GNOME Bugzilla – Bug 749167
Global buffer overread in go-format.c on a fuzzed .gnumeric file
Last modified: 2015-05-09 20:08:58 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2278_87380.gnumeric

$ ssconvert gnumeric_case_2278_87380.gnumeric /tmp/out.gnumeric
==857==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f91d20c4610 at pc 0x7f91d1f2f780 bp 0x7ffd19969650 sp 0x7ffd19969640
READ of size 4 at 0x7f91d20c4610 thread T0
    #0 0x7f91d1f2f77f in go_format_parse utils/go-format.c:2562
    #1 0x7f91d1f43531 in go_format_new_from_XL utils/go-format.c:6194
    #2 0x7f91d29027ee in gnm_format_import gnumeric/gnumeric/src/gnm-format.c:420
    #3 0x7f91d2c40a68 in make_format gnumeric/gnumeric/src/xml-sax-read.c:121
    #4 0x7f91d2c4ea7d in xml_sax_style_start gnumeric/gnumeric/src/xml-sax-read.c:1497
    #5 0x7f91d120af36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #6 0x7f91d120b27e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #7 0x7f91d120c0dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #8 0x7f91d09fe01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #9 0x7f91d0a0aa8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #10 0x7f91d0a09df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #11 0x7f91d0a0ba24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #12 0x7f91d0a09df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #13 0x7f91d0a0ba24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #14 0x7f91d0a09df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #15 0x7f91d0a0ba24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #16 0x7f91d0a09df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #17 0x7f91d0a0ba24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #18 0x7f91d0a09df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #19 0x7f91d0a0ba24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #20 0x7f91d0a13e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #21 0x7f91d120f0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #22 0x7f91d2c60514 in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3401
    #23 0x7f91d2c617e6 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3530
    #24 0x7f91d1d10b47 in go_file_opener_open_real app/file.c:159
    #25 0x7f91d1d12550 in go_file_opener_open app/file.c:417
    #26 0x7f91d2bf0331 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #27 0x7f91d2bf07cb in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #28 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #29 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #30 0x7f91cb3217ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #31 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x7f91d20c4610 is located 48 bytes to the left of global variable '*.LC593' from 'utils/go-format.c' (0x7f91d20c4640) of size 2
  '*.LC593' is ascii string 'Y'
0x7f91d20c4610 is located 0 bytes to the right of global variable 'ops' from 'utils/go-format.c' (0x7f91d20c4600) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow utils/go-format.c:2562 go_format_parse

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.