After an evaluation, GNOME has moved from Bugzilla to GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 706663 - Null pointer crash on converting a fuzzed xlsx file into pdf
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: Charting
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Jean Bréfort
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2013-08-23 13:32 UTC by jutaky
Modified: 2013-08-23 18:02 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2013-08-23 13:32:48 UTC
Null pointer crash on converting a fuzzed xlsx file into pdf.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_19784_379760.2pdf.xlsx

"ssconvert gnumeric_case_19784_379760.2pdf.xlsx out.pdf":

==7734== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f858ee222de sp 0x7fff2fdc59d0 bp 0x7fff2fdc5f30 T0)
AddressSanitizer can not provide additional info.
    #0 gog_line_view_render gnumeric/goffice/plugins/plot_barcol/gog-line.c:1090
    #1 gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:894
    #2 gog_chart_view_render gnumeric/goffice/goffice/graph/gog-chart.c:1482
    #3 gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:894
    #4 gog_graph_view_render gnumeric/goffice/goffice/graph/gog-graph.c:1029
    #5 gog_view_render gnumeric/goffice/goffice/graph/gog-view.c:889
    #6 gog_renderer_render_to_cairo gnumeric/goffice/goffice/graph/gog-renderer.c:1510
    #7 gog_graph_render_to_cairo gnumeric/goffice/goffice/graph/gog-graph.c:1337
    #8 gnm_sog_draw_cairo gnumeric/gnumeric/src/sheet-object-graph.c:454
    #9 sheet_object_draw_cairo gnumeric/gnumeric/src/sheet-object.c:764
    #10 gnm_print_sheet_objects gnumeric/gnumeric/src/print.c:244
    #11 print_page_cells gnumeric/gnumeric/src/print.c:262
    #12 print_page gnumeric/gnumeric/src/print.c:649
    #13 gnm_draw_page_cb gnumeric/gnumeric/src/print.c:1431
    #14 _gtk_marshal_VOID__OBJECT_INT file-roller/gtk+/gtk/gtkmarshalers.c:5172
    #15 g_closure_invoke gnumeric/glib/gobject/gclosure.c:777
    #16 signal_emit_unlocked_R gnumeric/glib/gobject/gsignal.c:3582
    #17 g_signal_emit_valist gnumeric/glib/gobject/gsignal.c:3326
    #18 g_signal_emit gnumeric/glib/gobject/gsignal.c:3382
    #19 common_render_page file-roller/gtk+/gtk/gtkprintoperation.c:2684
    #20 print_pages_idle file-roller/gtk+/gtk/gtkprintoperation.c:2893
    #21 gdk_threads_dispatch file-roller/gtk+/gdk/gdk.c:804
    #22 g_idle_dispatch gnumeric/glib/glib/gmain.c:5250
    #23 g_main_dispatch gnumeric/glib/glib/gmain.c:3065
    #24 g_main_context_dispatch gnumeric/glib/glib/gmain.c:3641
    #25 g_main_context_iterate gnumeric/glib/glib/gmain.c:3712
    #26 g_main_loop_run gnumeric/glib/glib/gmain.c:3906
    #27 print_pages file-roller/gtk+/gtk/gtkprintoperation.c:3064
    #28 gtk_print_operation_run file-roller/gtk+/gtk/gtkprintoperation.c:3238
    #29 gnm_print_sheet gnumeric/gnumeric/src/print.c:1861
    #30 pdf_write_workbook gnumeric/gnumeric/src/print-info.c:851
    #31 pdf_export gnumeric/gnumeric/src/print-info.c:876
    #32 go_file_saver_save_real gnumeric/goffice/goffice/app/file.c:577
    #33 go_file_saver_save gnumeric/goffice/goffice/app/file.c:848
    #34 wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1055
    #35 wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1092
    #36 wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1128
    #37 convert gnumeric/gnumeric/src/ssconvert.c:788
    #38 main gnumeric/gnumeric/src/ssconvert.c:860
    #39 __libc_start_main ??:?
    #40 _start ??:?
==7734== ABORTING

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-08-23 17:14:41 UTC
Opening the file in Gnumeric and changing to tab 'Line' yields:

Program received signal SIGSEGV, Segmentation fault.
0xaa9e5d4b in gog_line_view_render (view=0xaaa76290, bbox=0x0)
    at gog-line.c:1090
1090					points[i][j].x = x;
(gdb) bt
#0  gog_line_view_render at gog-line.c line 1090
#1  gog_view_render at graph/gog-view.c line 894
#2  gog_chart_view_render at graph/gog-chart.c line 1482
#3  gog_view_render at graph/gog-view.c line 894
#4  gog_graph_view_render at graph/gog-graph.c line 1029
#5  gog_view_render at graph/gog-view.c line 889
#6  gog_renderer_update at graph/gog-renderer.c line 1404
#7  goc_graph_update_bounds at canvas/goc-graph.c line 222
#8  _goc_item_update_bounds at canvas/goc-item.c line 309
#9  goc_item_maybe_invalidate at canvas/goc-item.c line 467
#10 goc_item_invalidate at canvas/goc-item.c line 487
#11 goc_item_bounds_changed at canvas/goc-item.c line 588
#12 goc_graph_set_property at canvas/goc-graph.c line 111
#13 g_object_set_valist from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#14 goc_item_set at canvas/goc-item.c line 376
#15 so_graph_view_set_bounds at sheet-object-graph.c line 67
#16 sheet_object_view_set_bounds at sheet-object.c line 1289
#17 cb_bounds_changed at gnm-pane.c line 3114
#18 g_cclosure_marshal_VOID__VOID from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#19 g_closure_invoke from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#20 ?? from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#21 g_signal_emit_valist from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#22 g_signal_emit from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0

While this is clearly a problem created by importing a chart from xlsx, we are crashing in the charting code.
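The gdb frame above shows the render callback being entered with bbox=0x0 and then writing through it at points[i][j].x = x. The example below is an added illustration, not goffice code and not the fix that was committed: it is a stand-alone line-plot render step, written in C with hypothetical names (line_rect, line_series, line_render_points), that treats the bounding box and the series data as untrusted input from the importer and returns a status instead of dereferencing a NULL box, a degenerate box, or a series whose value array is missing. The sample series values and rectangle are constructed for the example.

```c
/* Added example, not goffice code. A render step that validates its inputs
 * before computing point coordinates. All type and function names here are
 * hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct { double x, y, w, h; } line_rect;   /* hypothetical bbox type */
typedef struct { double x, y; } line_point;
typedef struct {
    const double *values;   /* y values; NULL only if n_values == 0 */
    size_t n_values;
} line_series;

typedef enum {
    LINE_RENDER_OK = 0,
    LINE_RENDER_NO_BBOX,      /* bbox was NULL: the view has no geometry yet */
    LINE_RENDER_EMPTY_BBOX,   /* zero or negative extent, nothing to draw */
    LINE_RENDER_BAD_SERIES,   /* NULL values with n_values > 0, or length mismatch */
    LINE_RENDER_OOM
} line_render_status;

/* Map every series into device space inside bbox.
 * On success *out receives n_series * n_points points, row-major by series,
 * which the caller frees. On any failure *out is NULL and *n_out is 0.
 * The function never writes through bbox or series[i].values without
 * checking them first. */
line_render_status
line_render_points(const line_series *series, size_t n_series,
                   const line_rect *bbox, double vmin, double vmax,
                   line_point **out, size_t *n_out)
{
    if (out == NULL || n_out == NULL)
        return LINE_RENDER_BAD_SERIES;
    *out = NULL;
    *n_out = 0;

    /* This is the check the crashing frame lacked: a NULL box is a valid
     * state for a view whose bounds have not been set, not a fatal error. */
    if (bbox == NULL)
        return LINE_RENDER_NO_BBOX;
    if (!(bbox->w > 0.0) || !(bbox->h > 0.0) || !(vmax > vmin))
        return LINE_RENDER_EMPTY_BBOX;
    if (n_series == 0 || series == NULL)
        return LINE_RENDER_OK;           /* nothing to draw */

    /* Imported data decides the shape; validate it before sizing the buffer. */
    size_t n_points = series[0].n_values;
    for (size_t i = 0; i < n_series; i++) {
        if (series[i].n_values != n_points)
            return LINE_RENDER_BAD_SERIES;
        if (series[i].n_values > 0 && series[i].values == NULL)
            return LINE_RENDER_BAD_SERIES;
    }
    if (n_points == 0)
        return LINE_RENDER_OK;
    if (n_points > SIZE_MAX / n_series / sizeof(line_point))
        return LINE_RENDER_OOM;          /* multiplication would overflow */

    line_point *pts = malloc(n_series * n_points * sizeof *pts);
    if (pts == NULL)
        return LINE_RENDER_OOM;

    double step = (n_points > 1) ? bbox->w / (double)(n_points - 1) : 0.0;
    for (size_t i = 0; i < n_series; i++) {
        for (size_t j = 0; j < n_points; j++) {
            double v = series[i].values[j];
            if (v != v)                  /* NaN from a fuzzed cell: clamp low */
                v = vmin;
            if (v < vmin) v = vmin;      /* +/-inf collapse to the axis limits */
            if (v > vmax) v = vmax;
            pts[i * n_points + j].x = bbox->x + step * (double)j;
            /* device y grows downward: vmax lands on the top edge */
            pts[i * n_points + j].y =
                bbox->y + bbox->h * (1.0 - (v - vmin) / (vmax - vmin));
        }
    }
    *out = pts;
    *n_out = n_series * n_points;
    return LINE_RENDER_OK;
}
```

The point of returning LINE_RENDER_NO_BBOX rather than asserting is that, as the second backtrace shows, the render path can be reached from a property setter (goc_graph_set_property via goc_item_bounds_changed) before the view has a complete geometry, so a missing box is an ordering condition the renderer has to tolerate, not a programming error worth a crash.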
Comment 2 Jean Bréfort 2013-08-23 18:02:50 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.