GNOME Bugzilla – Bug 751501
Use-after-free in openoffice-read.c:9808 on a fuzzed ods file
Last modified: 2015-06-28 03:05:33 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-openoffice-read.c.9808.ods

$ ssconvert gnumeric_case_002-openoffice-read.c.9808.ods /tmp/out.gnumeric
==12480==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400004a3d4 at pc 0x7ff9fe0c8e11 bp 0x7ffd01b95350 sp 0x7ffd01b95348
READ of size 4 at 0x60400004a3d4 thread T0
    #0 0x7ff9fe0c8e10 in oo_chart gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9808:30
    #1 0x7ffa21d8a505 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7ffa21da338d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7ffa21d9e3b0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7ffa20d66b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #5 0x7ffa20d7271f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #6 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7ffa20d99684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #13 0x7ffa21d8ac13 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #14 0x7ff9fe112975 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8338:3
    #15 0x7ffa21d8a505 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #16 0x7ffa21da338d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #17 0x7ffa21d9e3b0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #18 0x7ffa20d66b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #19 0x7ffa20d7271f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #20 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #21 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #22 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #23 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #24 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #25 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #26 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #27 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #28 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #29 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #30 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #31 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #32 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #33 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #34 0x7ffa20d99684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #35 0x7ffa21d8ac13 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #36 0x7ff9fe0862f1 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13632:24
    #37 0x7ffa2295ce30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #38 0x7ffa229709b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #39 0x7ffa2297e1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #40 0x7ffa2430973a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #41 0x7ffa2430a330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #42 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #43 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #44 0x7ffa1cd9578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #45 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x60400004a3d4 is located 4 bytes inside of 48-byte region [0x60400004a3d0,0x60400004a400)
freed by thread T0 here:
    #0 0x4be942 in __interceptor_free (apps/bin/ssconvert+0x4be942)
    #1 0x7ff9fe089823 in oo_chart_style_free gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:10021:2
    #2 0x7ff9fe0ac91d in oo_style_end gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:4767:4
    #3 0x7ffa21d9fb31 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #4 0x7ffa20d69856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #5 0x7ffa20d75d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #6 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7ffa20d99684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #11 0x7ffa21d8ac13 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #12 0x7ff9fe112975 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8338:3
    #13 0x7ffa21d8a505 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #14 0x7ffa21da338d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #15 0x7ffa21d9e3b0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #16 0x7ffa20d66b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #17 0x7ffa20d7271f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #18 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #19 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #20 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #21 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #22 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #23 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #24 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #25 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #26 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #27 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #28 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #29 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5

previously allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7ffa1d7a0391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7ffa21d8a505 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #3 0x7ffa21da338d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #4 0x7ffa21d9e3b0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #5 0x7ffa20d66b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #6 0x7ffa20d7271f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #7 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7ffa20d99684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #12 0x7ffa21d8ac13 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #13 0x7ff9fe112975 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8338:3
    #14 0x7ffa21d8a505 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #15 0x7ffa21da338d in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #16 0x7ffa21d9e3b0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #17 0x7ffa20d66b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #18 0x7ffa20d7271f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #19 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #20 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #21 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #22 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #23 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #24 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #25 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #26 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #27 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #28 0x7ffa20d75039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #29 0x7ffa20d70bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6

SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9808 oo_chart

-- Juha Kylmänen
This problem has been fixed in the unstable development version. The fix will be available in the next major software release. You may need to upgrade your Linux distribution to obtain that newer version.
The UAF is still there for the test case. Moved to line 9820:

==6438==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400004a094 at pc 0x7f417d320581 bp 0x7ffebafd3690 sp 0x7ffebafd3688
READ of size 4 at 0x60400004a094 thread T0
    #0 0x7f417d320580 in oo_chart gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9820:30
    #1 0x7f41a0fe2345 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7f41a0ffb1cd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7f41a0ff61f0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7f419ffbeb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #5 0x7f419ffca71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #6 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7f419fff1684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #13 0x7f41a0fe2a53 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #14 0x7f417d36a2f5 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8350:3
    #15 0x7f41a0fe2345 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #16 0x7f41a0ffb1cd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #17 0x7f41a0ff61f0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #18 0x7f419ffbeb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #19 0x7f419ffca71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #20 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #21 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #22 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #23 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #24 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #25 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #26 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #27 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #28 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #29 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #30 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #31 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #32 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #33 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #34 0x7f419fff1684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #35 0x7f41a0fe2a53 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #36 0x7f417d2dd281 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13644:24
    #37 0x7f41a1bb2e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #38 0x7f41a1bc69b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #39 0x7f41a1bd41c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #40 0x7f41a355f71a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #41 0x7f41a3560310 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #42 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #43 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #44 0x7f419bfed78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #45 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x60400004a094 is located 4 bytes inside of 48-byte region [0x60400004a090,0x60400004a0c0)
freed by thread T0 here:
    #0 0x4be942 in __interceptor_free (apps/bin/ssconvert+0x4be942)
    #1 0x7f417d2e07c3 in oo_chart_style_free gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:10033:2
    #2 0x7f417d2e86a9 in odf_free_cur_style gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:4620:4
    #3 0x7f417d304314 in oo_style_end gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:4790:2
    #4 0x7f41a0ff7971 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #5 0x7f419ffc1856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #6 0x7f419ffcdd3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #7 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f419fff1684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #12 0x7f41a0fe2a53 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #13 0x7f417d36a2f5 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8350:3
    #14 0x7f41a0fe2345 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #15 0x7f41a0ffb1cd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #16 0x7f41a0ff61f0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #17 0x7f419ffbeb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #18 0x7f419ffca71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #19 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #20 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #21 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #22 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #23 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #24 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #25 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #26 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #27 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #28 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #29 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6

previously allocated by thread T0 here:
    #0 0x4bed9b in calloc (apps/bin/ssconvert+0x4bed9b)
    #1 0x7f419c9f8391 in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7f41a0fe2345 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #3 0x7f41a0ffb1cd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #4 0x7f41a0ff61f0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #5 0x7f419ffbeb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #6 0x7f419ffca71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #7 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f419fff1684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #12 0x7f41a0fe2a53 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #13 0x7f417d36a2f5 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8350:3
    #14 0x7f41a0fe2345 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #15 0x7f41a0ffb1cd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #16 0x7f41a0ff61f0 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #17 0x7f419ffbeb60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #18 0x7f419ffca71f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #19 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #20 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #21 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #22 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #23 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #24 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #25 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #26 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #27 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #28 0x7f419ffcd039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #29 0x7f419ffc8bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6

SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9820 oo_chart