GNOME Bugzilla – Bug 707875
Segfault on a fuzzed .xls file
Last modified: 2013-09-13 14:08:26 UTC
Segfault on a fuzzed .xls file. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_17766_49314.xls

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe61edc45 in excel_externsheet_v7 (container=0x7fffffffe080, idx=1) at ms-excel-read.c:6108
6108        g_return_val_if_fail (idx <= (int)externsheets->len, NULL);
(gdb) bt
Trace 232466

--
Juha Kylmänen
Research Assistant, OUSPG
While I don't see a crash, I do see this. And that's bad.

==21905== Conditional jump or move depends on uninitialised value(s)
==21905==    at 0x152D86A0: excel_externsheet_v7 (ms-excel-read.c:6106)
==21905==    by 0x152EF039: excel_parse_formula1 (ms-formula-read.c:1690)
==21905==    by 0x152F061D: excel_parse_formula (ms-formula-read.c:1844)
==21905==    by 0x152CFDCB: ms_sheet_parse_expr_internal (ms-excel-read.c:302)
==21905==    by 0x152CFEB3: ms_wb_parse_expr (ms-excel-read.c:3223)
==21905==    by 0x152F31C9: ms_obj_read_expr.isra.8 (ms-obj.c:519)
==21905==    by 0x152F3636: read_pre_biff8_read_name_and_fmla (ms-obj.c:619)
==21905==    by 0x152F471E: ms_read_OBJ (ms-obj.c:749)
==21905==    by 0x152DEA05: excel_read_workbook (ms-excel-read.c:7183)
==21905==    by 0x152C7DEE: excel_enc_file_open (boot.c:193)
==21905==    by 0x53C6D72: go_plugin_file_opener_open (go-plugin-service.c:685)
==21905==    by 0x4F9E03E: workbook_view_new_from_input (workbook-view.c:1277)
==21905==    by 0x4F9E28C: workbook_view_new_from_uri (workbook-view.c:1337)
==21905==    by 0x40392C: main (main-application.c:321)
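The two reports above share one shape: a sheet index read straight from file data reaches excel_externsheet_v7, and the check it hits (`idx <= (int)externsheets->len`) is evaluated against reader state that is either unset or not yet built. The following is an added illustration of that class of check, written for this page; it is not gnumeric's code and does not claim to be the fix that was committed. It assumes a hypothetical `Container` whose EXTERNSHEET table only exists once such a record has been parsed, a 1-based index (consistent with the `<=` comparison shown in the gdb output, but an assumption here), and constructed record bytes that are not taken from the test file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the reader's per-workbook state. The table of
 * EXTERNSHEET entries exists only after such a record has been parsed, so a
 * formula referring to a sheet can arrive while the table is still absent.
 * Zero-initialise it: "not seen yet" must be a definite NULL, never garbage
 * (an uninitialised pointer here is exactly what valgrind would flag). */
typedef struct {
    const char **sheets;   /* EXTERNSHEET names, or NULL if none parsed yet */
    size_t       len;      /* number of entries in sheets */
} Container;

/* Resolve a 1-based external-sheet index that came straight from file data.
 * Returns NULL instead of dereferencing when:
 *   - no table exists at all (the "formula before EXTERNSHEET" case),
 *   - idx < 1, or
 *   - idx > len (1-based, so idx == len is the last valid entry). */
const char *externsheet_lookup(const Container *c, int16_t idx)
{
    if (c == NULL || c->sheets == NULL)
        return NULL;
    if (idx < 1 || (size_t)idx > c->len)
        return NULL;
    return c->sheets[idx - 1];
}

/* Read a little-endian int16 at offset off of a record body without running
 * past the record's declared length. Returns 0 on success, -1 on a short read. */
int read_sheet_index(const uint8_t *rec, size_t rec_len, size_t off, int16_t *out)
{
    if (rec == NULL || out == NULL || off > rec_len || rec_len - off < 2)
        return -1;
    *out = (int16_t)(rec[off] | ((uint16_t)rec[off + 1] << 8));
    return 0;
}

/* Parse one constructed formula-like record (index at offset 0) and resolve
 * it. Returns the sheet name, or NULL for a malformed record or bad index. */
const char *resolve_record(const Container *c, const uint8_t *rec, size_t rec_len)
{
    int16_t idx;
    if (read_sheet_index(rec, rec_len, 0, &idx) != 0)
        return NULL;
    return externsheet_lookup(c, idx);
}

/* Constructed inputs for the demonstration, not bytes from the bug's file. */
static const char   *k_sheets[]    = { "Sheet1", "Sheet2" };
static Container     k_container   = { k_sheets, 2 };
static const uint8_t k_rec_ok[]    = { 0x02, 0x00 };  /* idx 2: last valid entry */
static const uint8_t k_rec_big[]   = { 0x03, 0x00 };  /* idx 3: one past the end */
static const uint8_t k_rec_neg[]   = { 0xff, 0xff };  /* idx -1: negative */
static const uint8_t k_rec_short[] = { 0x01 };        /* truncated record */

/* Feed an index to a container that never saw an EXTERNSHEET record
 * (sheets == NULL), mirroring idx=1 from the reported crash. Returns 1 when
 * the lookup declines cleanly instead of touching a missing table. */
int lookup_without_table_is_safe(void)
{
    Container empty = { NULL, 0 };
    const uint8_t rec[] = { 0x01, 0x00 };
    return resolve_record(&empty, rec, sizeof rec) == NULL;
}

int main(void)
{
    const char *name = resolve_record(&k_container, k_rec_ok, sizeof k_rec_ok);
    printf("idx 2      -> %s\n", name ? name : "rejected");
    printf("idx 3      -> %s\n", resolve_record(&k_container, k_rec_big, sizeof k_rec_big) ? "name" : "rejected");
    printf("idx -1     -> %s\n", resolve_record(&k_container, k_rec_neg, sizeof k_rec_neg) ? "name" : "rejected");
    printf("short rec  -> %s\n", resolve_record(&k_container, k_rec_short, sizeof k_rec_short) ? "name" : "rejected");
    printf("no table   -> %s\n", lookup_without_table_is_safe() ? "rejected" : "DEREFERENCED");
    return 0;
}
```

The point a fuzzing finding like this one drives home is that both halves matter: the index must be range-checked against the table that actually exists, and the state it is checked against must have been deliberately initialised, because a check against an uninitialised pointer or length is a check against whatever happened to be on the stack.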
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.