GNOME Bugzilla – Bug 751126
Segfault in xml-sax-read.c:2396 on a fuzzed .gnumeric file
Last modified: 2015-06-18 14:47:04 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_xml-sax-read.c.2396.gnumeric

$ ssconvert gnumeric_case_xml-sax-read.c.2396.gnumeric /tmp/out.gnumeric
==29004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x7f09a02212d6 bp 0x7ffffd7ec0f0 sp 0x7ffffd7eb878 T0)
    #0 0x7f09a02212d5 in __memmove_ssse3_back (/usr/lib/libc.so.6+0x1392d5)
    #1 0x4a8085 in __asan_memcpy (apps/bin/ssconvert+0x4a8085)
    #2 0x7f09a77b3f10 in xml_sax_read_obj gnumeric/gnumeric/src/xml-sax-read.c:2396:2
    #3 0x7f09a77bd432 in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3253:4
    #4 0x7f09a5111edb in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812:14
    #5 0x7f09a40d9b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #6 0x7f09a40e571f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #7 0x7f09a40e3bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f09a40e8039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f09a40e3bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f09a40e8039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f09a40e3bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7f09a40e8039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7f09a40e3bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #14 0x7f09a40e8039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #15 0x7f09a410c684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #16 0x7f09a50fdc63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #17 0x7f09a777380a in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3406:7
    #18 0x7f09a7779570 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3535:7
    #19 0x7f09a5d05cd4 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #20 0x7f09a5cf3018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #21 0x7f09a767a00a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #22 0x7f09a767ac00 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #23 0x4e0dc1 in convert gnumeric/gnumeric/src/ssconvert.c:719:9
    #24 0x4dec1e in main gnumeric/gnumeric/src/ssconvert.c:910:9
    #25 0x7f09a010878f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #26 0x437ae8 in _start (apps/bin/ssconvert+0x437ae8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 __memmove_ssse3_back

-- Juha Kylmänen
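The report above is a typical fuzzing crash: the SUMMARY line blames __memmove_ssse3_back in libc, which says nothing about where the bad pointer came from, while the fault address 0x14 (a small offset from zero) is the classic shape of a NULL base pointer plus a field offset. The script below is an added triage example, written for this page and not part of the bug report or of Gnumeric, libgsf or libxml2. It parses an excerpt of the AddressSanitizer output quoted above, skips the libc and ASan-interceptor frames that carry no source location, reports the first frame inside the project's own sources (the prefix "gnumeric/gnumeric/src/" and the first-page near-null threshold are assumptions of the script), and builds a crash signature from the top in-source functions, which is how fuzzing harnesses bucket duplicate crashes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the AddressSanitizer output from the bug report above (frames #6 onward omitted).
ASAN_REPORT = """\
==29004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x7f09a02212d6 bp 0x7ffffd7ec0f0 sp 0x7ffffd7eb878 T0)
    #0 0x7f09a02212d5 in __memmove_ssse3_back (/usr/lib/libc.so.6+0x1392d5)
    #1 0x4a8085 in __asan_memcpy (apps/bin/ssconvert+0x4a8085)
    #2 0x7f09a77b3f10 in xml_sax_read_obj gnumeric/gnumeric/src/xml-sax-read.c:2396:2
    #3 0x7f09a77bd432 in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3253:4
    #4 0x7f09a5111edb in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812:14
    #5 0x7f09a40d9b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 __memmove_ssse3_back
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
# file:line[:column]; the file part excludes ':' so the line number is not mis-split.
SOURCE_RE = re.compile(r"^([^\s(:]+):(\d+)(?::\d+)?$")

# First page of the address space. A fault there almost always means a NULL base pointer
# plus a small struct-field offset (heuristic threshold; an assumption of this script).
NEAR_NULL_LIMIT = 0x1000


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]   # None for frames that only carry binary+offset (libc, ASan runtime)
    line: Optional[int]


@dataclass
class CrashSummary:
    kind: str                          # e.g. "SEGV", "heap-buffer-overflow"
    address: int                       # faulting address from the header line
    near_null: bool                    # address < NEAR_NULL_LIMIT
    top_project_frame: Optional[Frame] # first frame whose source file is inside the project
    signature: str                     # top in-source functions joined with '|', for bucketing


def parse_frames(report: str) -> List[Frame]:
    """Turn the '#N 0x... in func location' lines into Frame objects."""
    frames: List[Frame] = []
    for raw in report.splitlines():
        m = FRAME_RE.search(raw)
        if not m:
            continue
        idx, func, loc = int(m.group(1)), m.group(2), m.group(3)
        src = SOURCE_RE.match(loc)
        if src:
            frames.append(Frame(idx, func, src.group(1), int(src.group(2))))
        else:
            frames.append(Frame(idx, func, None, None))
    return frames


def triage(report: str, project_prefix: str, sig_depth: int = 3) -> CrashSummary:
    """Summarise one ASan report: fault kind/address, first project frame, dedup signature."""
    h = HEADER_RE.search(report)
    if not h:
        raise ValueError("not an AddressSanitizer error report")
    kind, address = h.group(1), int(h.group(2), 16)
    frames = parse_frames(report)
    # Skip libc / interceptor frames (no source location): SUMMARY blames
    # __memmove_ssse3_back, which is useless for bucketing. The first frame with a
    # source file inside the project is the one a developer actually needs.
    top = next((f for f in frames if f.file and f.file.startswith(project_prefix)), None)
    in_source = [f.function for f in frames if f.file][:sig_depth]
    return CrashSummary(kind, address, address < NEAR_NULL_LIMIT, top, "|".join(in_source))


if __name__ == "__main__":
    s = triage(ASAN_REPORT, "gnumeric/gnumeric/src/")
    print(f"{s.kind} at {s.address:#x} (near-null: {s.near_null})")
    if s.top_project_frame:
        f = s.top_project_frame
        print(f"project frame: {f.function} at {f.file}:{f.line}")
    print("signature:", s.signature)
```

Run stand-alone it reports the SEGV at 0x14 as near-null, names xml_sax_read_obj at xml-sax-read.c:2396 as the project frame, and produces the signature xml_sax_read_obj|xml_sax_unknown|gsf_xml_in_start_element. Bucketing on the top few in-source frames rather than on the faulting PC is what keeps a fuzzing campaign from filing the same memcpy crash dozens of times under different libc addresses.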
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.

If it wasn't for the fact that you found this with fuzzing, I would have bet good money against fuzzing finding this particular bug. The odds must have been really low.