GNOME Bugzilla – Bug 749424
Use-after-free in src/position.c:611 on a fuzzed xls file
Last modified: 2015-05-15 17:11:46 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_20048_600.xls

$ ssconvert gnumeric_case_20048_600.xls /tmp/out.gnumeric
==10883==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300007a4d4 at pc 0x7f642d5e275e bp 0x7ffdc168b4b0 sp 0x7ffdc168b4a8
READ of size 4 at 0x60300007a4d4 thread T0
    #0 0x7f642d5e275d in gnm_cellpos_equal gnumeric/gnumeric/src/position.c:611:10
    #1 0x7f6423818483 in g_hash_table_lookup_node gnumeric/glib/glib/ghash.c:396
    #2 0x7f642381961c in g_hash_table_insert_internal gnumeric/glib/glib/ghash.c:1226
    #3 0x7f642381967c in g_hash_table_insert gnumeric/glib/glib/ghash.c:1253
    #4 0x7f6405e4aaf9 in excel_formula_shared gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2856:2
    #5 0x7f6405dcda05 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2958:11
    #6 0x7f6405db3406 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6641:25
    #7 0x7f6405d24d44 in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7067:4
    #8 0x7f6405d1bfe3 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7173:4
    #9 0x7f6405c6e4c5 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #10 0x7f6405c6fd84 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #11 0x7f642ad4c558 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #12 0x7f642ad6bdbd in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #13 0x7f642ad805cb in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #14 0x7f642ddf86f7 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #15 0x7f642ddf92e0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #16 0x4e7171 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #17 0x4e49fc in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #18 0x7f6422e1b7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #19 0x438988 in _start (apps/bin/ssconvert+0x438988)

0x60300007a4d4 is located 4 bytes inside of 32-byte region [0x60300007a4d0,0x60300007a4f0)
freed by thread T0 here:
    #0 0x4bf672 in __interceptor_free (apps/bin/ssconvert+0x4bf672)
    #1 0x7f6423834cde in g_free gnumeric/glib/glib/gmem.c:192
    #2 0x7f6405da8a79 in excel_shared_formula_free gnumeric/gnumeric/plugins/excel/ms-excel-read.c:872:3
    #3 0x7f642381918c in g_hash_table_insert_node gnumeric/glib/glib/ghash.c:991
    #4 0x7f6423819649 in g_hash_table_insert_internal gnumeric/glib/glib/ghash.c:1228
    #5 0x7f642381967c in g_hash_table_insert gnumeric/glib/glib/ghash.c:1253
    #6 0x7f6405e4aaf9 in excel_formula_shared gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2856:2
    #7 0x7f6405dcda05 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2958:11
    #8 0x7f6405db3406 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6641:25
    #9 0x7f6405d24d44 in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7067:4
    #10 0x7f6405d1bfe3 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7173:4
    #11 0x7f6405c6e4c5 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #12 0x7f6405c6fd84 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #13 0x7f642ad4c558 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #14 0x7f642ad6bdbd in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #15 0x7f642ad805cb in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #16 0x7f642ddf86f7 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #17 0x7f642ddf92e0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #18 0x4e7171 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #19 0x4e49fc in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #20 0x7f6422e1b7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

previously allocated by thread T0 here:
    #0 0x4bf952 in __interceptor_malloc (apps/bin/ssconvert+0x4bf952)
    #1 0x7f6423834b7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f6423834e71 in g_malloc_n gnumeric/glib/glib/gmem.c:336
    #3 0x7f6405e49e1d in excel_formula_shared gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2841:7
    #4 0x7f6405dcda05 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2958:11
    #5 0x7f6405db3406 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6641:25
    #6 0x7f6405d24d44 in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7067:4
    #7 0x7f6405d1bfe3 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7173:4
    #8 0x7f6405c6e4c5 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #9 0x7f6405c6fd84 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #10 0x7f642ad4c558 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #11 0x7f642ad6bdbd in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #12 0x7f642ad805cb in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #13 0x7f642ddf86f7 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #14 0x7f642ddf92e0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #15 0x4e7171 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #16 0x4e49fc in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #17 0x7f6422e1b7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/src/position.c:611 gnm_cellpos_equal

-- Juha Kylmänen
I don't actually see this. However, I have attempted a fix anyway. Please test.
The fix seems to work. Gnumeric to xls no longer UAFs. Gnumeric to ods on the same file leaks. But do I interpret this right that the leak is elsewhere?

==3081==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 12800 byte(s) in 20 object(s) allocated from:
    #0 0x4bfc95 in realloc (apps/bin/ssconvert+0x4bfc95)
    #1 0x7f51cb2e4e59 (/usr/lib/libfontconfig.so.1+0x1be59)

Indirect leak of 33472 byte(s) in 1046 object(s) allocated from:
    #0 0x4bf952 in __interceptor_malloc (apps/bin/ssconvert+0x4bf952)
    #1 0x7f51cb2d458f (/usr/lib/libfontconfig.so.1+0xb58f)

Indirect leak of 19703 byte(s) in 1747 object(s) allocated from:
    #0 0x4bf952 in __interceptor_malloc (apps/bin/ssconvert+0x4bf952)
    #1 0x7f51cee74f39 in __GI___strdup (/usr/lib/libc.so.6+0x7ff39)

Indirect leak of 16384 byte(s) in 512 object(s) allocated from:
    #0 0x4bfacb in calloc (apps/bin/ssconvert+0x4bfacb)
    #1 0x7f51cb2e4a7c (/usr/lib/libfontconfig.so.1+0x1ba7c)

Indirect leak of 10496 byte(s) in 328 object(s) allocated from:
    #0 0x4bfacb in calloc (apps/bin/ssconvert+0x4bfacb)
    #1 0x7f51cb2e55b9 (/usr/lib/libfontconfig.so.1+0x1c5b9)

Indirect leak of 7232 byte(s) in 226 object(s) allocated from:
    #0 0x4bfacb in calloc (apps/bin/ssconvert+0x4bfacb)
    #1 0x7f51cb2e4ad5 (/usr/lib/libfontconfig.so.1+0x1bad5)

Indirect leak of 640 byte(s) in 20 object(s) allocated from:
    #0 0x4bfacb in calloc (apps/bin/ssconvert+0x4bfacb)
    #1 0x7f51cb2e4974 (/usr/lib/libfontconfig.so.1+0x1b974)

Indirect leak of 480 byte(s) in 10 object(s) allocated from:
    #0 0x4bf952 in __interceptor_malloc (apps/bin/ssconvert+0x4bf952)
    #1 0x7f51cb2dfa1d in FcLangSetCreate (/usr/lib/libfontconfig.so.1+0x16a1d)
Those are fontconfig leaks not under our control.