GNOME Bugzilla – Bug 750044
Heap-buffer overread in excel/ms-excel-read.c:1656 on a fuzzed xls file
Last modified: 2015-06-01 14:59:31 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_ms-excel-read.c.1656.xls

$ ssconvert gnumeric_case_ms-excel-read.c.1656.xls /tmp/out.gnumeric
==27365==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b8cdc at pc 0x7f070fa95fa4 bp 0x7fff3e5e9690 sp 0x7fff3e5e9680
READ of size 1 at 0x6020001b8cdc thread T0
    #0 0x7f070fa95fa3 in excel_read_FONT gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1656
    #1 0x7f070fabb7ab in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7185
    #2 0x7f070fa6a3e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #3 0x7f070fa6ab33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #4 0x7f07335bc337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #5 0x7f07335c4e48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #6 0x7f07335ca79c in go_file_opener_open app/file.c:417
    #7 0x7f07343a7096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #8 0x7f07343a7427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #9 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #10 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #11 0x7f072d9d17ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #12 0x4049c8 in _start (apps/bin/ssconvert+0x4049c8)

0x6020001b8cdc is located 0 bytes to the right of 12-byte region [0x6020001b8cd0,0x6020001b8cdc)
allocated by thread T0 here:
    #0 0x7f0734dfe7a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7f072dfccb7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f070fa6f44b in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:486
    #3 0x7f070fab964f in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7162
    #4 0x7f070fa6a3e6 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #5 0x7f070fa6ab33 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #6 0x7f07335bc337 in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #7 0x7f07335c4e48 in go_plugin_file_opener_open app/go-plugin-service.c:685
    #8 0x7f07335ca79c in go_file_opener_open app/file.c:417
    #9 0x7f07343a7096 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #10 0x7f07343a7427 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #11 0x406300 in convert gnumeric/gnumeric/src/ssconvert.c:715
    #12 0x40487a in main gnumeric/gnumeric/src/ssconvert.c:903
    #13 0x7f072d9d17ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1656 excel_read_FONT

-- Juha Kylmänen
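The trace above shows a one-byte read immediately past a 12-byte record buffer handed out by ms_biff_query_next: the FONT reader assumed the record was at least as long as the fields it expected. The following C reader for a FONT-style record is an added example, not Gnumeric's code and not its fix; it checks the record length before every field access and validates the embedded name length against the same bound. The field layout is a simplified BIFF FONT layout assumed for this example, and the sample records are constructed here, not taken from the fuzzed test file.

```c
/*
 * Added example (not Gnumeric's code): a length-checked reader for a
 * BIFF FONT-style record. The layout is a simplified BIFF FONT layout
 * assumed for this example:
 *   off 0  u16 height          off 8   u16 escapement
 *   off 2  u16 option flags    off 10  u8  underline
 *   off 4  u16 colour index    off 11  u8  family
 *   off 6  u16 weight          off 12  u8  charset
 *                              off 13  u8  reserved
 *   off 14 u8  name length, followed by that many 8-bit name chars
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FONT_FIXED_LEN 15u   /* bytes up to and including the name length */

typedef struct {
    uint16_t height, flags, colour, weight, escapement;
    uint8_t  underline, family, charset, name_len;
    char     name[256];     /* name_len is one byte, so 255 chars + NUL fit */
} font_rec;

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));   /* BIFF is little-endian */
}

/*
 * Returns 0 on success, -1 if the record is shorter than the fields it
 * is asked to supply. Every read of data[] is guarded by a check against
 * len, the record length taken from the BIFF record header, so a
 * truncated record fails cleanly instead of reading past the buffer.
 */
int parse_font_record(const uint8_t *data, size_t len, font_rec *out)
{
    if (data == NULL || out == NULL)
        return -1;
    if (len < FONT_FIXED_LEN)              /* a 12-byte record stops here */
        return -1;

    memset(out, 0, sizeof *out);
    out->height     = rd_u16(data + 0);
    out->flags      = rd_u16(data + 2);
    out->colour     = rd_u16(data + 4);
    out->weight     = rd_u16(data + 6);
    out->escapement = rd_u16(data + 8);
    out->underline  = data[10];
    out->family     = data[11];
    out->charset    = data[12];
    out->name_len   = data[14];

    /* The name length comes from the file too: check it against len. */
    if (len < FONT_FIXED_LEN + out->name_len)
        return -1;
    memcpy(out->name, data + FONT_FIXED_LEN, out->name_len);
    out->name[out->name_len] = '\0';
    return 0;
}

/* Constructed sample records for the self-test (not from the fuzzed file). */
static const uint8_t short_rec[12] = {
    0xC8, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00
};
static const uint8_t good_rec[] = {
    0xC8, 0x00,   /* height 200 (twips)   */
    0x00, 0x00,   /* option flags         */
    0xFF, 0x7F,   /* colour index 0x7FFF  */
    0x90, 0x01,   /* weight 400           */
    0x00, 0x00,   /* escapement           */
    0x00, 0x00, 0x00, 0x00,   /* underline, family, charset, reserved */
    5, 'A', 'r', 'i', 'a', 'l'
};

static font_rec parsed;

int demo_short_record(void)      /* 12 bytes < FONT_FIXED_LEN: rejected */
{
    return parse_font_record(short_rec, sizeof short_rec, &parsed);
}
int demo_truncated_name(void)    /* name_len says 5, only 3 bytes present */
{
    return parse_font_record(good_rec, sizeof good_rec - 2, &parsed);
}
int demo_good_record(void)       /* complete record: accepted */
{
    return parse_font_record(good_rec, sizeof good_rec, &parsed);
}

int main(void)
{
    printf("short record   -> %d\n", demo_short_record());
    printf("truncated name -> %d\n", demo_truncated_name());
    printf("good record    -> %d (%s, weight %u)\n", demo_good_record(),
           parsed.name, (unsigned)parsed.weight);
    return 0;
}
```

The same pattern generalises to every BIFF record type: the record length from the header is the only trustworthy bound, and each fixed field and each file-supplied sub-length is compared against it before the byte is touched. Running a reader like this under AddressSanitizer with a corpus of truncated records is the quickest way to confirm that no access escapes the allocation.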
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.