Bug 751257 - Heap-buffer-overflow in xl-surface.c:161 on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
Reported: 2015-06-20 11:55 UTC by jutaky
Modified: 2015-06-21 06:53 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2015-06-20 11:55:10 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_006-xl-surface.c.161.xls

$ ssconvert gnumeric_case_006-xl-surface.c.161.xls /tmp/out.gnumeric

==19172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000075ec8 at pc 0x7fe09b532273 bp 0x7ffc04db2250 sp 0x7ffc04db2248
WRITE of size 8 at 0x603000075ec8 thread T0
    #0 0x7fe09b532272 in get_y_vector gnumeric/goffice/plugins/plot_surface/xl-surface.c:161:3
    #1 0x7fe09b52f4bd in xl_xyz_plot_axis_get_bounds gnumeric/goffice/plugins/plot_surface/xl-surface.c:184:9
    #2 0x7fe0c0abd208 in gog_plot_get_axis_bounds gnumeric/goffice/goffice/graph/gog-plot.c:855:10
    #3 0x7fe0c0981787 in gog_axis_update gnumeric/goffice/goffice/graph/gog-axis.c:2656:12
    #4 0x7fe0c0898e56 in gog_object_update gnumeric/goffice/goffice/graph/gog-object.c:1611:6
    #5 0x7fe0c0898a07 in gog_object_update gnumeric/goffice/goffice/graph/gog-object.c:1604:3
    #6 0x7fe0c0898a07 in gog_object_update gnumeric/goffice/goffice/graph/gog-object.c:1604:3
    #7 0x7fe0c08f420a in cb_graph_idle gnumeric/goffice/goffice/graph/gog-graph.c:849:2
    #8 0x7fe0bb59b939 in g_main_dispatch gnumeric/glib/glib/gmain.c:3122
    #9 0x7fe0bb59b939 in g_main_context_dispatch gnumeric/glib/glib/gmain.c:3737
    #10 0x7fe0bb59bcb7 in g_main_context_iterate.isra.29 gnumeric/glib/glib/gmain.c:3808
    #11 0x7fe0bb59bd5b in g_main_context_iteration gnumeric/glib/glib/gmain.c:3869
    #12 0x7fe0bdb4d130 in gtk_main_iteration_do (/usr/lib/libgtk-3.so.0+0x207130)
    #13 0x7fe0c0799f7d in go_io_progress_update gnumeric/goffice/goffice/app/io-context.c:312:4
    #14 0x7fe0c079e261 in go_io_value_progress_update gnumeric/goffice/goffice/app/io-context.c:410:2
    #15 0x7fe09bbc21f9 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6627:7
    #16 0x7fe09bb7589f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7093:4
    #17 0x7fe09bb70a55 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7199:4
    #18 0x7fe09bb03807 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #19 0x7fe09bb04e94 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #20 0x7fe0c075de30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #21 0x7fe0c07719b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #22 0x7fe0c077f1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #23 0x7fe0c210934a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #24 0x7fe0c2109f40 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #25 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #26 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #27 0x7fe0bab9678f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #28 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x603000075ec8 is located 0 bytes to the right of 24-byte region [0x603000075eb0,0x603000075ec8)
allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7fe0bb5a1391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7fe09b52f4bd in xl_xyz_plot_axis_get_bounds gnumeric/goffice/plugins/plot_surface/xl-surface.c:184:9
    #3 0x7fe0c0abd208 in gog_plot_get_axis_bounds gnumeric/goffice/goffice/graph/gog-plot.c:855:10
    #4 0x7fe0c0981787 in gog_axis_update gnumeric/goffice/goffice/graph/gog-axis.c:2656:12
    #5 0x7fe0c0898e56 in gog_object_update gnumeric/goffice/goffice/graph/gog-object.c:1611:6
    #6 0x7fe0c0898a07 in gog_object_update gnumeric/goffice/goffice/graph/gog-object.c:1604:3
    #7 0x7fe0c0898a07 in gog_object_update gnumeric/goffice/goffice/graph/gog-object.c:1604:3
    #8 0x7fe0c08f420a in cb_graph_idle gnumeric/goffice/goffice/graph/gog-graph.c:849:2
    #9 0x7fe0bb59b939 in g_main_dispatch gnumeric/glib/glib/gmain.c:3122
    #10 0x7fe0bb59b939 in g_main_context_dispatch gnumeric/glib/glib/gmain.c:3737

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/goffice/plugins/plot_surface/xl-surface.c:161 get_y_vector

--
Juha Kylmänen
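The AddressSanitizer report above carries everything needed for a first triage: the faulting access (an 8-byte WRITE in get_y_vector at xl-surface.c:161), the allocation site (xl_xyz_plot_axis_get_bounds at xl-surface.c:184, via g_malloc0) and the region geometry (24 bytes, access 0 bytes past its end). The Python script below is an added example, not part of the bug report or of the goffice/gnumeric code: it parses an embedded excerpt of that report, cross-checks ASan's "N bytes to the right" prose against the addresses, and works out which element of the buffer was hit if the access width is taken as the element size. The `ALLOCATOR_WRAPPERS` set and the classification labels are my own choices; the parser targets heap-buffer-overflow reports, not the other ASan error kinds.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the AddressSanitizer report quoted in the bug above, embedded so
# the script runs offline; only the lines the parser needs were kept.
ASAN_REPORT = """\
==19172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000075ec8 at pc 0x7fe09b532273 bp 0x7ffc04db2250 sp 0x7ffc04db2248
WRITE of size 8 at 0x603000075ec8 thread T0
    #0 0x7fe09b532272 in get_y_vector gnumeric/goffice/plugins/plot_surface/xl-surface.c:161:3
    #1 0x7fe09b52f4bd in xl_xyz_plot_axis_get_bounds gnumeric/goffice/plugins/plot_surface/xl-surface.c:184:9
    #2 0x7fe0c0abd208 in gog_plot_get_axis_bounds gnumeric/goffice/goffice/graph/gog-plot.c:855:10

0x603000075ec8 is located 0 bytes to the right of 24-byte region [0x603000075eb0,0x603000075ec8)
allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7fe0bb5a1391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7fe09b52f4bd in xl_xyz_plot_axis_get_bounds gnumeric/goffice/plugins/plot_surface/xl-surface.c:184:9

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/goffice/plugins/plot_surface/xl-surface.c:161 get_y_vector
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
# Allocator entry points and thin wrappers to skip when looking for the application
# frame that requested the buffer (my own list; extend it for other code bases).
ALLOCATOR_WRAPPERS = {"malloc", "calloc", "realloc", "g_malloc", "g_malloc0", "g_malloc_n", "g_realloc"}

Frame = Tuple[str, str]  # (function, file:line:col or module+offset)


@dataclass
class AsanTriage:
    kind: str
    op: str
    size: int
    addr: int
    fault_func: str
    fault_loc: str
    alloc_func: Optional[str] = None
    alloc_loc: Optional[str] = None
    region_size: int = 0
    element_index: Optional[int] = None
    region_elements: Optional[int] = None
    distance_consistent: bool = False
    classification: str = "unclassified"


def first_user_frame(frames: List[Frame]) -> Frame:
    """Return the first frame that is not an allocator wrapper."""
    for func, loc in frames:
        if func not in ALLOCATOR_WRAPPERS:
            return func, loc
    return frames[0] if frames else ("?", "?")


def triage_asan_report(text: str) -> AsanTriage:
    kind = op = None
    size = addr = 0
    access_frames: List[Frame] = []
    alloc_frames: List[Frame] = []
    region = None
    section: Optional[List[Frame]] = None  # stack currently being collected
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            kind, addr = m["kind"], int(m["addr"], 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            op, size = m["op"], int(m["size"])
            section = access_frames
            continue
        if "allocated by" in line:
            section = alloc_frames
            continue
        m = REGION_RE.search(line)
        if m:
            region = m
            continue
        m = FRAME_RE.match(line)
        if m and section is not None:
            section.append((m["func"], m["loc"]))
            continue
        if not line.strip():
            section = None  # a blank line ends the current stack
    if kind is None or op is None or not access_frames:
        raise ValueError("not an AddressSanitizer access report")

    result = AsanTriage(kind, op, size, addr, *access_frames[0])
    if alloc_frames:
        result.alloc_func, result.alloc_loc = first_user_frame(alloc_frames)
    if region is not None:
        lo, hi = int(region["lo"], 16), int(region["hi"], 16)
        result.region_size = int(region["rsize"])
        # Cross-check ASan's prose ("N bytes to the right/left") against the addresses.
        expected = addr - hi if region["side"] == "right" else lo - addr
        result.distance_consistent = expected == int(region["dist"])
        # Treat the access width as the element size: which element was touched,
        # and how many elements does the region actually hold?
        if size and (addr - lo) % size == 0 and result.region_size % size == 0:
            idx, n = (addr - lo) // size, result.region_size // size
            result.element_index, result.region_elements = idx, n
            if idx == n:
                result.classification = "off-by-one past end"
            elif idx > n:
                result.classification = "out-of-bounds index %d of %d" % (idx, n)
            elif idx < 0:
                result.classification = "underflow before start"
            else:
                result.classification = "inside region"
    return result


if __name__ == "__main__":
    t = triage_asan_report(ASAN_REPORT)
    print(f"{t.kind}: {t.op} of {t.size} bytes in {t.fault_func} ({t.fault_loc})")
    print(f"{t.region_size}-byte buffer from {t.alloc_func} ({t.alloc_loc}); "
          f"element {t.element_index} of {t.region_elements}: {t.classification}")
```

For this report the script classifies the write as "off-by-one past end": a 24-byte region holds three 8-byte values and the write lands on index 3. That is the detail a maintainer wants before opening the source, because it narrows the comparison to the size computed for the allocation at xl-surface.c:184 and the loop bound used for the write at line 161.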
Comment 1 Jean Bréfort 2015-06-21 06:53:21 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.