GNOME Bugzilla – Bug 749236
Use-after-free in gnm_func_get_name on a fuzzed .gnumeric file
Last modified: 2015-05-11 18:27:59 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2278_314370.gnumeric

$ ssconvert gnumeric_case_2278_314370.gnumeric /tmp/out.gnumeric
==28776==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0006c1e40 at pc 0x7f8963a046d6 bp 0x7ffd18ce1840 sp 0x7ffd18ce1830
READ of size 8 at 0x60c0006c1e40 thread T0
    #0 0x7f8963a046d5 in gnm_func_get_name gnumeric/gnumeric/src/func.c:1528
    #1 0x7f8963b5b92d in std_expr_func_handler gnumeric/gnumeric/src/parse-util.c:1250
    #2 0x7f89639db054 in do_expr_as_string gnumeric/gnumeric/src/expr.c:1747
    #3 0x7f89639dbff6 in gnm_expr_as_string gnumeric/gnumeric/src/expr.c:1859
    #4 0x7f89639e8304 in cb_expression_pool_leak gnumeric/gnumeric/src/expr.c:3428
    #5 0x7f895ca45c7f in g_slist_foreach gnumeric/glib/glib/gslist.c:878
    #6 0x7f8963078d62 in go_mem_chunk_foreach_leak utils/go-glib-extras.c:722
    #7 0x7f89639e83f5 in _gnm_expr_shutdown gnumeric/gnumeric/src/expr.c:3438
    #8 0x7f8963a89615 in gnm_shutdown gnumeric/gnumeric/src/libgnumeric.c:388
    #9 0x409507 in main gnumeric/gnumeric/src/ssconvert.c:913
    #10 0x7f895c42f7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #11 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

Another leak?

-- Juha Kylmänen
Yes. This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.