After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 760230 - Crash (SIGABRT) from mathfunc.c on a fuzzed xls file
Crash (SIGABRT) from mathfunc.c on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2016-01-06 18:08 UTC by jutaky
Modified: 2016-01-07 00:35 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2016-01-06 18:08:00 UTC 
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_012-mathfunc.c.xls

$ ssconvert gnumeric_case_012-mathfunc.c.xls /tmp/out.gnumeric

Program received signal SIGABRT, Aborted.
0x00007ffff16be5f8 in raise () from /usr/lib/libc.so.6
(gdb) bt

+ Trace 235876

  • #0 raise
    from /usr/lib/libc.so.6
  • #1 abort
    from /usr/lib/libc.so.6
  • #2 g_assertion_message
  • #3 g_assertion_message_expr
    at gtestutils.c line 2452
  • #4 ebd0
    at mathfunc.c line 263
  • #5 dbinom_raw
    at mathfunc.c line 2327
  • #6 dbeta
    at mathfunc.c line 2772
  • #7 pfuncinverter
    at sf-dpq.c line 156
  • #8 qbeta
    at mathfunc.c line 4863
  • #9 gnumeric_betainv
    at functions.c line 1360
  • #10 function_call_with_exprs
    at func.c line 2101
  • #11 gnm_expr_eval
    at expr.c line 1453
  • #12 gnm_expr_top_eval
  • #13 gnm_cell_eval_content
    at dependent.c line 1663
  • #14 cell_dep_eval
    at dependent.c line 1250
  • #15 dependent_eval
    at dependent.c line 1753
  • #16 workbook_recalc
    at dependent.c line 2867
  • #17 workbook_view_new_from_input
    at workbook-view.c line 1294
  • #18 workbook_view_new_from_uri
    at workbook-view.c line 1337
  • #19 convert
    at ssconvert.c line 715
  • #20 main
    at ssconvert.c line 918 

--
Juha Kylmänen
Comment 1 Morten Welinder 2016-01-07 00:18:00 UTC 
We're getting hit by this:
	/* FIXME: handle overflow/underflow in division below */
Comment 2 Morten Welinder 2016-01-07 00:35:27 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.