GNOME Bugzilla – Bug 751925
Out-of-bounds read in gog-object.c:2128 on a fuzzed xls file
Last modified: 2015-07-04 07:49:36 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_007-gog-object.c.2128.xls

$ ssconvert gnumeric_case_007-gog-object.c.2128.xls /tmp/out.gnumeric
==11674==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000c0 (pc 0x7f56ad36db06 bp 0x7fffdde7f4f0 sp 0x7fffdde7f380 T0)
    #0 0x7f56ad36db05 in gog_object_document_changed gnumeric/goffice/goffice/graph/gog-object.c:2128:6
    #1 0x7f56ad36dd51 in gog_object_document_changed gnumeric/goffice/goffice/graph/gog-object.c:2131:3
    #2 0x7f56ad36dd51 in gog_object_document_changed gnumeric/goffice/goffice/graph/gog-object.c:2131:3
    #3 0x7f56ad3cbc85 in gog_graph_set_property gnumeric/goffice/goffice/graph/gog-graph.c:188:4
    #4 0x7f56a8578517 in object_set_property gnumeric/glib/gobject/gobject.c:1415
    #5 0x7f56a8578517 in g_object_set_valist gnumeric/glib/gobject/gobject.c:2158
    #6 0x7f56a8578b9e in g_object_set gnumeric/glib/gobject/gobject.c:2268
    #7 0x7f56ae9dfcdb in sog_datas_set_sheet gnumeric/gnumeric/src/sheet-object-graph.c:139:2
    #8 0x7f56ae9e9186 in gnm_sog_set_sheet gnumeric/gnumeric/src/sheet-object-graph.c:522:3
    #9 0x7f56ae972350 in sheet_object_set_sheet gnumeric/gnumeric/src/sheet-object.c:577:6
    #10 0x7f5688809155 in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3970:3
    #11 0x7f568863eccd in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7110:4
    #12 0x7f5688639bc5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7211:4
    #13 0x7f56885cd221 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #14 0x7f56885cec74 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #15 0x7f56ad226e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #16 0x7f56ad23a9b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #17 0x7f56ad2481c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #18 0x7f56aebc7874 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #19 0x7f56aebc8460 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #20 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #21 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #22 0x7f56a766378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #23 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/graph/gog-object.c:2128 gog_object_document_changed

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.