GNOME Bugzilla – Bug 751660
Use-after-free in position.c:611 on a fuzzed xls file
Last modified: 2015-06-30 00:26:57 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_007-position.c.611.xls

$ ssconvert gnumeric_case_007-position.c.611.xls /tmp/out.gnumeric
==11478==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300007ad44 at pc 0x7f33b5d7fd27 bp 0x7ffc35c23310 sp 0x7ffc35c23308
READ of size 4 at 0x60300007ad44 thread T0
    #0 0x7f33b5d7fd26 in gnm_cellpos_equal gnumeric/gnumeric/src/position.c:611:10
    #1 0x7f33af6de7c9 in g_hash_table_lookup_node gnumeric/glib/glib/ghash.c:396
    #2 0x7f33af6de7c9 in g_hash_table_insert_internal gnumeric/glib/glib/ghash.c:1226
    #3 0x7f339225d0c7 in excel_formula_shared gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2809:3
    #4 0x7f339221c1d8 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2968:11
    #5 0x7f339220ca14 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6679:25
    #6 0x7f33921c261f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7105:4
    #7 0x7f33921bd7d5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7211:4
    #8 0x7f3392150001 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #9 0x7f3392151a54 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #10 0x7f33b48afe30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #11 0x7f33b48c39b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #12 0x7f33b48d11c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #13 0x7f33b625be7a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #14 0x7f33b625ca70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #15 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #16 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #17 0x7f33aecea78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #18 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x60300007ad44 is located 4 bytes inside of 32-byte region [0x60300007ad40,0x60300007ad60)
freed by thread T0 here:
    #0 0x4be942 in __interceptor_free (apps/bin/ssconvert+0x4be942)
    #1 0x7f33af6de34a in g_hash_table_insert_node gnumeric/glib/glib/ghash.c:991

previously allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7f33af6f5391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7f339221c1d8 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2968:11
    #3 0x7f339220ca14 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6679:25
    #4 0x7f33921c261f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7105:4
    #5 0x7f33921bd7d5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7211:4
    #6 0x7f3392150001 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #7 0x7f3392151a54 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #8 0x7f33b48afe30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #9 0x7f33b48c39b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #10 0x7f33b48d11c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #11 0x7f33b625be7a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #12 0x7f33b625ca70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #13 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #14 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #15 0x7f33aecea78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/src/position.c:611 gnm_cellpos_equal

-- Juha Kylmänen
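The report above has the three-stack shape every AddressSanitizer use-after-free report has: the faulting access (here a 4-byte READ at offset 4 of a 32-byte object, in gnm_cellpos_equal called back from GLib's hash table), the free site (inside g_hash_table_insert_node, with no project frame under it) and the allocation site (g_malloc0 from excel_read_FORMULA). The script below is an added triage aid, not part of Gnumeric, GLib or the bug report: it parses that structure and, for each stack, picks the nearest frame that is in the code under test rather than in libc or GLib, which is the frame a fuzzing campaign usually buckets duplicate crashes on. The library-path and library-function markers are assumptions for this example; the embedded sample is the report above, reflowed and abridged to its top frames.

```python
# Added triage helper for AddressSanitizer use-after-free reports (example code,
# not part of Gnumeric or of the bug report above). It splits a report into its
# three stacks (faulting access, free site, allocation site) and returns, for
# each, the nearest frame in the code under test rather than in libc or GLib.
import re

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+))?")

# What counts as "library" is an assumption for this example; tune it per project.
LIBRARY_FUNCTIONS = {"malloc", "calloc", "realloc", "free", "_start", "__libc_start_main"}
LIBRARY_PATHS = ("/glib/", "/libc.", "/ld-")

# Abridged from the report in the bug above (reflowed, inner frames dropped).
SAMPLE_REPORT = """\
==11478==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300007ad44 at pc 0x7f33b5d7fd27 bp 0x7ffc35c23310 sp 0x7ffc35c23308
READ of size 4 at 0x60300007ad44 thread T0
    #0 0x7f33b5d7fd26 in gnm_cellpos_equal gnumeric/gnumeric/src/position.c:611:10
    #1 0x7f33af6de7c9 in g_hash_table_lookup_node gnumeric/glib/glib/ghash.c:396
    #2 0x7f33af6de7c9 in g_hash_table_insert_internal gnumeric/glib/glib/ghash.c:1226
    #3 0x7f339225d0c7 in excel_formula_shared gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2809:3
    #4 0x7f339221c1d8 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2968:11
0x60300007ad44 is located 4 bytes inside of 32-byte region [0x60300007ad40,0x60300007ad60)
freed by thread T0 here:
    #0 0x4be942 in __interceptor_free (apps/bin/ssconvert+0x4be942)
    #1 0x7f33af6de34a in g_hash_table_insert_node gnumeric/glib/glib/ghash.c:991
previously allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7f33af6f5391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7f339221c1d8 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2968:11
SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/src/position.c:611 gnm_cellpos_equal
"""


def parse_asan_report(text):
    """Split an ASan report into header fields and the use/free/alloc stacks."""
    header, access, region = (r.search(text) for r in (HEADER_RE, ACCESS_RE, REGION_RE))
    report = {
        "bug_class": header.group(1) if header else None,
        "address": header.group(2) if header else None,
        "access": (access.group(1), int(access.group(2))) if access else None,
        "region": (int(region.group(1)), int(region.group(2))) if region else None,
        "stacks": {"use": [], "free": [], "alloc": []},
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if ACCESS_RE.match(line):
            section = "use"  # the frames that follow are the faulting access
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif line.startswith("SUMMARY:"):
            section = None
        m = FRAME_RE.match(line)
        if m and section:
            report["stacks"][section].append(
                {"index": int(m.group(1)), "function": m.group(2), "location": m.group(3) or ""})
    return report


def is_library_frame(frame):
    fn = frame["function"]
    return (fn in LIBRARY_FUNCTIONS or fn.startswith("__interceptor_")
            or any(p in frame["location"] for p in LIBRARY_PATHS))


def first_project_frame(frames):
    """Nearest frame owned by the code under test, or None if the stack is all library code."""
    return next((f for f in frames if not is_library_frame(f)), None)


def frame_name(frame):
    return frame["function"] if frame else "<library>"


def triage(text):
    """Reduce a report to its three owning frames plus a bucket key for crash deduplication."""
    report = parse_asan_report(text)
    sites = {k: first_project_frame(v) for k, v in report["stacks"].items()}
    return {
        "bug_class": report["bug_class"],
        "access": report["access"],
        "region": report["region"],
        "use_site": sites["use"],
        "free_site": sites["free"],
        "alloc_site": sites["alloc"],
        # No project frame under the free means a library released the object
        # (here GLib's g_hash_table_insert_node): ownership was handed off while
        # the caller kept a pointer. That hand-off is the first place to look.
        "freed_inside_library": sites["free"] is None and bool(report["stacks"]["free"]),
        "bucket": "|".join([report["bug_class"] or "?", frame_name(sites["use"]),
                            frame_name(sites["free"]), frame_name(sites["alloc"])]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For this report the free stack yields no project frame at all, which is the useful signal: the object allocated in excel_read_FORMULA was released from inside GLib's hash table code and then read again through the equality callback, so the question to answer from the source is which side still believed it owned that key.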
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.