Bug 751662 – Stack-overflow in ms-excel-read.c:1018 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751662 - Stack-overflow in ms-excel-read.c:1018 on a fuzzed xls file


Summary:	Stack-overflow in ms-excel-read.c:1018 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-06-29 15:33 UTC by jutaky
Modified:	2015-07-01 19:12 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-06-29 15:33:34 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_009-ms-excel-read.c.1018.xls

$ ssconvert gnumeric_case_009-ms-excel-read.c.1018.xls /tmp/out.gnumeric

==17916==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc880fc820 (pc 0x7f5d21756283 bp 0x7ffe880f0d30 sp 0x7ffc880fc820 T0)
    #0 0x7f5d21756282 in excel_get_chars gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1018:4
    #1 0x7f5d21757fc5 in excel_get_text gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1083:8
    #2 0x7f5d21a16d8c in xls_read_SXVIEW gnumeric/gnumeric/plugins/excel/xls-read-pivot.c:752:3
    #3 0x7f5d217bcd52 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6882:21
    #4 0x7f5d2177061f in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7105:4
    #5 0x7f5d2176b7d5 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7211:4
    #6 0x7f5d216fe001 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #7 0x7f5d216ffa54 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #8 0x7f5d440f9e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #9 0x7f5d4410d9b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #10 0x7f5d4411b1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #11 0x7f5d45aa5e7a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #12 0x7f5d45aa6a70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #13 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #14 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #15 0x7f5d3e53478f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #16 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

SUMMARY: AddressSanitizer: stack-overflow gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1018 excel_get_chars

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-07-01 19:12:29 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.