GNOME Bugzilla – Bug 760103
Use-after-free in sheet-filter.c:774 on a fuzzed xls file
Last modified: 2016-01-03 22:52:11 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_007-sheet-filter.c.774.xls

$ ssconvert gnumeric_case_007-sheet-filter.c.774.xls /tmp/out.gnumeric
==26492==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000047e58 at pc 0x7fc61ccfa12e bp 0x7ffe1be02450 sp 0x7ffe1be02448
READ of size 8 at 0x604000047e58 thread T0
    #0 0x7fc61ccfa12d in gnm_filter_remove gnumeric/gnumeric/src/sheet-filter.c:774:2
    #1 0x7fc5fd1deeae in excel_sheet_destroy gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3200:3
    #2 0x7fc5fd1deeae in gnm_xl_importer_free gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3496
    #3 0x7fc5fd1deeae in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7391
    #4 0x7fc5fd1b17a2 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #5 0x7fc61c1c2ed2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #6 0x7fc61c1cbb96 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #7 0x7fc61c1cfcec in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #8 0x7fc61cdced00 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #9 0x7fc61cdcf07f in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #10 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #11 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #12 0x7fc616e3460f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #13 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
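The trace above shows the importer's teardown path (gnm_xl_importer_free -> excel_sheet_destroy -> gnm_filter_remove) reading 8 bytes of already-freed heap memory; the report does not say which object was freed early or how the fix reorders things. The following is an added, constructed analog of that bug class written for this page, not gnumeric code and not the actual root cause: a sheet owns a linked list of filters, a filter is freed without being unlinked, and the sheet's destroy routine then reads the dangling entry exactly as ASan reports here. All type and function names (Filter, Sheet, filter_free_buggy, filter_remove, sheet_destroy, teardown_fixed) are invented for the illustration.

```c
/* Constructed analog of a teardown-order heap-use-after-free.
 * Not gnumeric code; names and structure are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Filter {
    struct Filter *next;
    char name[16];
} Filter;

typedef struct Sheet {
    Filter *filters;   /* singly linked list owned by the sheet */
} Sheet;

/* Allocate a filter and push it on the sheet's list. */
static Filter *filter_new(Sheet *sheet, const char *name) {
    Filter *f = calloc(1, sizeof *f);
    if (!f) abort();
    strncpy(f->name, name, sizeof f->name - 1);
    f->next = sheet->filters;
    sheet->filters = f;
    return f;
}

/* Buggy: frees the filter but leaves sheet->filters pointing at it. */
static void filter_free_buggy(Filter *f) {
    free(f);
}

/* Fixed: unlink from the owner's list first, then free, so no
 * dangling pointer survives for the sheet's own teardown to read. */
static void filter_remove(Sheet *sheet, Filter *f) {
    Filter **pp;
    for (pp = &sheet->filters; *pp; pp = &(*pp)->next) {
        if (*pp == f) {
            *pp = f->next;
            break;
        }
    }
    free(f);
}

/* Sheet teardown frees whatever is still on the list. With a dangling
 * entry, reading f->next is the 8-byte READ that ASan flags. */
static int sheet_destroy(Sheet *sheet) {
    int freed = 0;
    Filter *f = sheet->filters;
    while (f) {
        Filter *next = f->next;   /* use-after-free on the buggy path */
        free(f);
        f = next;
        freed++;
    }
    sheet->filters = NULL;
    return freed;
}

/* Number of filters currently linked on the sheet. */
int sheet_filter_count(const Sheet *sheet) {
    int n = 0;
    for (const Filter *f = sheet->filters; f; f = f->next) n++;
    return n;
}

/* Correct order: one filter removed early via filter_remove, then the
 * sheet frees the remaining one. Returns how many the sheet freed (1). */
int teardown_fixed(void) {
    Sheet sheet = { NULL };
    Filter *a = filter_new(&sheet, "a");
    filter_new(&sheet, "b");
    filter_remove(&sheet, a);
    if (sheet_filter_count(&sheet) != 1) abort();
    return sheet_destroy(&sheet);
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--buggy") == 0) {
        Sheet sheet = { NULL };
        Filter *a = filter_new(&sheet, "a");
        filter_new(&sheet, "b");
        filter_free_buggy(a);          /* list still references a */
        return sheet_destroy(&sheet);  /* ASan: heap-use-after-free */
    }
    printf("fixed teardown freed %d filter(s)\n", teardown_fixed());
    return 0;
}
```

Build with `cc -g -fsanitize=address uaf_analog.c -o uaf_analog` (file name assumed) and run `./uaf_analog --buggy` to get a report of the same shape as the one in this bug, a READ of size 8 inside the destroy routine with the allocation and the earlier free both shown in the stack; running it without the flag exercises the unlink-then-free ordering and exits cleanly.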