After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 760046 - Stack-overflow in expr-name.c:945 in a fuzzed xls file
Stack-overflow in expr-name.c:945 in a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2016-01-01 15:11 UTC by jutaky
Modified: 2016-01-02 00:29 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2016-01-01 15:11:50 UTC 
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-expr-name.c.945.xls

$ ssconvert gnumeric_case_001-expr-name.c.945.xls /tmp/out.gnumeric

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7795ed3 in expr_name_eval (nexpr=<optimized out>, pos=0x7fffffffe408, flags=GNM_EXPR_EVAL_SCALAR_NON_EMPTY) at expr-name.c:945
945		return gnm_expr_top_eval (nexpr->texpr, pos, flags);
(gdb) bt

+ Trace 235862

  • #0 expr_name_eval
    at expr-name.c line 945
  • #1 gnm_expr_eval
    at expr.c line 1487
  • #2 gnm_expr_top_eval
    at expr.c line 3124
  • #3 expr_name_eval
    at expr-name.c line 945
  • #4 gnm_expr_eval
    at expr.c line 1487
  • #5 gnm_expr_top_eval
    at expr.c line 3124
  • #6 expr_name_eval
    at expr-name.c line 945
  • #7 gnm_expr_eval
    at expr.c line 1487
  • #8 gnm_expr_top_eval
    at expr.c line 3124
  • #9 expr_name_eval
    at expr-name.c line 945
  • #10 gnm_expr_eval
    at expr.c line 1487
  • #11 gnm_expr_top_eval
    at expr.c line 3124 


==12963== Stack overflow in thread #1: can't grow stack to 0xffe801000
==12963== 
==12963== Process terminating with default action of signal 11 (SIGSEGV)
==12963==  Access not within mapped region at address 0xFFE801FD8
==12963== Stack overflow in thread #1: can't grow stack to 0xffe801000
==12963==    at 0x4F28CAD: gnm_expr_top_eval (expr.c:3114)

--
Juha Kylmänen
Comment 1 Morten Welinder 2016-01-02 00:29:37 UTC 
Circular name.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.