GNOME Bugzilla – Bug 760229
Segfault in gtype.c from ms-chart.c:2664 on a fuzzed xls file
Last modified: 2016-01-07 14:42:34 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_011-gtype.c.4060.xls

$ ssconvert gnumeric_case_011-gtype.c.4060.xls /tmp/out.gnumeric
==28168==ERROR: AddressSanitizer: SEGV on unknown address 0x00000010a910 (pc 0x7f2409107260 bp 0x7ffe9e8dadd0 sp 0x7ffe9e8dabf0 T0)
    #0 0x7f240910725f in g_type_check_instance_cast gnumeric/glib/gobject/gtype.c:4060
    #1 0x7f23ee64f209 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:2664:19
    #2 0x7f23ee62f80a in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3818:12
    #3 0x7f23ee6344d8 in ms_excel_chart_read_BOF gnumeric/gnumeric/plugins/excel/ms-chart.c:4043:8
    #4 0x7f23ee625350 in ms_read_OBJ gnumeric/gnumeric/plugins/excel/ms-obj.c:1333:7
    #5 0x7f23ee579706 in ms_escher_read_ClientData gnumeric/gnumeric/plugins/excel/ms-escher.c:2063:6
    #6 0x7f23ee571881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #7 0x7f23ee571881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #8 0x7f23ee571881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #9 0x7f23ee571881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #10 0x7f23ee570b5b in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2248:2
    #11 0x7f23ee5a0201 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6833:4
    #12 0x7f23ee5939cd in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7133:4
    #13 0x7f23ee58ae22 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7242:4
    #14 0x7f23ee563902 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #15 0x7f240d560ed2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #16 0x7f240d569b96 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #17 0x7f240d56dcec in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #18 0x7f240e16cf80 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #19 0x7f240e16d2ff in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #20 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #21 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #22 0x7f24081d260f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #23 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

-- Juha Kylmänen
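A crash-triage helper added here as an example (not code from the reporter or from the Gnumeric project): it parses an ASan report even in the flattened one-line form Bugzilla shows above, and derives a deduplication key from the first frames inside Gnumeric's own code, skipping the glib frame where the fault surfaces. The sample text is the head of this report; the `gnumeric/gnumeric/` path prefix is the checkout layout visible in the trace.

```python
import re

# Constructed sample: the head of the ASan report from this bug, flattened onto
# one line the way the Bugzilla text export did it; only some frames are kept.
SAMPLE_REPORT = (
    "==28168==ERROR: AddressSanitizer: SEGV on unknown address 0x00000010a910 "
    "(pc 0x7f2409107260 bp 0x7ffe9e8dadd0 sp 0x7ffe9e8dabf0 T0) "
    "#0 0x7f240910725f in g_type_check_instance_cast gnumeric/glib/gobject/gtype.c:4060 "
    "#1 0x7f23ee64f209 in xl_chart_read_end gnumeric/gnumeric/plugins/excel/ms-chart.c:2664:19 "
    "#2 0x7f23ee62f80a in ms_excel_chart_read gnumeric/gnumeric/plugins/excel/ms-chart.c:3818:12 "
    "#3 0x7f23ee6344d8 in ms_excel_chart_read_BOF gnumeric/gnumeric/plugins/excel/ms-chart.c:4043:8 "
    "#22 0x7f24081d260f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) "
    "#23 0x41a688 in _start (apps/bin/ssconvert+0x41a688)"
)

# "SEGV on unknown address 0x..." and "heap-buffer-overflow on address 0x..." both match.
HEADER_RE = re.compile(
    r"AddressSanitizer: (?P<kind>[\w-]+)(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
# One symbolised frame: "#N 0xADDR in FUNC LOCATION". \s+ also spans the newlines of a
# real (multi-line) report; unsymbolised frames without "in" are ignored.
FRAME_RE = re.compile(r"#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S+)")


def parse_asan_report(text):
    """Return {'kind', 'addr', 'frames'}; frames is a list of (index, function, location)."""
    head = HEADER_RE.search(text)
    if head is None:
        raise ValueError("no AddressSanitizer header found")
    addr = int(head.group("addr"), 16) if head.group("addr") else None
    frames = [(int(m.group("n")), m.group("func"), m.group("loc"))
              for m in FRAME_RE.finditer(text)]
    return {"kind": head.group("kind"), "addr": addr, "frames": frames}


def crash_signature(report, project_prefix="gnumeric/gnumeric/", depth=3):
    """Dedup key: crash kind plus the first `depth` frames located in the project's own code.

    Library frames (here glib's g_type_check_instance_cast) are skipped, so fuzz cases that
    reach the same Gnumeric bug through the same helper collapse into one key. The default
    prefix is the checkout layout shown by this trace (an assumption, not a fixed convention).
    """
    own = [func for _, func, loc in report["frames"] if loc.startswith(project_prefix)]
    return "|".join([report["kind"], *own[:depth]])


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(len(rep["frames"]), "frames; signature:", crash_signature(rep))
```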
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.