Bug 708091 - Out-of-bounds read on a fuzzed gnumeric2xls conversion
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Reported: 2013-09-14 21:59 UTC by jutaky
Modified: 2013-11-12 00:11 UTC
GNOME target: ---
GNOME version: ---



Description jutaky 2013-09-14 21:59:55 UTC
Out-of-bounds read on a fuzzed gnumeric2xls conversion.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_15327_142541.2xls.gnumeric

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3b6f444 in g_utf8_pointer_to_offset (
    str=0x7fcc20 "To view the combobox:\n--Choose View>Toolbars\n--Select the Control Toolbox\n--Click the Design Mode button\n\nIn Design mode, to change the combobox settings,\n--Select the combobox\n--Click the Properties "..., pos=0x8040a681 <Address 0x8040a681 out of bounds>) at gutf8.c:402
402		s = g_utf8_next_char (s);
(gdb) bt
#0  g_utf8_pointer_to_offset at gutf8.c:402
#1  excel_write_ClientTextbox at ms-excel-write.c:4259
#2  excel_write_other_v8 at ms-excel-write.c:4572
#3  excel_write_obj_v8 at ms-excel-write.c:4756
#4  excel_write_objs_v8 at ms-excel-write.c:5333
#5  excel_write_sheet at ms-excel-write.c:5421
#6  excel_write_workbook at ms-excel-write.c:6265
#7  excel_write_v8 at ms-excel-write.c:6318
#8  excel_save at boot.c:281
#9  excel_biff8_file_save at boot.c:322
#10 go_plugin_loader_module_func_file_save at app/go-plugin-loader-module.c:366
#11 go_plugin_file_saver_save at app/go-plugin-service.c:948
#12 go_file_saver_save at app/file.c:848
#13 wbv_save_to_output at workbook-view.c:1055
#14 wb_view_save_to_uri at workbook-view.c:1092
#15 wb_view_save_as at workbook-view.c:1128
#16 convert at ssconvert.c:788
#17 main at ssconvert.c:860

==12390== Invalid read of size 1
==12390==    at 0x8E67444: g_utf8_pointer_to_offset (gutf8.c:402)
==12390==    by 0x187317F0: excel_write_ClientTextbox (ms-excel-write.c:4259)
==12390==    by 0x18732C64: excel_write_other_v8 (ms-excel-write.c:4572)
==12390==    by 0x18733AD2: excel_write_obj_v8 (ms-excel-write.c:4756)
==12390==    by 0x1873574C: excel_write_objs_v8 (ms-excel-write.c:5333)
==12390==    by 0x18735CB8: excel_write_sheet (ms-excel-write.c:5421)
==12390==    by 0x18738FFD: excel_write_workbook (ms-excel-write.c:6265)
==12390==    by 0x187392F6: excel_write_v8 (ms-excel-write.c:6318)
==12390==    by 0x1870607C: excel_save (boot.c:281)
==12390==    by 0x18706273: excel_biff8_file_save (boot.c:322)
==12390==    by 0x5455DF4: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:366)
==12390==    by 0x54582B3: go_plugin_file_saver_save (go-plugin-service.c:948)
==12390==  Address 0x184504ad is 0 bytes after a block of size 253 alloc'd

--
Juha Kylmänen
Research Assistant, OUSPG
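Added illustration, not code from the report, from Gnumeric or from GLib: the trace shows g_utf8_pointer_to_offset walking from str towards a pos that lies outside the allocation (Valgrind places the read 0 bytes after a 253-byte block), so the loop never terminates inside valid memory. The hypothetical checked_utf8_pointer_to_offset below takes the buffer length as well and refuses any pos outside [str, str + len] before counting; the sample text is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the UTF-8 sequence introduced by lead byte c; stray
 * continuation or invalid lead bytes are treated as one byte. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Hypothetical bounds-checked counterpart to g_utf8_pointer_to_offset.
 * Counts the characters between str and pos, but only when pos lies in
 * [str, str + len]; otherwise returns -1 instead of walking past the
 * buffer the way the unchecked call does in the trace above. Pointers
 * are compared as integers so a stray pos is never dereferenced. */
long checked_utf8_pointer_to_offset(const char *str, size_t len, const char *pos)
{
    uintptr_t lo = (uintptr_t)str, hi = lo + len, p = (uintptr_t)pos;
    if (p < lo || p > hi)
        return -1;
    long offset = 0;
    for (const char *s = str; s < pos; ++offset) {
        size_t n = utf8_seq_len((unsigned char)*s);
        if ((uintptr_t)s + n > hi)  /* multi-byte sequence cut off by buffer end */
            return -1;
        s += n;
    }
    return offset;
}

int main(void)
{
    /* Constructed sample: "ab" + U+00E9 (2 bytes) + "cd", 6 bytes total. */
    const char *text = "ab\xC3\xA9" "cd";
    size_t len = strlen(text);
    printf("offset of 'd': %ld\n", checked_utf8_pointer_to_offset(text, len, text + 5));
    printf("offset of end: %ld\n", checked_utf8_pointer_to_offset(text, len, text + len));
    printf("one past end : %ld\n", checked_utf8_pointer_to_offset(text, len, text + len + 1));
    return 0;
}
```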
Comment 1 Morten Welinder 2013-11-12 00:11:53 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.