GNOME Bugzilla – Bug 719349
Out-of-bounds read on a fuzzed xls file
Last modified: 2013-12-21 19:51:38 UTC
Out-of-bounds read on a fuzzed xls file. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_99585.xls

==5573== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340003c23e at pc 0x7fad53156517 bp 0x7fff82599f60 sp 0x7fff82599720
READ of size 8352 at 0x60340003c23e thread T0
    #0 0x7fad53156516 in ?? ??:0
    #1 0x7fad4d54dc36 in g_array_append_vals /glib/glib/garray.c:425
    #2 0x7fad4d54f4dd in g_byte_array_append /glib/glib/garray.c:1669
    #3 0x7fad2fd04b05 in read_pre_biff8_read_text /gnumeric/plugins/excel/ms-obj.c:548
    #4 0x7fad2fd080b9 in ms_obj_read_pre_biff8_obj /gnumeric/plugins/excel/ms-obj.c:746
    #5 0x7fad2fd0dd8f in ms_read_OBJ /gnumeric/plugins/excel/ms-obj.c:1283 (discriminator 2)
    #6 0x7fad2fc7e1d1 in excel_read_sheet /gnumeric/plugins/excel/ms-excel-read.c:6660
    #7 0x7fad2fc82864 in excel_read_BOF /gnumeric/plugins/excel/ms-excel-read.c:6996
    #8 0x7fad2fc83f12 in excel_read_workbook /gnumeric/plugins/excel/ms-excel-read.c:7086
    #9 0x7fad2fbf9c2c in excel_enc_file_open /gnumeric/plugins/excel/boot.c:193
    #10 0x7fad2fbfa8ca in excel_file_open /gnumeric/plugins/excel/boot.c:250
    #11 0x7fad5139200e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #12 0x7fad5139af70 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #13 0x7fad513a78bf in go_file_opener_open /goffice/goffice/app/file.c:417
    #14 0x7fad524fd684 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #15 0x7fad524fde73 in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #16 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #17 0x7fad4cc85bc4 in __libc_start_main ??:?
    #18 0x403de8 in _start ??:?
0x60340003c23e is located 446 bytes to the right of 0-byte region [0x60340003c080,0x60340003c080)

--
Juha Kylmänen
Research Assistant, OUSPG
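The trace above shows the general shape of this bug class: a length taken from the file is passed to g_byte_array_append, which reads that many bytes (8352 here) from a source region that is far smaller (a 0-byte allocation). The following C program is an added illustration of the defensive check a record reader needs, not gnumeric's code and not the real BIFF OBJ/TXO layout. It assumes a hypothetical record format of a little-endian 16-bit length followed by that many bytes of text, and uses a plain output buffer in place of a GByteArray; the two sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (an assumption for this example):
 *   [u16 little-endian text length][text bytes]
 * The real pre-BIFF8 OBJ records differ; only the length-vs-payload
 * check matters here. */

/* Constructed well-formed record: length 5, payload "hello". */
static const uint8_t GOOD_REC[] = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* Constructed truncated record: declared length 0x20A0 = 8352 (the
 * size ASan reported) but only one payload byte actually present. */
static const uint8_t BAD_REC[] = { 0xA0, 0x20, 'x' };

/* Hardened reader: validates the declared length against the bytes
 * actually available in the record before copying anything.
 * Returns the number of bytes appended, or -1 for a malformed record. */
static int read_text_checked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 2)
        return -1;                       /* no room for the length field */

    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    size_t avail = rec_len - 2;          /* payload bytes really present */

    if (len > avail)
        return -1;                       /* would read past the record */
    if (len > out_cap)
        return -1;                       /* would overflow the destination */

    memcpy(out, rec + 2, len);           /* same role as g_byte_array_append */
    return (int)len;
}

/* Diagnostic helper: how many bytes past the end of `rec` a reader that
 * trusts the length field unconditionally would read. 0 means the
 * record is self-consistent. Computes the overread without performing it. */
static size_t overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 2)
        return 2 - rec_len;              /* even the length field is short */

    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    size_t avail = rec_len - 2;
    return len > avail ? len - avail : 0;
}

int main(void)
{
    uint8_t buf[64];
    int n;

    n = read_text_checked(GOOD_REC, sizeof GOOD_REC, buf, sizeof buf);
    printf("good record: appended %d bytes, overread would be %zu\n",
           n, overread_bytes(GOOD_REC, sizeof GOOD_REC));

    n = read_text_checked(BAD_REC, sizeof BAD_REC, buf, sizeof buf);
    printf("bad record: result %d, unchecked reader would overread by %zu bytes\n",
           n, overread_bytes(BAD_REC, sizeof BAD_REC));
    return 0;
}
```

The check to carry over to a real parser is the `len > avail` comparison: the remaining length of the enclosing record, not the value embedded in the file, bounds every append. A fuzzer finds the missing comparison quickly because any record whose length field exceeds its payload trips ASan on the first copy.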
Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find. *** This bug has been marked as a duplicate of bug 720358 ***