GNOME Bugzilla – Bug 712772
Heap-buffer-overflow in ms_escher_get_data on a fuzzed xls file
Last modified: 2013-11-20 23:50:25 UTC
Heap-buffer-overflow in ms_escher_get_data on a fuzzed xls file. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_81071.xls

I requested a CVE identifier for this one: CVE-2013-6836.

==21670== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600400200465 at pc 0x7f137e5addc1 bp 0x7fff82df2a30 sp 0x7fff82df2a28
WRITE of size 1 at 0x600400200465 thread T0
    #0 0x7f137e5addc0 in ms_escher_get_data /gnumeric/plugins/excel/ms-escher.c:245
    #1 0x7f137e5b9c25 in ms_escher_read_container /gnumeric/plugins/excel/ms-escher.c:2075
    #2 0x7f137e5b88b1 in ms_escher_read_DgContainer /gnumeric/plugins/excel/ms-escher.c:1989
    #3 0x7f137e5bb058 in ms_escher_read_container /gnumeric/plugins/excel/ms-escher.c:2152
    #4 0x7f137e5bbd74 in ms_escher_parse /gnumeric/plugins/excel/ms-escher.c:2219
    #5 0x7f137e61bdd2 in excel_read_sheet /gnumeric/plugins/excel/ms-excel-read.c:6704
    #6 0x7f137e61f7f8 in excel_read_BOF /gnumeric/plugins/excel/ms-excel-read.c:6996
    #7 0x7f137e620ea6 in excel_read_workbook /gnumeric/plugins/excel/ms-excel-read.c:7086
    #8 0x7f137e596c2c in excel_enc_file_open /gnumeric/plugins/excel/boot.c:193
    #9 0x7f137e5978ca in excel_file_open /gnumeric/plugins/excel/boot.c:250
    #10 0x7f13a002800e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #11 0x7f13a0030f70 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #12 0x7f13a003d8bf in go_file_opener_open /goffice/goffice/app/file.c:417
    #13 0x7f13a1193684 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #14 0x7f13a1193e73 in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #15 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #16 0x7f139b91bbc4 in __libc_start_main ??:?
    #17 0x403de8 in _start ??:?
0x600400200465 is located 11 bytes to the left of 16-byte region [0x600400200470,0x600400200480)

-- Juha Kylmänen
Research Assistant, OUSPG
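The trace above comes from a record walker (ms_escher_read_container calling ms_escher_get_data) that trusted a length taken from the file. The following is an added, stand-alone C example, not gnumeric's code and not a reconstruction of the actual fix; it shows the bounds discipline a reader of Escher (MS-ODRAW) records needs so that a fuzzed length field fails a check instead of reaching memcpy. The 8-byte header layout (version/instance, type, little-endian 32-bit payload length) is the documented format; the byte streams below are constructed for the example and are not taken from the test case file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Escher (MS-ODRAW) record header, 8 bytes, little-endian:
 *   bytes 0-1 : recVer (low 4 bits; 0xF marks a container) | recInstance (high 12 bits)
 *   bytes 2-3 : recType
 *   bytes 4-7 : recLen, payload length NOT including this header
 */
#define ESCHER_HDR_LEN 8u

typedef struct {
    uint8_t        ver;
    uint16_t       inst;
    uint16_t       type;
    uint32_t       len;
    const uint8_t *data;   /* payload, points into the caller's buffer */
} escher_rec;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record at *off inside buf[0..buf_len).
 * Returns 1 and advances *off past header+payload on success.
 * Returns 0 and leaves *off unchanged when the header itself is truncated
 * or when recLen claims more bytes than actually remain in the buffer.
 * All arithmetic is done on "bytes remaining" so it cannot wrap. */
int escher_read_record(const uint8_t *buf, size_t buf_len, size_t *off, escher_rec *out)
{
    if (*off > buf_len || buf_len - *off < ESCHER_HDR_LEN)
        return 0;                                  /* header would run off the end */

    const uint8_t *p         = buf + *off;
    size_t         remaining = buf_len - *off - ESCHER_HDR_LEN;
    uint32_t       len       = rd32le(p + 4);

    if (len > remaining)
        return 0;                                  /* declared payload overruns the buffer */

    uint16_t vi = rd16le(p);
    out->ver  = (uint8_t)(vi & 0x0F);
    out->inst = (uint16_t)(vi >> 4);
    out->type = rd16le(p + 2);
    out->len  = len;
    out->data = p + ESCHER_HDR_LEN;
    *off     += ESCHER_HDR_LEN + len;
    return 1;
}

/* Walk a flat sequence of records. Returns the record count, or -1 as soon
 * as one record is malformed, so nothing downstream ever sees a bad length. */
int escher_count_records(const uint8_t *buf, size_t buf_len)
{
    size_t     off = 0;
    int        n   = 0;
    escher_rec r;

    while (off < buf_len) {
        if (!escher_read_record(buf, buf_len, &off, &r))
            return -1;
        n++;
    }
    return n;
}

/* Constructed sample streams (assumed data for this example only). */
const uint8_t good_stream[] = {
    0x00, 0x00, 0x06, 0xF0, 0x04, 0x00, 0x00, 0x00, 0xAA, 0xBB, 0xCC, 0xDD, /* type 0xF006, len 4 */
    0x00, 0x00, 0x0B, 0xF0, 0x00, 0x00, 0x00, 0x00                          /* type 0xF00B, len 0 */
};
const uint8_t bad_len_stream[] = {
    0x00, 0x00, 0x06, 0xF0, 0x00, 0x00, 0x00, 0x10, 0x01, 0x02             /* len 0x10000000, 2 bytes left */
};
const uint8_t short_hdr_stream[] = { 0x00, 0x00, 0x06, 0xF0, 0x04 };     /* only 5 of 8 header bytes */

int main(void)
{
    printf("good:      %d records\n", escher_count_records(good_stream, sizeof good_stream));
    printf("bad len:   %d\n",         escher_count_records(bad_len_stream, sizeof bad_len_stream));
    printf("short hdr: %d\n",         escher_count_records(short_hdr_stream, sizeof short_hdr_stream));
    return 0;
}
```

A real reader recurses into records whose recVer is 0xF (containers), as the ms_escher_read_container frames in the trace do. The same rule applies one level down: the child walk must be bounded by the container's own validated recLen, not by the size of the enclosing buffer, otherwise a container that lies about its length lets the child parser read or write past the allocation.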
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.