GNOME Bugzilla – Bug 751744
Null pointer crash in gog-object.c:1362 on a fuzzed xls file
Last modified: 2015-07-03 09:18:25 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-gog-object.c.1362.xls

$ ssconvert gnumeric_case_001-gog-object.c.1362.xls /tmp/out.gnumeric
==1410==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4120a1abad bp 0x7ffec16ba9b0 sp 0x7ffec16ba800 T0)
    #0 0x7f4120a1abac in gog_role_cmp gnumeric/goffice/goffice/graph/gog-object.c:1362:41
    #1 0x7f4120a1929f in gog_role_cmp_full gnumeric/goffice/goffice/graph/gog-object.c:1379:12
    #2 0x7f4120a22278 in gog_object_set_parent gnumeric/goffice/goffice/graph/gog-object.c:1742:9
    #3 0x7f4120a10782 in gog_object_add_by_role gnumeric/goffice/goffice/graph/gog-object.c:1803:6
    #4 0x7f4120a24c66 in gog_object_add_by_name gnumeric/goffice/goffice/graph/gog-object.c:1824:9
    #5 0x7f40fbf30e30 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:2700:5
    #6 0x7f40fbec6173 in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3769:14
    #7 0x7f40fbcffb1d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7110:4
    #8 0x7f40fbcf9c6c in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7193:3
    #9 0x7f40fbc8e071 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #10 0x7f40fbc8fac4 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #11 0x7f41208e4e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #12 0x7f41208f89b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #13 0x7f41209061c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #14 0x7f41222856b4 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #15 0x7f41222862a0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #16 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #17 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #18 0x7f411ad2378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #19 0x437c58 in _start (apps/bin/ssconvert+0x437c58)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/graph/gog-object.c:1362 gog_role_cmp

-- Juha Kylmänen
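An added triage helper, not part of this bug report nor of the gnumeric/goffice code base, that parses the AddressSanitizer report above (embedded with frames #6 to #17 omitted) and pulls out what a maintainer checks first: whether the fault address means a near-NULL dereference rather than a wild pointer, a dedup signature from the top source-level frames for grouping fuzzer findings, and the innermost frame in the Excel plugin where the untrusted .xls data entered goffice. The `plugins/excel/` directory test and the one-page NULL threshold are this helper's own assumptions.

```python
import re

# Sample input: the AddressSanitizer report from this bug (frames #6-#17 omitted to keep it short).
ASAN_REPORT = """\
==1410==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4120a1abad bp 0x7ffec16ba9b0 sp 0x7ffec16ba800 T0)
    #0 0x7f4120a1abac in gog_role_cmp gnumeric/goffice/goffice/graph/gog-object.c:1362:41
    #1 0x7f4120a1929f in gog_role_cmp_full gnumeric/goffice/goffice/graph/gog-object.c:1379:12
    #2 0x7f4120a22278 in gog_object_set_parent gnumeric/goffice/goffice/graph/gog-object.c:1742:9
    #3 0x7f4120a10782 in gog_object_add_by_role gnumeric/goffice/goffice/graph/gog-object.c:1803:6
    #4 0x7f4120a24c66 in gog_object_add_by_name gnumeric/goffice/goffice/graph/gog-object.c:1824:9
    #5 0x7f40fbf30e30 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:2700:5
    #18 0x7f411ad2378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #19 0x437c58 in _start (apps/bin/ssconvert+0x437c58)
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/graph/gog-object.c:1362 gog_role_cmp
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-fA-F]+)")
# Frames with source info look like "#N 0xPC in func path/file.c:LINE:COL"; frames that only
# carry "(module+offset)" have no ':LINE' part and are deliberately left unmatched.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?):(\d+)(?::\d+)?\s*$")

def parse_asan_report(text):
    """Return (error_kind, fault_address, frames); each frame is (function, file, line)."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an ASan 'unknown address' report")
    frames = [(m.group(1), m.group(2), int(m.group(3)))
              for m in map(FRAME_RE.match, text.splitlines()) if m]
    return header.group(1), int(header.group(2), 16), frames

def likely_null_deref(error_kind, fault_address, page_size=0x1000):
    """A SEGV inside the first page (assumed 4 KiB) is a NULL or NULL-plus-small-offset dereference."""
    return error_kind == "SEGV" and fault_address < page_size

def crash_signature(frames, depth=3):
    """Dedup key for fuzzer findings: the top `depth` source-level frames joined with '|'."""
    return "|".join(func for func, _, _ in frames[:depth])

def parser_entry_frame(frames, parser_dir="plugins/excel/"):
    """Innermost frame inside the file-format parser (assumed to live under parser_dir)."""
    for func, path, line in frames:
        if parser_dir in path:
            return func, line
    return None

if __name__ == "__main__":
    kind, addr, frames = parse_asan_report(ASAN_REPORT)
    print(kind, hex(addr), likely_null_deref(kind, addr))
    print(crash_signature(frames), parser_entry_frame(frames))
```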
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.