GNOME Bugzilla – Bug 750864
Use-after-free in mstyle.c:2229 on a fuzzed xlsx file
Last modified: 2015-06-12 18:26:11 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_3637_3264.xlsx

$ ssconvert gnumeric_case_3637_3264.xlsx /tmp/out.gnumeric
==27442==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000066e20 at pc 0x7f664dbf268c bp 0x7ffc6577a4d0 sp 0x7ffc6577a4c8
READ of size 4 at 0x603000066e20 thread T0
    #0 0x7f664dbf268b in gnm_style_dump_border gnumeric/gnumeric/src/mstyle.c:2229:23
    #1 0x7f664dbefeb3 in gnm_style_dump gnumeric/gnumeric/src/mstyle.c:2247:4
    #2 0x7f664dbf298d in cb_gnm_style_pool_leak gnumeric/gnumeric/src/mstyle.c:2334:2
    #3 0x7f66475f3abc in g_slist_foreach gnumeric/glib/glib/gslist.c:878
    #4 0x7f664cee8e47 in go_mem_chunk_foreach_leak gnumeric/goffice/goffice/utils/go-glib-extras.c:722:2
    #5 0x7f664dbf276a in gnm_style_shutdown gnumeric/gnumeric/src/mstyle.c:2342:2
    #6 0x7f664daba16a in gnm_shutdown gnumeric/gnumeric/src/libgnumeric.c:396:2
    #7 0x4dee28 in main gnumeric/gnumeric/src/ssconvert.c:913:2
    #8 0x7f6646bd078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #9 0x437b98 in _start (apps/bin/ssconvert+0x437b98)

ASAN:SIGSEGV
==27442==AddressSanitizer: while reporting a bug found another one. Ignoring.

-- Juha Kylmänen
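The trace above is a shutdown-time leak report (gnm_style_shutdown -> go_mem_chunk_foreach_leak -> cb_gnm_style_pool_leak -> gnm_style_dump_border) reading a 4-byte field of a border object that has already been freed. The page does not state the root cause. The C program below is an added illustration, not gnumeric's code, of one way such a trace arises: a style that was leaked (never unreffed) still points at a border whose pool was torn down before the style leak report ran, so the report dereferences freed memory. Every name in it (Border, Style, Pool, style_pool_report_leaks, the two scenario functions) is hypothetical. The walker shown checks the border pointer against the pool of live borders before dereferencing it and counts dangling references instead of crashing, and the two scenarios contrast the wrong and the right shutdown order.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: two ref-counted object types, each tracked by its own
 * pool, plus a shutdown-time leak walker. Not gnumeric's real structures. */
typedef struct { int ref_count; int line_type; } Border;
typedef struct { int ref_count; Border *border; } Style;

#define POOL_MAX 64
typedef struct { void *items[POOL_MAX]; int n; } Pool;

static Pool border_pool, style_pool;

static void pool_add(Pool *p, void *item) {
    if (p->n < POOL_MAX) p->items[p->n++] = item;
}

/* Address comparison only: a stale pointer is never dereferenced here. */
static int pool_contains(const Pool *p, const void *item) {
    for (int i = 0; i < p->n; i++)
        if ((uintptr_t)p->items[i] == (uintptr_t)item) return 1;
    return 0;
}

static void pool_remove(Pool *p, void *item) {
    for (int i = 0; i < p->n; i++)
        if (p->items[i] == item) { p->items[i] = p->items[--p->n]; return; }
}

/* Tear a pool down: free whatever is left without looking inside it. */
static void pool_shutdown(Pool *p) {
    for (int i = 0; i < p->n; i++) free(p->items[i]);
    p->n = 0;
}

static void pools_reset(void) {
    pool_shutdown(&border_pool);
    pool_shutdown(&style_pool);
}

Border *border_new(int line_type) {
    Border *b = malloc(sizeof *b);
    b->ref_count = 1; b->line_type = line_type;
    pool_add(&border_pool, b);
    return b;
}

void border_unref(Border *b) {
    if (--b->ref_count == 0) { pool_remove(&border_pool, b); free(b); }
}

/* A style holds its own reference on the border it points at. */
Style *style_new(Border *b) {
    Style *s = malloc(sizeof *s);
    s->ref_count = 1; s->border = b; b->ref_count++;
    pool_add(&style_pool, s);
    return s;
}

void style_unref(Style *s) {
    if (--s->ref_count == 0) {
        border_unref(s->border);
        pool_remove(&style_pool, s);
        free(s);
    }
}

/* Leak report over the style pool. A naive walker prints s->border->line_type
 * for every leaked style; if the border pool was already torn down that read
 * is a heap-use-after-free. This one dereferences a border only while it is
 * still in the live pool. Returns the leaked-style count; *dangling receives
 * the number of leaked styles whose border is already gone. */
int style_pool_report_leaks(int *dangling) {
    *dangling = 0;
    for (int i = 0; i < style_pool.n; i++) {
        Style *s = style_pool.items[i];
        if (pool_contains(&border_pool, s->border))
            printf("leaked style %p: border line_type=%d\n",
                   (void *)s, s->border->line_type);
        else {
            printf("leaked style %p: border %p already freed\n",
                   (void *)s, (void *)s->border);
            (*dangling)++;
        }
    }
    return style_pool.n;
}

/* One style is leaked and the border pool is torn down before the style leak
 * report: the leaked style now points at freed memory. Returns dangling count. */
int scenario_borders_freed_before_report(void) {
    int dangling;
    pools_reset();
    Border *b = border_new(1);
    Style *s = style_new(b);
    border_unref(b);               /* the style holds the only reference now */
    (void)s;                       /* never unreffed: this is the leak */
    pool_shutdown(&border_pool);   /* frees b while s->border still points at it */
    style_pool_report_leaks(&dangling);
    pools_reset();
    return dangling;
}

/* Same leak, but leaks are reported before any pool is torn down. */
int scenario_report_before_shutdown(void) {
    int dangling;
    pools_reset();
    Border *b = border_new(1);
    Style *s = style_new(b);
    border_unref(b);
    (void)s;
    style_pool_report_leaks(&dangling);
    pools_reset();
    return dangling;
}

int main(void) {
    printf("borders freed first: %d dangling\n", scenario_borders_freed_before_report());
    printf("report first:        %d dangling\n", scenario_report_before_shutdown());
    return 0;
}
```

Under AddressSanitizer the naive form of the walker (dereferencing s->border unconditionally) would fault in the first scenario exactly where the trace faults, inside the border dump; the ordering fix is to run every pool's leak report before any pool is torn down, and the defensive check keeps the report itself from being the thing that crashes.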
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.