Bug 749031 – Segfault (invalid write) in xlsx-read-color.c on a fuzzed xlsx file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 749031 - Segfault (invalid write) in xlsx-read-color.c on a fuzzed xlsx file


Summary:	Segfault (invalid write) in xlsx-read-color.c on a fuzzed xlsx file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2015-05-06 17:47 UTC by jutaky
Modified:	2015-05-07 01:59 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-05-06 17:47:24 UTC

Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_10858_33027.xlsx

ssconvert gnumeric_case_10858_33027.xlsx /tmp/out.gnumeric

==21431==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b8 (pc 0x7faff0bc5eab sp 0x7ffc6d98eca0 bp 0x7ffc6d98ecb0 T0)
    #0 0x7faff0bc5eaa in color_set_helper gnumeric/gnumeric/plugins/excel/xlsx-read-color.c:216
    #1 0x7faff0bcc216 in xlsx_draw_color_themed gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:469
    #2 0x7fb014df8f36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #3 0x7fb014df927e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #4 0x7fb014dfa0dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #5 0x7fb0145ec01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #6 0x7fb0145f8a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #7 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #8 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #9 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #10 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #11 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #12 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #13 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #14 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #15 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #16 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #17 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #18 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #19 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #20 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #21 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #22 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #23 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #24 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #25 0x7fb014601e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #26 0x7fb014dfd0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #27 0x7fb014e0f0c7 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432
    #28 0x7faff0bb6750 in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383
    #29 0x7faff0bdf21b in xlsx_read_chart gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:3061
    #30 0x7fb014df8f36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #31 0x7fb014df927e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #32 0x7fb014dfa0dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #33 0x7fb0145ec01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #34 0x7fb0145f8a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #35 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #36 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #37 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #38 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #39 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #40 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #41 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #42 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #43 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #44 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #45 0x7fb014601e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #46 0x7fb014dfd0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #47 0x7fb014e0f0c7 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432
    #48 0x7faff0bb6750 in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383
    #49 0x7faff0be26bd in xlsx_sheet_drawing gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:3561
    #50 0x7fb014df8f36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #51 0x7fb014df927e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #52 0x7fb014dfa0dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #53 0x7fb0145ec01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #54 0x7fb0145f8a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #55 0x7fb0145f7df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #56 0x7fb0145f9a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #57 0x7fb014601e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #58 0x7fb014dfd0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #59 0x7faff0bb6558 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358
    #60 0x7faff0bfeb3a in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3907
    #61 0x7fb014dfa7de in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863
    #62 0x7fb0145ecd7b in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747
    #63 0x7fb0145f9e6b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191
    #64 0x7fb014601e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #65 0x7fb014dfd0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #66 0x7faff0bb6558 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358
    #67 0x7faff0c0766d in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5043
    #68 0x7fb0158f23af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #69 0x7fb0158f84fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #70 0x7fb015900550 in go_file_opener_open app/file.c:417
    #71 0x7fb0167de29a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #72 0x7fb0167de734 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #73 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #74 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #75 0x7fb00ef187ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #76 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-05-07 01:59:13 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.