Bug 751579 - Heap-buffer overread in dependent.c:977 on a fuzzed lotus file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export other
Version: git master
Hardware/OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Morten Welinder
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
Reported: 2015-06-27 08:32 UTC by jutaky
Modified: 2015-06-29 01:12 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2015-06-27 08:32:04 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-dependent.c.977.wk

$ ssconvert -I Gnumeric_lotus:lotus gnumeric_case_001-dependent.c.977.wk /tmp/out.gnumeric

==9877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000046cf8 at pc 0x7faac3880741 bp 0x7ffe8be361b0 sp 0x7ffe8be361a8
READ of size 8 at 0x615000046cf8 thread T0
    #0 0x7faac3880740 in link_range_dep gnumeric/gnumeric/src/dependent.c:977:7
    #1 0x7faac387f714 in link_unlink_range_dep gnumeric/gnumeric/src/dependent.c:1035:3
    #2 0x7faac3849d7e in link_unlink_cellrange_dep gnumeric/gnumeric/src/dependent.c:1076:3
    #3 0x7faac384b18f in link_unlink_expr_dep gnumeric/gnumeric/src/dependent.c:1102:11
    #4 0x7faac384a965 in link_unlink_expr_dep gnumeric/gnumeric/src/dependent.c:1090:10
    #5 0x7faac384475d in dependent_link gnumeric/gnumeric/src/dependent.c:1537:3
    #6 0x7faac36e7594 in gnm_cell_set_expr_and_value gnumeric/gnumeric/src/cell.c:194:3
    #7 0x7faaa09da0e7 in lotus_read_new gnumeric/gnumeric/plugins/lotus-123/lotus.c:2246:5
    #8 0x7faaa09ca382 in lotus_read gnumeric/gnumeric/plugins/lotus-123/lotus.c:2509:11
    #9 0x7faaa09c1bc7 in lotus_file_open gnumeric/gnumeric/plugins/lotus-123/boot.c:85:7
    #10 0x7faac2780e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #11 0x7faac27949b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #12 0x7faac27a21c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #13 0x7faac412d71a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #14 0x7faac412e310 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #15 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #16 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #17 0x7faabcbbb78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #18 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x615000046cf8 is located 8 bytes to the left of 512-byte region [0x615000046d00,0x615000046f00)
allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7faabd5c6391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7faac3dd0603 in gnm_sheet_constructed gnumeric/gnumeric/src/sheet.c:688:16
    #3 0x7faabdace5e6 in g_object_new_internal gnumeric/glib/gobject/gobject.c:1814

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/dependent.c:977 link_range_dep

--
Juha Kylmänen
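The report above is an AddressSanitizer trace, not an explanation of the defect, and the page does not say what dependent.c:977 indexes. As an added illustration (not Gnumeric's code and not the actual fix), the C program below models the bug class the trace is consistent with: an 8-byte read located 8 bytes before a 512-byte calloc'd region, i.e. element -1 of an array of 64 pointers, reached through a row coordinate taken from the input file without a bounds check. The table layout, the bucket arithmetic, every name (DepTable, dep_link_unchecked, ROWS_PER_BUCKET, and so on) and the input values are assumptions constructed for the example. Built with `-fsanitize=address` and run with `--crash`, it produces a report of the same shape as the one in the description; without the flag it only exercises the checked path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Gnumeric's code: a model of a per-sheet dependency
 * table with 64 pointer-sized list heads.  On an LP64 system that is a
 * 512-byte zeroed allocation, the same size as the region in the ASan
 * report.  Bucket layout and row math are assumptions for illustration. */
#define N_BUCKETS       64
#define ROWS_PER_BUCKET 1024
#define MAX_ROW         (N_BUCKETS * ROWS_PER_BUCKET)  /* one past last valid row */

typedef struct DepNode {
    int start_row, end_row;
    struct DepNode *next;
} DepNode;

typedef struct {
    DepNode **buckets;   /* calloc'd array of N_BUCKETS list heads */
} DepTable;

DepTable *dep_table_new(void)
{
    DepTable *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->buckets = calloc(N_BUCKETS, sizeof *t->buckets);   /* the 512-byte region */
    if (!t->buckets) abort();
    return t;
}

void dep_table_free(DepTable *t)
{
    for (int b = 0; b < N_BUCKETS; b++) {
        DepNode *n = t->buckets[b];
        while (n) { DepNode *next = n->next; free(n); n = next; }
    }
    free(t->buckets);
    free(t);
}

/* How the unchecked path picks a bucket: from a coordinate copied straight
 * out of the file.  A negative row yields a negative index. */
int bucket_index_unchecked(int row)
{
    return row / ROWS_PER_BUCKET;
}

/* The bug class: index the table with an unvalidated range.  With
 * start_row = -1024 this reads buckets[-1], 8 bytes before the 512-byte
 * region (the shape ASan reported), and then writes there as well. */
void dep_link_unchecked(DepTable *t, int start_row, int end_row)
{
    int b = bucket_index_unchecked(start_row);
    DepNode *n = malloc(sizeof *n);
    if (!n) abort();
    n->start_row = start_row;
    n->end_row = end_row;
    n->next = t->buckets[b];   /* heap-buffer-overflow READ of size 8 when b < 0 */
    t->buckets[b] = n;         /* and the matching WRITE */
}

/* Hardened path: validate the range against the sheet bounds before it is
 * used as an index.  Returns the bucket used, or -1 for a rejected range. */
int dep_link_checked(DepTable *t, int start_row, int end_row)
{
    if (start_row < 0 || end_row < start_row || end_row >= MAX_ROW)
        return -1;            /* malformed range from untrusted input */
    int b = start_row / ROWS_PER_BUCKET;
    DepNode *n = malloc(sizeof *n);
    if (!n) return -1;
    n->start_row = start_row;
    n->end_row = end_row;
    n->next = t->buckets[b];
    t->buckets[b] = n;
    return b;
}

/* Number of dependents linked into a bucket; -1 for an invalid bucket. */
int bucket_len(const DepTable *t, int b)
{
    int len = 0;
    if (b < 0 || b >= N_BUCKETS) return -1;
    for (const DepNode *n = t->buckets[b]; n; n = n->next) len++;
    return len;
}

int main(int argc, char **argv)
{
    DepTable *t = dep_table_new();
    /* Constructed input standing in for a fuzzed coordinate: a range whose
     * start row is negative, which a well-formed file never produces. */
    int fuzzed_start = -1024, fuzzed_end = 5;

    printf("unchecked bucket index for row %d: %d\n",
           fuzzed_start, bucket_index_unchecked(fuzzed_start));
    if (dep_link_checked(t, fuzzed_start, fuzzed_end) < 0)
        puts("checked path: range rejected, nothing indexed");
    printf("checked path: sane range linked into bucket %d\n",
           dep_link_checked(t, 2048, 2100));

    /* Only on request: trigger the bug.  Build with -fsanitize=address. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        dep_link_unchecked(t, fuzzed_start, fuzzed_end);

    dep_table_free(t);
    return 0;
}
```

Build and run with `cc -g -fsanitize=address example.c -o example && ./example --crash`; ASan stops at the `n->next = t->buckets[b]` read and reports a READ of size 8 located 8 bytes to the left of a 512-byte region allocated by calloc, which is the signature to look for when triaging a trace like the one above. The checked path is the general fix for this class: treat every coordinate decoded from the file as untrusted and reject it before it becomes an array index.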
Comment 1 Morten Welinder 2015-06-29 01:12:17 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.