GNOME Bugzilla – Bug 760545
Heap-buffer overread in ms-formula-read.c:1389 on a fuzzed xls file
Last modified: 2016-01-14 13:03:18 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_016-ms-formula-read.c.1389.xls

$ ssconvert gnumeric_case_016-ms-formula-read.c.1389.xls /tmp/out.gnumeric
==6495==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000047cb6 at pc 0x7f081bd5980f bp 0x7ffcf00d9670 sp 0x7ffcf00d9668
READ of size 1 at 0x604000047cb6 thread T0
    #0 0x7f081bd5980e in excel_parse_formula1 gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1389:8
    #1 0x7f081bd4fb66 in excel_parse_formula1 gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1103:11
    #2 0x7f081bd4c193 in excel_parse_formula gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1911:21
    #3 0x7f081bcf88bf in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2980:10
    #4 0x7f081bcf88bf in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6711
    #5 0x7f081bcdfa4d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7143:4
    #6 0x7f081bcd6ea2 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7252:4
    #7 0x7f081bcaf982 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #8 0x7f0830c2cca2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #9 0x7f0830c35966 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #10 0x7f0830c39abc in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #11 0x7f083183f910 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #12 0x7f083183fc8f in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #13 0x4dd2d5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #14 0x4dc712 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #15 0x7f082b5df60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #16 0x41a6a8 in _start (apps/bin/ssconvert+0x41a6a8)

0x604000047cb6 is located 0 bytes to the right of 38-byte region [0x604000047c90,0x604000047cb6)
allocated by thread T0 here:
    #0 0x4b0658 in __interceptor_malloc (apps/bin/ssconvert+0x4b0658)
    #1 0x7f082bfec258 in g_malloc gnumeric/glib/glib/gmem.c:94

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1389:8 in excel_parse_formula1

-- Juha Kylmänen
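The report above shows the classic shape of a one-past-the-end read in a token-stream parser: the opcode byte of the last token fits inside the 38-byte rgce buffer, but the operand bytes that the opcode promises do not, and the reader walks off the allocation ("0 bytes to the right" is exactly the first byte after the region). The following is an added example, written for this page and not the reporter's or Gnumeric's code, of a toy parser for four BIFF8 formula tokens (ptgAdd 0x03, ptgStr 0x17, ptgInt 0x1E, ptgNum 0x1F) that checks the remaining length before every operand read and reports how far past the end an unchecked read would have gone. The token IDs are the BIFF8 values; the operand layouts are simplified, the sample rgce byte strings are constructed for the example, and nothing here reproduces the actual code at ms-formula-read.c:1389, which the page does not show.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Small subset of BIFF8 ptg token IDs (real values, simplified layouts). */
enum { PTG_ADD = 0x03, PTG_STR = 0x17, PTG_INT = 0x1E, PTG_NUM = 0x1F };

enum { FORMULA_OK = 0, FORMULA_TRUNCATED = -1, FORMULA_UNKNOWN_TOKEN = -2 };

/* True if n more bytes are available at pos. Callers keep pos <= len,
 * so len - pos cannot wrap; the comparison is done this way on purpose
 * instead of pos + n <= len, which could overflow on hostile lengths. */
static int have(size_t len, size_t pos, size_t n)
{
    return n <= len - pos;
}

/* Walk the rgce token stream of len bytes.
 * On FORMULA_OK, *ntokens is the number of tokens consumed.
 * On FORMULA_TRUNCATED, *short_by is how many bytes beyond the end an
 * unchecked operand read would have touched (1 means the byte at index
 * len, i.e. "0 bytes to the right" of the buffer in ASan terms). */
int parse_formula(const uint8_t *rgce, size_t len,
                  unsigned *ntokens, size_t *short_by)
{
    size_t pos = 0;
    unsigned count = 0;
    *ntokens = 0;
    *short_by = 0;

    while (pos < len) {
        uint8_t ptg = rgce[pos++];   /* opcode is known to be in bounds */
        size_t need;

        switch (ptg) {
        case PTG_ADD: need = 0; break;          /* no operand */
        case PTG_INT: need = 2; break;          /* uint16 value */
        case PTG_NUM: need = 8; break;          /* IEEE double */
        case PTG_STR: {
            /* Length-prefixed string: cch (1 byte), flags (1 byte), then
             * cch chars of 1 or 2 bytes each. The header itself must be
             * checked before it is used to size the second read. */
            if (!have(len, pos, 2)) {
                *short_by = 2 - (len - pos);
                return FORMULA_TRUNCATED;
            }
            uint8_t cch = rgce[pos];
            uint8_t wide = rgce[pos + 1] & 1;
            need = 2 + (size_t)cch * (wide ? 2 : 1);
            break;
        }
        default:
            return FORMULA_UNKNOWN_TOKEN;
        }

        /* The check the fuzzed file exercises: operand declared by the
         * opcode must fit in what is left of the buffer. */
        if (!have(len, pos, need)) {
            *short_by = need - (len - pos);
            return FORMULA_TRUNCATED;
        }
        pos += need;
        count++;
    }
    *ntokens = count;
    return FORMULA_OK;
}

/* Constructed sample inputs (not from the reported .xls file). */
static const uint8_t rgce_ok[]    = { PTG_INT, 0x01, 0x00, PTG_INT, 0x02, 0x00, PTG_ADD };
static const uint8_t rgce_short[] = { PTG_INT, 0x01, 0x00, PTG_INT, 0x02 };      /* last operand cut */
static const uint8_t rgce_str[]   = { PTG_STR, 0x05, 0x00, 'a', 'b' };           /* cch=5, 2 present */

int main(void)
{
    unsigned n; size_t s;
    printf("ok:    rc=%d tokens=%u\n", parse_formula(rgce_ok, sizeof rgce_ok, &n, &s), n);
    printf("short: rc=%d short_by=%zu\n", parse_formula(rgce_short, sizeof rgce_short, &n, &s), s);
    printf("str:   rc=%d short_by=%zu\n", parse_formula(rgce_str, sizeof rgce_str, &n, &s), s);
    return 0;
}
```

The second sample is the case the ASan report describes: the opcode of the final ptgInt sits at the last valid index, so an unchecked 2-byte operand read starts at index len, zero bytes past the allocation. The ptgStr case shows the other common variant, where an in-bounds length byte is trusted to size a second read.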
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.