GNOME Bugzilla – Bug 750858
Out-of-bounds read in xlsx-read.c:3696 on a fuzzed xlsx file
Last modified: 2015-06-16 12:31:57 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_3283_12700.xlsx

$ ssconvert gnumeric_case_3283_12700.xlsx /tmp/out.gnumeric
==10668==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fad0514bc30 bp 0x7ffee104d710 sp 0x7ffee104d3a0 T0)
    #0 0x7fad0514bc2f in xlsx_wb_name_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3696:3
    #1 0x7fad26c23b81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #2 0x7fad25bed856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #3 0x7fad25bf9d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #4 0x7fad25bf4bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #5 0x7fad25bf9039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #6 0x7fad25bf4bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7fad25bf9039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7fad25c1d684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #9 0x7fad26c0ec63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #10 0x7fad0513ecd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #11 0x7fad0513d652 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5153:4
    #12 0x7fad277e2c80 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #13 0x7fad277f6804 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #14 0x7fad27804018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #15 0x7fad2918af2a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #16 0x7fad2918bb20 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #17 0x4e0f21 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #18 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #19 0x7fad21c1978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #20 0x437b98 in _start (apps/bin/ssconvert+0x437b98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/xlsx-read.c:3696 xlsx_wb_name_end

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.