Bug 702205 - Gnumeric segfaults in type_check_is_value_type_U on a corrupted (fuzzed) ods file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Andreas J. Guelzow
Jody Goldberg
Depends on:
Blocks:
Reported: 2013-06-13 20:59 UTC by jutaky
Modified: 2013-06-14 01:33 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description jutaky 2013-06-13 20:59:58 UTC
I don't know if this should have belonged to the glib product, but here it goes anyway:

Gnumeric segfaults in type_check_is_value_type_U on a corrupted (fuzzed) ods file.

Git versions of glib, goffice and gnumeric.

Test case: http://jutaky.com/fuzzing/gnumeric_case_14469_55.ods

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff451fc41 in type_check_is_value_type_U (type=30064771080) at gtype.c:4107
4107	  if (node && node->mutatable_check_cache)
(gdb) bt
#0  type_check_is_value_type_U at gtype.c line 4107
#1  g_type_check_value at gtype.c line 4149
#2  g_value_unset at gvalue.c line 269
#3  unset_gvalue at openoffice-read.c line 10101
#4  g_slist_foreach at gslist.c line 896
#5  openoffice_file_open at openoffice-read.c line 12085
#6  go_plugin_loader_module_func_file_open at app/go-plugin-loader-module.c line 282
#7  go_plugin_file_opener_open at app/go-plugin-service.c line 685
#8  go_file_opener_open at app/file.c line 417
#9  workbook_view_new_from_input at workbook-view.c line 1272
#10 workbook_view_new_from_uri at workbook-view.c line 1332
#11 main at main-application.c line 321

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-06-14 01:33:53 UTC
This was definitely our problem.

This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.