GNOME Bugzilla – Bug 749240
Heap-buffer overflow in plugins/sc/sc.c on a fuzzed .sc file
Last modified: 2015-05-11 23:28:30 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24118_74455.sc

$ ssconvert gnumeric_case_24118_74455.sc /tmp/out.gnumeric
==28684==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001f602f at pc 0x7faf15b4cb6d bp 0x7fff7859a7c0 sp 0x7fff7859a7b0
WRITE of size 1 at 0x6020001f602f thread T0
    #0 0x7faf15b4cb6c in sc_parse_label gnumeric/gnumeric/plugins/sc/sc.c:604
    #1 0x7faf15b4ed1c in sc_parse_line gnumeric/gnumeric/plugins/sc/sc.c:907
    #2 0x7faf15b4f01a in sc_parse_sheet gnumeric/gnumeric/plugins/sc/sc.c:931
    #3 0x7faf15b4f8fd in sc_file_open gnumeric/gnumeric/plugins/sc/sc.c:1038
    #4 0x7faf3a6683af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #5 0x7faf3a66e4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #6 0x7faf3a676550 in go_file_opener_open app/file.c:417
    #7 0x7faf3b5544ff in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #8 0x7faf3b554999 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #9 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #10 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #11 0x7faf33c847ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #12 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x6020001f602f is located 1 bytes to the left of 2-byte region [0x6020001f6030,0x6020001f6032)
allocated by thread T0 here:
    #0 0x7faf3c0407a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7faf3427fb7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7faf3427fe71 in g_malloc_n gnumeric/glib/glib/gmem.c:336
    #3 0x7faf3429b433 in g_strdup gnumeric/glib/glib/gstrfuncs.c:356
    #4 0x7faf15b4c99a in sc_parse_label gnumeric/gnumeric/plugins/sc/sc.c:589
    #5 0x7faf15b4ed1c in sc_parse_line gnumeric/gnumeric/plugins/sc/sc.c:907
    #6 0x7faf15b4f01a in sc_parse_sheet gnumeric/gnumeric/plugins/sc/sc.c:931
    #7 0x7faf15b4f8fd in sc_file_open gnumeric/gnumeric/plugins/sc/sc.c:1038
    #8 0x7faf3a6683af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #9 0x7faf3a66e4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #10 0x7faf3a676550 in go_file_opener_open app/file.c:417
    #11 0x7faf3b5544ff in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #12 0x7faf3b554999 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #13 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #14 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #15 0x7faf33c847ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/sc/sc.c:604 sc_parse_label

-- Juha Kylmänen
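The sanitizer output above (a 1-byte write one byte before a g_strdup'd region) is the signature of a string indexed at length minus one when the length is zero. The following is an added illustration of that bug class and its bounds-checked form; it is not gnumeric's sc.c, which the report does not show, and the label-stripping logic in it is an assumption.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Index that a naive "overwrite the trailing quote" step computes as
 * strlen(label) - 1. For an empty label this is -1: a one-byte write just
 * before the heap allocation, which is what ASan reported. Returned as a
 * signed value so the caller can see the underflow without performing it. */
long naive_strip_index(const char *label)
{
    return (long)strlen(label) - 1;
}

/* Hardened form (assumed, not the project's code): copy the label and drop
 * a trailing '"' only when the string is non-empty and actually ends with
 * one. Returns a malloc'd string the caller frees, or NULL on failure. */
char *sc_label_dup_safe(const char *label)
{
    size_t len = strlen(label);
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, label, len + 1);
    if (len > 0 && s[len - 1] == '"')
        s[len - 1] = '\0';
    return s;
}

int main(void)
{
    /* Constructed inputs: a normal quoted label, a lone quote, and the
     * empty label that drives the naive index to -1. */
    const char *samples[] = { "total\"", "\"", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *s = sc_label_dup_safe(samples[i]);
        printf("input=[%s] naive_index=%ld safe=[%s]\n",
               samples[i], naive_strip_index(samples[i]), s ? s : "(null)");
        free(s);
    }
    return 0;
}
```
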
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.