Bug 760089 – Null pointer crash in ms-excel-read.c:1480 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 760089 - Null pointer crash in ms-excel-read.c:1480 on a fuzzed xls file


Summary:	Null pointer crash in ms-excel-read.c:1480 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2016-01-02 23:14 UTC by jutaky
Modified:	2016-01-02 23:41 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2016-01-02 23:14:17 UTC

Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_004-ms-excel-read.c.1480.xls

$ ssconvert gnumeric_case_004-ms-excel-read.c.1480.xls /tmp/out.gnumeric

==8158==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe5a1e8c850 bp 0x7ffdf7802750 sp 0x7ffdf7802340 T0)
    #0 0x7fe5a1e8c84f in excel_read_BOUNDSHEET gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1480:24
    #1 0x7fe5a1e8c84f in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7238
    #2 0x7fe5a1e63722 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #3 0x7fe5c0e4eec2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #4 0x7fe5c0e57b86 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #5 0x7fe5c0e5bcdc in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #6 0x7fe5c1a5aa70 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #7 0x7fe5c1a5adef in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #8 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #9 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #10 0x7fe5bbac060f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #11 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

--
Juha Kylmänen

Comment 1 Morten Welinder 2016-01-02 23:41:30 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.