GNOME Bugzilla – Bug 751658
GROWTH's second argument is optional, but using that causes a crash
Last modified: 2015-06-29 17:29:03 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_005-collect.c.788.xls

$ ssconvert gnumeric_case_005-collect.c.788.xls /tmp/out.gnumeric
==4792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60a98f2102 bp 0x7ffd4eef5430 sp 0x7ffd4eef4e40 T0)
    #0 0x7f60a98f2101 in collect_float_pairs gnumeric/gnumeric/src/collect.c:788:6
    #1 0x7f6092a02c59 in gnumeric_growth gnumeric/gnumeric/plugins/fn-stat/functions.c:4299:8
    #2 0x7f60a9ae438c in function_call_with_exprs gnumeric/gnumeric/src/func.c:2101:9
    #3 0x7f60a9a51b3d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #4 0x7f60a9a79624 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3122:8
    #5 0x7f60a9a40944 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #6 0x7f60a9a3ee27 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #7 0x7f60a9a03e0d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #8 0x7f60a9a1cb42 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #9 0x7f60aa2e3160 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #10 0x7f60aa2e3a70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #11 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #12 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #13 0x7f60a2d7178f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #14 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/collect.c:788 collect_float_pairs

--
Juha Kylmänen

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.