After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 702126 - libgoffice segfaults in gog_dataset_get_elem on a corrupted (fuzzed) xls file
libgoffice segfaults in gog_dataset_get_elem on a corrupted (fuzzed) xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-06-12 20:22 UTC by jutaky
Modified: 2013-06-16 18:51 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-06-12 20:22:50 UTC 
libgoffice segfaults in gog_dataset_get_elem on a corrupted (fuzzed) xls file.

Versions affected (at least): git 20130612 and 0.10.2

Test case: http://jutaky.com/fuzzing/gnumeric_case_11148_5850.xls

Backtrace: 

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff751dfa7 in gog_dataset_get_elem (set=0x0, dim_i=0) at graph/gog-data-set.c:152
152		GogDatasetClass *klass = GOG_DATASET_GET_CLASS (set);
(gdb) bt

+ Trace 232040

  • #0 gog_dataset_get_elem
    at graph/gog-data-set.c line 152
  • #1 gog_dataset_get_dim
    at graph/gog-data-set.c line 90
  • #2 xl_axis_swap_elem
    at ms-chart.c line 2455
  • #3 xl_chart_read_end
    at ms-chart.c line 3018
  • #4 ms_excel_chart_read
    at ms-chart.c line 3635
  • #5 ms_excel_chart_read_BOF
    at ms-chart.c line 3863
  • #6 ms_read_OBJ
    at ms-obj.c line 1308
  • #7 ms_escher_read_ClientData
    at ms-escher.c line 2044
  • #8 ms_escher_read_container
    at ms-escher.c line 2152
  • #9 ms_escher_read_SpContainer
    at ms-escher.c line 550
  • #10 ms_escher_read_container
    at ms-escher.c line 2152
  • #11 ms_escher_read_SpgrContainer
    at ms-escher.c line 1984
  • #12 ms_escher_read_container
    at ms-escher.c line 2152
  • #13 ms_escher_read_DgContainer
    at ms-escher.c line 1989
  • #14 ms_escher_read_container
    at ms-escher.c line 2152
  • #15 ms_escher_parse
    at ms-escher.c line 2219
  • #16 excel_read_sheet
    at ms-excel-read.c line 6689
  • #17 excel_read_BOF
    at ms-excel-read.c line 6981
  • #18 excel_read_workbook
    at ms-excel-read.c line 7071
  • #19 excel_enc_file_open
    at boot.c line 193
  • #20 excel_file_open
    at boot.c line 250
  • #21 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #22 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #23 go_file_opener_open
    at app/file.c line 417
  • #24 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #25 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #26 main
    at main-application.c line 321 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Jean Bréfort 2013-06-13 09:15:47 UTC 
Fixing GOffice does not avoids a crash. The main issue is in the gnumeric excel plugin.
Comment 2 Jean Bréfort 2013-06-13 09:16:00 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
Comment 3 jutaky 2013-06-16 18:51:14 UTC 
This issue has been assigned CVE-id CVE-2013-4606.