After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 705385 - Segfault in excel_get_chars on a fuzzed xls file
Segfault in excel_get_chars on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-08-03 07:26 UTC by jutaky
Modified: 2013-08-03 08:16 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-08-03 07:26:18 UTC 
Segfault in excel_get_chars on a fuzzed xls file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24384_25330.xls

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe6cf0ccd in excel_get_chars (importer=0x7f1360, 
    ptr=0x7fffe6fccfa1 "It is important to remember this e-mail service is intended for Ordering purposes only. \006", length=88, use_utf16=0, 
    codepage=0x18) at ms-excel-read.c:1039
1039				str_iconv = gsf_msole_iconv_open_for_import (*codepage);
(gdb) bt

+ Trace 232331

  • #0 excel_get_chars
    at ms-excel-read.c line 1039
  • #1 excel_get_text
    at ms-excel-read.c line 1093
  • #2 excel_get_text_fixme
    at ms-excel-read.c line 1120
  • #3 excel_read_LABEL
    at ms-excel-read.c line 6261
  • #4 excel_read_sheet
    at ms-excel-read.c line 6693
  • #5 excel_read_BOF
    at ms-excel-read.c line 6995
  • #6 excel_read_workbook
    at ms-excel-read.c line 7085
  • #7 excel_enc_file_open
    at boot.c line 193
  • #8 excel_file_open
    at boot.c line 250
  • #9 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #10 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #11 go_file_opener_open
    at app/file.c line 417
  • #12 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #13 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #14 main
    at main-application.c line 321 

--
Juha Kylmänen
Research Assistant, OUSPG

ps. I think commit 89f0616db627157357c7b68478f88019dfc8f775 accidentally erased some news entries?
Comment 1 Andreas J. Guelzow 2013-08-03 08:16:59 UTC 
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.