Bug 705677 - Segfault on converting a fuzzed xls file to a pdf
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export other
Version: git master
Hardware/OS: Other Linux
Importance: Normal (priority), critical (severity)
Target Milestone: ---
Assigned To: Morten Welinder
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2013-08-08 14:18 UTC by jutaky
Modified: 2013-08-09 10:06 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2013-08-08 14:18:27 UTC
Segfault on converting a fuzzed xls file to a pdf.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_13143_23151.2pdf.xls

Backtrace from "ssconvert gnumeric_case_13143_23151.2pdf.xls out.pdf":

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5a51290 in gdk_cairo_set_source_pixbuf () from /usr/lib/libgdk-3.so.0
(gdb) bt
#0  gdk_cairo_set_source_pixbuf from /usr/lib/libgdk-3.so.0
#1  go_image_draw_fb at utils/go-image.c:439
#2  go_image_draw at utils/go-image.c:522
#3  gnm_soi_draw_cairo at sheet-object-image.c:498
#4  sheet_object_draw_cairo at sheet-object.c:764
#5  gnm_print_sheet_objects at print.c:244
#6  print_page_cells at print.c:262
#7  print_page at print.c:649
#8  gnm_draw_page_cb at print.c:1431
#9  g_closure_invoke at gclosure.c:777
#10 signal_emit_unlocked_R at gsignal.c:3582
#11 g_signal_emit_valist at gsignal.c:3326
#12 g_signal_emit at gsignal.c:3382
#13 ?? from /usr/lib/libgtk-3.so.0
#14 ?? from /usr/lib/libgtk-3.so.0
#15 ?? from /usr/lib/libgdk-3.so.0
#16 g_idle_dispatch at gmain.c:5250
#17 g_main_dispatch at gmain.c:3065
#18 g_main_context_dispatch at gmain.c:3641
#19 g_main_context_iterate at gmain.c:3712
#20 g_main_loop_run at gmain.c:3906
#21 ?? from /usr/lib/libgtk-3.so.0
#22 gtk_print_operation_run from /usr/lib/libgtk-3.so.0
#23 gnm_print_sheet at print.c:1861
#24 pdf_write_workbook at print-info.c:851
#25 pdf_export at print-info.c:876
#26 go_file_saver_save_real at app/file.c:577
#27 go_file_saver_save at app/file.c:848
#28 wbv_save_to_output at workbook-view.c:1055
#29 wb_view_save_to_uri at workbook-view.c:1092
#30 wb_view_save_as at workbook-view.c:1128
#31 convert at ssconvert.c:788
#32 main at ssconvert.c:860

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 jutaky 2013-08-08 16:27:48 UTC
Here is a better backtrace from a debug build of git GTK+.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff58fcddb in gdk_window_create_similar_image_surface (window=0x0, format=CAIRO_FORMAT_ARGB32, width=-1, height=-1, scale=1) at gdkwindow.c:9336
9336	  impl_class = GDK_WINDOW_IMPL_GET_CLASS (window->impl);
(gdb) bt
#0  gdk_window_create_similar_image_surface at gdkwindow.c:9336
#1  gdk_cairo_surface_create_from_pixbuf at gdkcairo.c:210
#2  gdk_cairo_set_source_pixbuf at gdkcairo.c:300
#3  go_image_draw_fb at utils/go-image.c:439
#4  go_image_draw at utils/go-image.c:522
#5  gnm_soi_draw_cairo at sheet-object-image.c:498
#6  sheet_object_draw_cairo at sheet-object.c:764
#7  gnm_print_sheet_objects at print.c:244
#8  print_page_cells at print.c:262
#9  print_page at print.c:649
#10 gnm_draw_page_cb at print.c:1431
#11 _gtk_marshal_VOID__OBJECT_INT at gtkmarshalers.c:5172
#12 g_closure_invoke at gclosure.c:777
#13 signal_emit_unlocked_R at gsignal.c:3582
#14 g_signal_emit_valist at gsignal.c:3326
#15 g_signal_emit at gsignal.c:3382
#16 common_render_page at gtkprintoperation.c:2684
#17 print_pages_idle at gtkprintoperation.c:2893
#18 gdk_threads_dispatch at gdk.c:804
#19 g_idle_dispatch at gmain.c:5250
#20 g_main_dispatch at gmain.c:3065
#21 g_main_context_dispatch at gmain.c:3641
#22 g_main_context_iterate at gmain.c:3712
#23 g_main_loop_run at gmain.c:3906
#24 print_pages at gtkprintoperation.c:3064
#25 gtk_print_operation_run at gtkprintoperation.c:3238
#26 gnm_print_sheet at print.c:1861
#27 pdf_write_workbook at print-info.c:851
#28 pdf_export at print-info.c:876
#29 go_file_saver_save_real at app/file.c:577
#30 go_file_saver_save at app/file.c:848
#31 wbv_save_to_output at workbook-view.c:1055
#32 wb_view_save_to_uri at workbook-view.c:1092
#33 wb_view_save_as at workbook-view.c:1128
#34 convert at ssconvert.c:788
#35 main at ssconvert.c:860
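
The second backtrace shows the drawing step reaching GDK with window=0x0 (there is no on-screen window when ssconvert prints to PDF) and width=-1, height=-1. gdk_pixbuf_get_width() and gdk_pixbuf_get_height() return -1 when handed something that is not a GdkPixbuf, which is consistent with the importer having built a sheet image object from the fuzzed file without a usable pixbuf and the print path drawing it anyway. The page does not say what the committed fix was. The following is an added illustration, not code from Gnumeric, goffice or GTK+: the kind of validation a practitioner would place between the importer and the drawing code so that a degenerate image record is skipped instead of being handed to the toolkit. All names (img_record, img_record_validate, img_record_draw, IMG_MAX_DIM) are hypothetical and the sample records are constructed, not taken from the fuzzed file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy limit for one embedded image (assumed value; Gnumeric has its own). */
#define IMG_MAX_DIM 16384
/* Bytes per pixel for CAIRO_FORMAT_ARGB32, the format named in the crash frame. */
#define IMG_BYTES_PER_PX 4

/* Hypothetical record an importer hands to the drawing code. Dimensions come
 * from the untrusted file; pixels is NULL when decoding produced nothing. */
typedef struct {
    int width;
    int height;
    const unsigned char *pixels;
    size_t pixels_len;
} img_record;

typedef enum {
    IMG_OK = 0,
    IMG_ERR_NO_PIXELS,   /* decoder produced no pixbuf; dims are meaningless */
    IMG_ERR_BAD_DIM,     /* width or height <= 0 (the -1/-1 seen in the trace) */
    IMG_ERR_TOO_LARGE,   /* over the policy limit, or stride * height overflows */
    IMG_ERR_SHORT_DATA   /* fewer pixel bytes than the dimensions require */
} img_status;

/* Validate a record before drawing. On success *out_bytes receives the
 * buffer size the dimensions imply. Order matters: a missing pixbuf is
 * reported before its (bogus) dimensions are interpreted. */
img_status img_record_validate(const img_record *r, size_t *out_bytes)
{
    if (r == NULL || r->pixels == NULL)
        return IMG_ERR_NO_PIXELS;
    if (r->width <= 0 || r->height <= 0)
        return IMG_ERR_BAD_DIM;
    if (r->width > IMG_MAX_DIM || r->height > IMG_MAX_DIM)
        return IMG_ERR_TOO_LARGE;
    /* Overflow-checked stride * height, so the check still holds if the
     * policy limit above is raised or removed. */
    size_t stride = (size_t)r->width * IMG_BYTES_PER_PX;
    if (stride > SIZE_MAX / (size_t)r->height)
        return IMG_ERR_TOO_LARGE;
    size_t need = stride * (size_t)r->height;
    if (r->pixels_len < need)
        return IMG_ERR_SHORT_DATA;
    if (out_bytes)
        *out_bytes = need;
    return IMG_OK;
}

/* Stand-in for the draw step (hypothetical; not goffice's go_image_draw).
 * Returns false and draws nothing for a rejected record. */
bool img_record_draw(const img_record *r)
{
    size_t need;
    if (img_record_validate(r, &need) != IMG_OK)
        return false;
    /* Real code would call gdk_cairo_set_source_pixbuf() and cairo_paint() here. */
    return true;
}

/* Constructed sample records (not data from the fuzzed file on the page). */
static const unsigned char sample_px[2 * 2 * IMG_BYTES_PER_PX] = { 0 };

const img_record SAMPLE_FUZZED = { -1, -1, NULL, 0 };                   /* mirrors the crash frame */
const img_record SAMPLE_VALID  = { 2, 2, sample_px, sizeof sample_px }; /* 16 bytes needed, 16 present */
const img_record SAMPLE_SHORT  = { 4, 4, sample_px, sizeof sample_px }; /* 64 bytes needed, 16 present */
const img_record SAMPLE_HUGE   = { 65536, 65536, sample_px, sizeof sample_px };

int main(void)
{
    const img_record *cases[] = { &SAMPLE_FUZZED, &SAMPLE_VALID, &SAMPLE_SHORT, &SAMPLE_HUGE };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t need = 0;
        img_status st = img_record_validate(cases[i], &need);
        printf("case %zu: status=%d drawn=%s bytes=%zu\n", i, (int)st,
               img_record_draw(cases[i]) ? "yes" : "no", need);
    }
    return 0;
}
```

The point of placing the check at the importer/drawing boundary is that the drawing code runs inside a GTK+ print callback with no window object, so any assumption the toolkit makes about valid input is enforced only by the caller.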

Comment 2 Jean Bréfort 2013-08-09 10:06:48 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.