GNOME Bugzilla – Bug 751217
Heap-buffer overread in xml-sax-read.c:439 on a fuzzed .gnumeric file
Last modified: 2015-06-29 15:45:35 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_xml-sax-read.c.439.gnumeric

$ ssconvert gnumeric_case_xml-sax-read.c.439.gnumeric /tmp/out.gnumeric
==5115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000054e70 at pc 0x7f0acd670982 bp 0x7ffeb1e5ddd0 sp 0x7ffeb1e5ddc8
READ of size 8 at 0x607000054e70 thread T0
    #0 0x7f0acd670981 in gnm_xml_finish_obj gnumeric/gnumeric/src/xml-sax-read.c:439:27
    #1 0x7f0acafd2054 in gsf_xml_in_ext_free gnumeric/libgsf/gsf/gsf-libxml.c:840:4
    #2 0x7f0acafd0e0d in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:910:4
    #3 0x7f0ac9f99856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #4 0x7f0ac9fa5d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #5 0x7f0ac9fa0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #6 0x7f0ac9fa5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #7 0x7f0ac9fa0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f0ac9fa5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f0ac9fa0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f0ac9fa5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f0ac9fa0bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7f0ac9fa5039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7f0ac9fc9684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #14 0x7f0acafbaaa3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #15 0x7f0acd631b4a in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3409:7
    #16 0x7f0acd6378b0 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3538:7
    #17 0x7f0acbbc0e84 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #18 0x7f0acbbae1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #19 0x7f0acd53834a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #20 0x7f0acd538f40 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #21 0x4e0dc1 in convert gnumeric/gnumeric/src/ssconvert.c:719:9
    #22 0x4dec1e in main gnumeric/gnumeric/src/ssconvert.c:910:9
    #23 0x7f0ac5fc578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #24 0x437ae8 in _start (apps/bin/ssconvert+0x437ae8)

0x607000054e70 is located 8 bytes to the right of 72-byte region [0x607000054e20,0x607000054e68)
allocated by thread T0 here:
    #0 0x4bec2b in calloc (apps/bin/ssconvert+0x4bec2b)
    #1 0x7f0ac69d0391 in g_malloc0 gnumeric/glib/glib/gmem.c:127

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/xml-sax-read.c:439 gnm_xml_finish_obj

-- Juha Kylmänen
This one is quite serious. I'm getting a crash when running standalone or inside valgrind. Somehow the xin->state pushed in gog_object_sax_push_parser() is destroyed but not popped. Looks like a Gsf bug then.
Created attachment 305891
Proposed patch

OK, definitely a gnumeric bug. gnm_xml_finish_object() might be called with a wrong state if the object parser changes the user state. Please review this patch.
Probably ok. Note the similarities to bug 748595 and commit ea41a40ed55fb5af5e499d058c99e1599ab5896f
Review of attachment 305891: patch applied
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
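The mechanism described in the two comments above (a sub-parser that swaps the user state pointer, and an outer finish handler that then casts whatever pointer is current) modelled as a self-contained C example. This is added illustration, not libgsf's, goffice's or gnumeric's code and not the patch in attachment 305891: the Parser/Frame stack, the ObjState and GraphState layouts, the 72-byte-versus-larger-struct size difference and the magic-tag check are all constructed for the example. It contrasts the reported flow (state replaced but never popped, so the outer handler is handed the inner parser's object) with a symmetric push/pop that hands each end handler the state recorded for its own frame. The tag check is a defence-in-depth suggestion of mine, not part of the fix: it turns a bad cast into a reported error instead of an out-of-bounds read.

```c
#include <string.h>

#define MAX_DEPTH   8
#define OBJ_MAGIC   0x4f424a31u   /* tag for the outer <Object> state (constructed) */
#define GRAPH_MAGIC 0x47524148u   /* tag for the nested graph sub-parser state (constructed) */

/* Every state struct starts with a tag so an end handler can verify what it
 * was handed before casting.  Layouts are made up for this example. */
typedef struct { unsigned magic; } StateHdr;
typedef struct { StateHdr hdr; int finished; char name[64]; } ObjState;
typedef struct { StateHdr hdr; int elements_seen; } GraphState;

typedef struct Parser Parser;
typedef int (*end_fn)(Parser *p, void *state);
typedef struct { void *state; end_fn on_end; } Frame;

struct Parser {
    Frame stack[MAX_DEPTH];
    int   depth;
    void *user_state;   /* the mutable "current" pointer every callback sees */
    int   mismatches;   /* wrong-state casts caught instead of dereferenced */
};

Parser parser;          /* single parser instance used by the two flows below */

static int has_tag(const void *state, unsigned magic)
{
    return state != NULL && ((const StateHdr *)state)->magic == magic;
}

static int parser_push(Parser *p, void *state, end_fn on_end)
{
    if (p->depth >= MAX_DEPTH) return -1;
    p->stack[p->depth].state  = state;
    p->stack[p->depth].on_end = on_end;
    p->depth++;
    p->user_state = state;
    return 0;
}

/* Symmetric pop: the end handler gets the state recorded at push time, and
 * user_state is restored to the enclosing frame before it runs. */
static int parser_pop(Parser *p)
{
    Frame f;
    if (p->depth == 0) return -1;
    f = p->stack[--p->depth];
    p->user_state = p->depth ? p->stack[p->depth - 1].state : NULL;
    return f.on_end ? f.on_end(p, f.state) : 0;
}

/* Outer finish handler.  A stale or foreign pointer is reported, not read as
 * an ObjState (in the report the read ran 8 bytes past a 72-byte object). */
static int obj_finish(Parser *p, void *state)
{
    if (!has_tag(state, OBJ_MAGIC)) { p->mismatches++; return -1; }
    ((ObjState *)state)->finished = 1;
    return 0;
}

static int graph_finish(Parser *p, void *state)
{
    (void)p;
    if (!has_tag(state, GRAPH_MAGIC)) return -1;
    ((GraphState *)state)->elements_seen++;
    return 0;
}

/* The reported flow: the sub-parser swaps in its own user_state and finishes
 * without popping, so the outer handler runs against the graph state.  The
 * real object was also freed; it is kept alive here so the tag check can
 * catch the mismatch.  Returns the outer handler's result (-1: caught). */
int run_buggy_flow(void)
{
    ObjState   obj   = { { OBJ_MAGIC }, 0, "graph1" };
    GraphState graph = { { GRAPH_MAGIC }, 0 };
    memset(&parser, 0, sizeof parser);
    parser_push(&parser, &obj, obj_finish);
    parser.user_state = &graph;                 /* pushed ... */
    graph_finish(&parser, parser.user_state);   /* ... destroyed, not popped */
    return obj_finish(&parser, parser.user_state);
}

/* Corrected flow: the sub-parser goes through push/pop, so each handler is
 * handed the state of its own frame.  Returns 0 when obj was finished. */
int run_fixed_flow(void)
{
    ObjState   obj   = { { OBJ_MAGIC }, 0, "graph1" };
    GraphState graph = { { GRAPH_MAGIC }, 0 };
    memset(&parser, 0, sizeof parser);
    parser_push(&parser, &obj, obj_finish);
    parser_push(&parser, &graph, graph_finish);
    if (parser_pop(&parser) != 0) return -1;    /* graph frame */
    if (parser_pop(&parser) != 0) return -1;    /* object frame */
    return obj.finished && graph.elements_seen == 1 ? 0 : -1;
}
```

In the buggy flow the object frame is never popped, so the parser is left one level deep and the outer handler is handed a GraphState; with the tag check that is one counted mismatch and an error return, whereas an unchecked cast would read ObjState fields past the end of the smaller object, which is the overread the sanitizer trace shows. In the fixed flow both frames unwind and user_state ends up NULL.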
This case still leaks a bit:

$ ssconvert gnumeric_case_xml-sax-read.c.439.gnumeric /tmp/out.gnumeric
==30863==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7f491d622391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7f4923fa7602 in gnm_sog_prep_sax_parser gnumeric/gnumeric/src/sheet-object-graph.c:438:3
    #3 0x7f49242c41f4 in xml_sax_read_obj gnumeric/gnumeric/src/xml-sax-read.c:2429:4
    #4 0x7f49242cc3d2 in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3257:4
    #5 0x7f4921c20ccb in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812:14
    #6 0x7f4920be8d80 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #7 0x7f4920bf493f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #8 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #13 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #14 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #15 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #16 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #17 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #18 0x7f4920c1b8a4 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10857:2
    #19 0x7f4921c0ca53 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #20 0x7f492428267a in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3410:7
    #21 0x7f49242883e0 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3539:7
    #22 0x7f4922810e84 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #23 0x7f49227fe1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #24 0x7f4924188e7a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #25 0x7f4924189a70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #26 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #27 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #28 0x7f491cc1778f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4bec22 in __interceptor_malloc (apps/bin/ssconvert+0x4bec22)
    #1 0x7f491d622339 in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f492293ac43 in gog_object_sax_push_parser gnumeric/goffice/goffice/graph/gog-object-xml.c:541:2
    #3 0x7f4923fa7602 in gnm_sog_prep_sax_parser gnumeric/gnumeric/src/sheet-object-graph.c:438:3
    #4 0x7f49242c41f4 in xml_sax_read_obj gnumeric/gnumeric/src/xml-sax-read.c:2429:4
    #5 0x7f49242cc3d2 in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3257:4
    #6 0x7f4921c20ccb in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812:14
    #7 0x7f4920be8d80 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #8 0x7f4920bf493f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #9 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #14 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #15 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #16 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #17 0x7f4920bf2df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #18 0x7f4920bf7259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #19 0x7f4920c1b8a4 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10857:2
    #20 0x7f4921c0ca53 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #21 0x7f492428267a in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3410:7
    #22 0x7f49242883e0 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3539:7
    #23 0x7f4922810e84 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #24 0x7f49227fe1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #25 0x7f4924188e7a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #26 0x7f4924189a70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #27 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #28 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #29 0x7f491cc1778f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: 104 byte(s) leaked in 2 allocation(s).
I don't think we care about such a leak unless it's big or otherwise causes further trouble.