GNOME Bugzilla – Bug 760104
Wild memory access(?) in ms-formula-read.c:1469 on a fuzzed xls file
Last modified: 2016-01-07 14:00:14 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_008-ms-formula-read.c.1469.xls

$ ssconvert gnumeric_case_008-ms-formula-read.c.1469.xls /tmp/out.gnumeric
==27219==ERROR: AddressSanitizer: unknown-crash on address 0x7f1a80077003 at pc 0x7f1a5fd5ac5b bp 0x7fffc422b890 sp 0x7fffc422b888
READ of size 1 at 0x7f1a80077003 thread T0
    #0 0x7f1a5fd5ac5a in excel_parse_formula1 gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1469:17
    #1 0x7f1a5fd4dbc3 in excel_parse_formula gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1910:21
    #2 0x7f1a5fd0f090 in excel_parse_name gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3671:11
    #3 0x7f1a5fce82c5 in excel_read_NAME gnumeric/gnumeric/plugins/excel/ms-excel-read.c:4016:11
    #4 0x7f1a5fceddb4 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6837:22
    #5 0x7f1a5fce180d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7119:4
    #6 0x7f1a5fcd6650 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7210:3
    #7 0x7f1a5fcb1d41 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #8 0x7f1a7eca8ed2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #9 0x7f1a7ecb1b96 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #10 0x7f1a7ecb5cec in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #11 0x7f1a7f8b4d00 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #12 0x7f1a7f8b507f in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #13 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #14 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #15 0x7f1a7991a60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #16 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1469:17 in excel_parse_formula1

-- Juha Kylmänen
I cannot reproduce this one.
Nothing in Valgrind but AddressSanitizer still thinks there is an issue.
Created attachment 318392 [details] [review]
Debug patch

Please apply this patch and rerun. This will print some stuff. The location where the error is detected in relation to the debug lines would be interesting.
Created attachment 318407 [details]
stderr with AddressSanitizer output

l=3264 al=13321 and the last delta = 10910
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution. Note the commented-out change I committed to ms-biff.c; it will force a separate memory area for each "biff" record which will help with a certain class of access problems.
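Added example, not code from Gnumeric, from the committed fix or from the debug patch in this bug. It illustrates the two defences the thread points at: every read a formula parser makes is checked against the length of the enclosing BIFF record, and, as a debugging aid, each record's payload can be copied into its own heap allocation so that an over-read lands in an AddressSanitizer redzone and is reported as a heap-buffer-overflow with a named owner, rather than as an unattributable wild access into whatever happens to follow the record in a shared buffer. The record walker, the toy token subset (ptgInt 0x1E with a 16-bit operand, ptgAdd 0x03) and the sample byte streams are constructed for this illustration; the sample bytes are not taken from the fuzzed test case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A BIFF record starts with a 4-byte header: 16-bit record type and
 * 16-bit payload length, both little-endian, followed by the payload. */
typedef struct {
    uint16_t type;
    uint16_t len;
    const uint8_t *data;   /* payload; points into the stream or into `copy` */
    uint8_t *copy;         /* owned isolated copy, NULL unless isolate was set */
} biff_record;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Fetch the record at *pos. Returns 1 and advances *pos on success, 0 when the
 * header or the declared payload runs past the end of the stream. With
 * isolate != 0 the payload is copied into its own heap block (the debugging
 * trick described in the thread), so a read past the record hits fresh heap
 * memory and an ASan redzone instead of silently reading the next record. */
static int biff_next(const uint8_t *buf, size_t buf_len, size_t *pos,
                     biff_record *rec, int isolate)
{
    if (*pos > buf_len || buf_len - *pos < 4) return 0;
    rec->type = rd16le(buf + *pos);
    rec->len  = rd16le(buf + *pos + 2);
    if (buf_len - *pos - 4 < rec->len) return 0;    /* declared length lies */
    rec->data = buf + *pos + 4;
    rec->copy = NULL;
    if (isolate) {
        rec->copy = malloc(rec->len ? rec->len : 1);
        if (rec->copy == NULL) return 0;
        memcpy(rec->copy, rec->data, rec->len);
        rec->data = rec->copy;
    }
    *pos += 4u + rec->len;
    return 1;
}

static void biff_free(biff_record *rec) { free(rec->copy); rec->copy = NULL; }

/* Bounds-checked access to n bytes at offset off of the payload: the only way
 * the parser below touches record bytes. Returns 0 instead of over-reading. */
static int biff_read(const biff_record *rec, size_t off, size_t n,
                     const uint8_t **out)
{
    if (off > rec->len || rec->len - off < n) return 0;
    *out = rec->data + off;
    return 1;
}

/* Toy walker over a two-token subset of the BIFF ptg encoding, standing in for
 * a formula parser. Sums the ptgInt operands; returns -1 as soon as a token or
 * operand would extend past the declared formula or the record payload. */
static long sum_formula_ints(const biff_record *rec, size_t off, size_t formula_len)
{
    const uint8_t *p;
    long total = 0;
    size_t end;
    if (off > rec->len || rec->len - off < formula_len) return -1;
    end = off + formula_len;
    while (off < end) {
        if (!biff_read(rec, off, 1, &p)) return -1;
        if (*p == 0x03) {                          /* ptgAdd: no operand */
            off += 1;
        } else if (*p == 0x1E) {                   /* ptgInt: uint16 operand */
            if (end - off < 3 || !biff_read(rec, off + 1, 2, &p)) return -1;
            total += rd16le(p);
            off += 3;
        } else {
            return -1;                             /* unknown token */
        }
    }
    return total;
}

/* Parse a constructed stream whose first record carries a formula laid out as
 * one byte of formula length followed by tokens. Returns the formula sum,
 * -1 for a malformed formula, -2 when the stream itself is truncated. */
static long parse_stream(const uint8_t *buf, size_t buf_len, int isolate)
{
    size_t pos = 0;
    biff_record rec;
    long result = -1;
    int first = 1;
    while (biff_next(buf, buf_len, &pos, &rec, isolate)) {
        if (first) {
            const uint8_t *p;
            result = biff_read(&rec, 0, 1, &p) ? sum_formula_ints(&rec, 1, *p) : -1;
            first = 0;
        }
        biff_free(&rec);
    }
    return pos == buf_len ? result : -2;
}

/* Constructed sample streams (hypothetical bytes, not from the bug's test case). */
static const uint8_t good_stream[] = {
    0x18, 0x00, 0x08, 0x00,        /* record type 0x0018, payload length 8 */
    0x07,                          /* formula length 7 */
    0x1E, 0x05, 0x00,              /* ptgInt 5 */
    0x1E, 0x07, 0x00,              /* ptgInt 7 */
    0x03,                          /* ptgAdd */
    0x0A, 0x00, 0x00, 0x00         /* EOF record, payload length 0 */
};
static const uint8_t bad_token_stream[] = {
    0x18, 0x00, 0x05, 0x00,        /* payload length 5 */
    0x04,                          /* formula length 4 */
    0x1E, 0x05, 0x00,              /* ptgInt 5 */
    0x1E,                          /* ptgInt whose operand lies past the record */
    0x0A, 0x00, 0x00, 0x00
};
static const uint8_t truncated_stream[] = {
    0x18, 0x00, 0x08, 0x00,        /* claims 8 payload bytes, only 3 follow */
    0x07, 0x1E, 0x05
};
```

The `isolate` flag changes no result on well-formed input; its value is that, with the parser built on `biff_read`, the bad streams are rejected cleanly, and if some code path bypasses the check, the isolated copy turns the failure into a crisp heap-buffer-overflow report instead of the "wild memory access suspected" seen above.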