GNOME Bugzilla – Bug 712708
Wild pointer read (ABR) with fuzzed xls file
Last modified: 2013-11-19 23:48:32 UTC
Heap-buffer overread in gsf_mem_dump_full on a fuzzed xls file.
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_24204.xls

==7730== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060007f890 at pc 0x7ff2887c3ac7 bp 0x7fff5b0429e0 sp 0x7fff5b0429d8
READ of size 1 at 0x60060007f890 thread T0
    #0 0x7ff2887c3ac6 in gsf_mem_dump_full /libgsf/gsf/gsf-utils.c:254
    #1 0x7ff2887c3ee5 in gsf_mem_dump /libgsf/gsf/gsf-utils.c:284
    #2 0x7ff26768ad2e in excel_parse_formula1 /gnumeric/plugins/excel/ms-formula-read.c:1803 (discriminator 3)
    #3 0x7ff26768b37b in excel_parse_formula /gnumeric/plugins/excel/ms-formula-read.c:1844
    #4 0x7ff2675bf24c in ms_sheet_parse_expr_internal /gnumeric/plugins/excel/ms-excel-read.c:302
    #5 0x7ff267601309 in excel_read_CF /gnumeric/plugins/excel/ms-excel-read.c:5212
    #6 0x7ff2676038d9 in excel_read_CONDFMT /gnumeric/plugins/excel/ms-excel-read.c:5420
    #7 0x7ff26761832e in excel_read_sheet /gnumeric/plugins/excel/ms-excel-read.c:6736
    #8 0x7ff26761b6b0 in excel_read_BOF /gnumeric/plugins/excel/ms-excel-read.c:6994
    #9 0x7ff26761cd5e in excel_read_workbook /gnumeric/plugins/excel/ms-excel-read.c:7084
    #10 0x7ff267592bfc in excel_enc_file_open /gnumeric/plugins/excel/boot.c:193
    #11 0x7ff26759389a in excel_file_open /gnumeric/plugins/excel/boot.c:250
    #12 0x7ff28902400e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #13 0x7ff28902cf70 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #14 0x7ff2890398bf in go_file_opener_open /goffice/goffice/app/file.c:417
    #15 0x7ff28a18f684 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #16 0x7ff28a18fe73 in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #17 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #18 0x7ff284917bc4 in __libc_start_main ??:?
    #19 0x403de8 in _start ??:?
0x60060007f890 is located 0 bytes to the right of 32-byte region [0x60060007f870,0x60060007f890)

--
Juha Kylmänen
Research Assistant, OUSPG
We were reading well before an allocated block. Random crashes ensued. This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.