GNOME Bugzilla – Bug 751259
Use-after-free in openoffice-read.c:3340 on a fuzzed ods file
Last modified: 2015-06-24 16:59:30 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-openoffice-read.c.3340.ods

$ ssconvert gnumeric_case_001-openoffice-read.c.3340.ods /tmp/out.gnumeric
==28091==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000324d0 at pc 0x7fdaad9d4de7 bp 0x7ffd693cc370 sp 0x7ffd693cc368
READ of size 4 at 0x6040000324d0 thread T0
    #0 0x7fdaad9d4de6 in odf_oo_cell_style_unref gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:3340:26
    #1 0x7fdacd105abc in g_slist_foreach gnumeric/glib/glib/gslist.c:878
    #2 0x7fdacd105ada in g_slist_free_full gnumeric/glib/glib/gslist.c:172
    #3 0x7fdaad9d4ec9 in odf_oo_cell_style_unref gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:3342:3
    #4 0x7fdacd0d6519 in g_hash_table_remove_all_nodes.part.0 gnumeric/glib/glib/ghash.c:548
    #5 0x7fdacd0d7462 in g_hash_table_remove_all_nodes gnumeric/glib/glib/ghash.c:1425
    #6 0x7fdacd0d7462 in g_hash_table_remove_all gnumeric/glib/glib/ghash.c:1428
    #7 0x7fdacd0d749d in g_hash_table_destroy gnumeric/glib/glib/ghash.c:1122
    #8 0x7fdaad9d2ec4 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13713:2
    #9 0x7fdad22a9e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #10 0x7fdad22bd9b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #11 0x7fdad22cb1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #12 0x7fdad3c5534a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #13 0x7fdad3c55f40 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #14 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #15 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #16 0x7fdacc6e278f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #17 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x6040000324d0 is located 0 bytes inside of 40-byte region [0x6040000324d0,0x6040000324f8)
freed by thread T0 here:
    #0 0x4be942 in __interceptor_free (apps/bin/ssconvert+0x4be942)
    #1 0x7fdaad9d4fc5 in odf_oo_cell_style_unref gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:3345:3
    #2 0x7fdacd0d6519 in g_hash_table_remove_all_nodes.part.0 gnumeric/glib/glib/ghash.c:548

previously allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7fdacd0ed391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7fdaada7ffff in odf_oo_cell_style_copy gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:3330:21
    #3 0x7fdaad9f5aff in oo_style gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:4645:29
    #4 0x7fdad16d7395 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #5 0x7fdad16f021d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #6 0x7fdad16eb240 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #7 0x7fdad06b3b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #8 0x7fdad06bf71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #9 0x7fdad06bdbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7fdad06c2039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7fdad06bdbd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7fdad06c2039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7fdad06e6684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #14 0x7fdad16d7aa3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #15 0x7fdaad9d2085 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13627:3
    #16 0x7fdad22a9e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #17 0x7fdad22bd9b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #18 0x7fdad22cb1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #19 0x7fdad3c5534a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #20 0x7fdad3c55f40 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #21 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #22 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #23 0x7fdacc6e278f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:3340 odf_oo_cell_style_unref

-- Juha Kylmänen
Looking at the code, I can't find the issue. According to the above we allocated the code in odf_oo_cell_style_copy. Then we apparently call odf_oo_cell_style_unref on it twice. I suspect that this has to do with a conditional formatting style.
If it makes any difference, here is Valgrind's opinion for the testcase:

==23773== Invalid read of size 4
==23773==    at 0x18FC0DCC: odf_oo_cell_style_unref (openoffice-read.c:3340)
==23773==    by 0x96FCABC: g_slist_foreach (gslist.c:878)
==23773==    by 0x96FCADA: g_slist_free_full (gslist.c:172)
==23773==    by 0x18FC0DFF: odf_oo_cell_style_unref (openoffice-read.c:3342)
==23773==    by 0x96CD519: g_hash_table_remove_all_nodes.part.0 (ghash.c:548)
==23773==    by 0x96CE462: g_hash_table_remove_all_nodes (ghash.c:1425)
==23773==    by 0x96CE462: g_hash_table_remove_all (ghash.c:1428)
==23773==    by 0x96CE49D: g_hash_table_destroy (ghash.c:1122)
==23773==    by 0x18FC056B: openoffice_file_open (openoffice-read.c:13713)
==23773==    by 0x55DAABA: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:282)
==23773==    by 0x55DFEC7: go_plugin_file_opener_open (go-plugin-service.c:685)
==23773==    by 0x55E36B6: go_file_opener_open (file.c:417)
==23773==    by 0x50B7ADD: workbook_view_new_from_input (workbook-view.c:1278)
==23773==  Address 0x1890eab0 is 0 bytes inside a block of size 40 free'd
==23773==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23773==    by 0x18FC0E26: odf_oo_cell_style_unref (openoffice-read.c:3345)
==23773==    by 0x96CD519: g_hash_table_remove_all_nodes.part.0 (ghash.c:548)
==23773==    by 0x96CE462: g_hash_table_remove_all_nodes (ghash.c:1425)
==23773==    by 0x96CE462: g_hash_table_remove_all (ghash.c:1428)
==23773==    by 0x96CE49D: g_hash_table_destroy (ghash.c:1122)
==23773==    by 0x18FC056B: openoffice_file_open (openoffice-read.c:13713)
==23773==    by 0x55DAABA: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:282)
==23773==    by 0x55DFEC7: go_plugin_file_opener_open (go-plugin-service.c:685)
==23773==    by 0x55E36B6: go_file_opener_open (file.c:417)
==23773==    by 0x50B7ADD: workbook_view_new_from_input (workbook-view.c:1278)
==23773==    by 0x50B7D2B: workbook_view_new_from_uri (workbook-view.c:1337)
==23773==    by 0x40490B: convert (ssconvert.c:721)
==23773==
==23773==
==23773== Process terminating with default action of signal 11 (SIGSEGV)
==23773==  General Protection Fault
==23773==    at 0x99E0083: __lll_unlock_elision (in /usr/lib/libpthread-2.21.so)
==23773==    by 0xE81E26B: ??? (in /usr/lib/nvidia/libEGL.so.352.09)
==23773==    by 0xE7AEA21: ??? (in /usr/lib/nvidia/libEGL.so.352.09)
==23773==    by 0xE832EA0: ??? (in /usr/lib/nvidia/libEGL.so.352.09)
==23773==    by 0x9F24E77: __run_exit_handlers (in /usr/lib/libc-2.21.so)
==23773==    by 0x9F24EC4: exit (in /usr/lib/libc-2.21.so)
==23773==    by 0x9F0F796: (below main) (in /usr/lib/libc-2.21.so)
What is the type of OOCellStyle::styles supposed to be? odf_oo_cell_style_unref seems to imply that it is a list of OOCellStyle. odf_oo_cell_style_copy seems to imply that it is a list of GnmStyle.
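As an added illustration (constructed for this page, not gnumeric's code), the following models the ownership pattern the two comments above reason about: a refcounted style whose copy shares a child list, where a copy that takes no reference on the shared children leaves one reference for two holders, so the second unref touches freed memory. The `Style`, `style_copy_shallow`, `style_copy` and `holders_match_refcount` names are hypothetical; the last one is the invariant check a reviewer would want, and it reports the mismatch before any free happens.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not gnumeric's code: a refcounted style owning a list of
 * child styles, the pattern the comments above are reasoning about. */
typedef struct Style {
    int ref_count;
    struct Style *children[4];  /* fixed-size stand-in for a GSList of styles */
    int n_children;
} Style;
static int live_objects = 0;  /* bumped on allocation, dropped on free */
static Style *style_new(void) {
    Style *s = calloc(1, sizeof *s);
    s->ref_count = 1;
    live_objects++;
    return s;
}
static Style *style_ref(Style *s) { s->ref_count++; return s; }
static void style_unref(Style *s) {
    if (--s->ref_count > 0) return;
    for (int i = 0; i < s->n_children; i++) style_unref(s->children[i]);
    live_objects--;
    free(s);
}
/* Buggy shallow copy: shares the children but takes no reference on them,
 * so two owners each believe they hold the only reference. */
static Style *style_copy_shallow(const Style *src) {
    Style *dst = style_new();
    memcpy(dst->children, src->children, sizeof dst->children);
    dst->n_children = src->n_children;
    return dst;
}
/* Correct copy: every shared child gets one extra reference per new owner. */
static Style *style_copy(const Style *src) {
    Style *dst = style_new();
    for (int i = 0; i < src->n_children; i++)
        dst->children[i] = style_ref(src->children[i]);
    dst->n_children = src->n_children;
    return dst;
}
/* Invariant check: a child's ref_count must equal the number of parents that
 * hold it. Returns 1 when it holds, 0 when a double unref is pending. */
static int holders_match_refcount(Style *const *parents, int n, const Style *child) {
    int holders = 0;
    for (int p = 0; p < n; p++)
        for (int i = 0; i < parents[p]->n_children; i++)
            if (parents[p]->children[i] == child) holders++;
    return holders == child->ref_count;
}
```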
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.