369:12
    #3 0x7f8889b9c8a2 in collect_floats gnumeric/gnumeric/src/collect.c:495:11
    #4 0x7f8889ba2164 in float_range_function gnumeric/gnumeric/src/collect.c:626:9
    #5 0x7f8864521e08 in gnumeric_min gnumeric/gnumeric/plugins/fn-stat/functions.c:881:9
    #6 0x7f8889d8fb22 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #7 0x7f8889d03a4d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #8 0x7f8889d2b584 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3121:8
    #9 0x7f8889cf2854 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #10 0x7f8889cf0d37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #11 0x7f8889cb5d1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #12 0x7f8889ccea52 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #13 0x7f888a595a20 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #14 0x7f888a596330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #15 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #16 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #17 0x7f888302178f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #18 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/func.c:2226 function_iterate_do_value

-- Juha Kylmänen
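The trace shows the MIN implementation (gnumeric_min, via float_range_function and collect_floats) walking its argument values in function_iterate_do_value and dereferencing a null pointer on input that a fuzzer produced. The example below is an added illustration of that bug class and its defensive handling; it is not Gnumeric's code, does not reproduce the func.c logic, and does not describe what the actual fix in the repository did. It uses a hypothetical value model (Value, iterate_values, range_min, and the constructed sample_args input are all assumptions): empty or unpopulated slots are represented as NULL, the walker counts and skips them instead of dereferencing them, and a reduction over zero numeric values returns an error code rather than an uninitialised result.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical value model (assumption, not Gnumeric's GnmValue): a value
 * is a scalar float or a fixed-size range whose slots may be NULL, standing
 * for an empty cell or a slot a malformed file never populated. */
typedef enum { VAL_FLOAT, VAL_RANGE } ValType;

typedef struct Value {
    ValType type;
    double num;                   /* VAL_FLOAT */
    const struct Value *elems[4]; /* VAL_RANGE: NULL slot = empty */
    size_t n_elems;
} Value;

typedef int (*ValueFunc)(double v, void *closure);

/* Walks a value tree and calls f on every numeric leaf. A NULL value is
 * counted in *skipped and ignored; it is never dereferenced. Returns 0 on
 * success, the first non-zero result of f, or -1 on a corrupt type tag. */
static int iterate_values(const Value *v, ValueFunc f, void *closure,
                          size_t *skipped)
{
    if (v == NULL) {
        if (skipped) (*skipped)++;
        return 0;
    }
    switch (v->type) {
    case VAL_FLOAT:
        return f(v->num, closure);
    case VAL_RANGE:
        for (size_t i = 0; i < v->n_elems; i++) {
            int rc = iterate_values(v->elems[i], f, closure, skipped);
            if (rc != 0) return rc;
        }
        return 0;
    }
    return -1; /* unknown tag: report corrupt input instead of guessing */
}

typedef struct { double min; size_t count; } MinState;

static int collect_min(double v, void *closure)
{
    MinState *s = closure;
    if (s->count == 0 || v < s->min) s->min = v;
    s->count++;
    return 0;
}

/* MIN over an argument list. Returns 0 and stores the minimum in *out, or
 * -1 when no numeric value was found, so the caller can produce an error
 * value instead of reading garbage. *skipped receives the number of NULL
 * slots encountered, which is useful when triaging fuzzed inputs. */
int range_min(const Value *const *args, size_t n_args, double *out,
              size_t *skipped)
{
    MinState s = { 0.0, 0 };
    size_t sk = 0;
    for (size_t i = 0; i < n_args; i++)
        if (iterate_values(args[i], collect_min, &s, &sk) != 0) return -1;
    if (skipped) *skipped = sk;
    if (s.count == 0) return -1;
    *out = s.min;
    return 0;
}

/* Constructed sample input: a range with two empty slots plus a bare NULL
 * argument, the shape of input an unguarded walker would crash on. */
static const Value three = { VAL_FLOAT, 3.0, { 0 }, 0 };
static const Value seven = { VAL_FLOAT, 7.0, { 0 }, 0 };
static const Value rng = { VAL_RANGE, 0.0, { &seven, NULL, &three, NULL }, 4 };
static const Value *const sample_args[] = { &rng, NULL };
static const Value *const empty_args[] = { NULL, NULL };

/* Small wrappers over the constructed samples so results can be checked. */
double sample_min(void)      { double m = 0; size_t sk; range_min(sample_args, 2, &m, &sk); return m; }
size_t sample_skipped(void)  { double m; size_t sk = 0; range_min(sample_args, 2, &m, &sk); return sk; }
int    sample_status(void)   { double m; size_t sk; return range_min(sample_args, 2, &m, &sk); }
int    empty_status(void)    { double m; size_t sk; return range_min(empty_args, 2, &m, &sk); }
size_t empty_skipped(void)   { double m; size_t sk = 0; range_min(empty_args, 2, &m, &sk); return sk; }

int main(void)
{
    if (sample_status() == 0)
        printf("min=%g skipped=%zu\n", sample_min(), sample_skipped());
    if (empty_status() != 0)
        printf("all-empty input: no numeric values (skipped=%zu)\n", empty_skipped());
    return 0;
}
```

The two properties worth carrying into any real value walker are visible in the sample: the NULL argument and the NULL range slots are counted rather than dereferenced, and the all-empty case surfaces as an explicit error instead of a silently wrong minimum. Running the real binary under AddressSanitizer, as the reporter did, is the check that confirms a walker has both properties on fuzzed input.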
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.