After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 703149 - Segfault on a corrupted (fuzzed) html file
Segfault on a corrupted (fuzzed) html file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export HTML
git master
Other Linux
: Normal critical
: ---
Assigned To: Andreas J. Guelzow
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-06-26 20:06 UTC by jutaky
Modified: 2013-06-27 20:12 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-06-26 20:06:02 UTC 
Segfault on a corrupted (fuzzed) html file. 

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_19438_343.html

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe6beda87 in html_read_content (cur=0x946590, buf=0xab4c00, mstyle=0xa4cad0, a_buf=0xab58d0, hrefs=0x7fffffffdca8, first=1, doc=0x611cf0, tc=0x7fffffffe3d0) at html_read.c:155
155					g_string_append_printf (buf, _("[see sheet %s]"), tc->sheet->name_quoted);
(gdb) bt

+ Trace 232152

  • #0 html_read_content
    at html_read.c line 155
  • #1 html_read_row
    at html_read.c line 217
  • #2 html_read_rows
    at html_read.c line 309
  • #3 html_read_table
    at html_read.c line 346
  • #4 html_read_content
    at html_read.c line 154
  • #5 html_read_content
    at html_read.c line 162
  • #6 html_read_content
    at html_read.c line 162
  • #7 html_read_row
    at html_read.c line 217
  • #8 html_read_rows
    at html_read.c line 309
  • #9 html_read_table
    at html_read.c line 346
  • #10 html_search_for_tables
    at html_read.c line 443
  • #11 html_search_for_tables
    at html_read.c line 474
  • #12 html_search_for_tables
    at html_read.c line 474
  • #13 html_search_for_tables
    at html_read.c line 474
  • #14 html_search_for_tables
    at html_read.c line 474
  • #15 html_search_for_tables
    at html_read.c line 474
  • #16 html_search_for_tables
    at html_read.c line 474
  • #17 html_file_open
    at html_read.c line 565
  • #18 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #19 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #20 go_file_opener_open
    at app/file.c line 417
  • #21 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #22 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #23 main
    at main-application.c line 321 


--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-06-27 20:12:54 UTC 
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.