Bug 751851 - Out-of-bounds read in openoffice-read.c:9558 on a fuzzed ods file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Andreas J. Guelzow
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
Reported: 2015-07-02 16:02 UTC by jutaky
Modified: 2015-07-03 02:24 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description jutaky 2015-07-02 16:02:51 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-openoffice-read.c.9558.ods

$ ssconvert gnumeric_case_002-openoffice-read.c.9558.ods /tmp/out.gnumeric

==20642==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fcbc83d7145 bp 0x7fff948e7e50 sp 0x7fff948e7ac0 T0)
    #0 0x7fcbc83d7144 in od_series_reg_equation gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9558:32
    #1 0x7fcbec083ce5 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7fcbec09cbed in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7fcbec097c12 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7fcbeb05fd80 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #5 0x7fcbeb06b93f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #6 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #13 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #14 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #15 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #16 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #17 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #18 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #19 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #20 0x7fcbeb0928a4 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10857:2
    #21 0x7fcbec0843f3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #22 0x7fcbc840c2f5 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8354:3
    #23 0x7fcbec083ce5 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #24 0x7fcbec09cbed in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #25 0x7fcbec097c12 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #26 0x7fcbeb05fd80 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #27 0x7fcbeb06b93f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #28 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #29 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #30 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #31 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #32 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #33 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #34 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #35 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #36 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #37 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #38 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #39 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #40 0x7fcbeb069df3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #41 0x7fcbeb06e259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #42 0x7fcbeb0928a4 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10857:2
    #43 0x7fcbec0843f3 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #44 0x7fcbc837f271 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13646:24
    #45 0x7fcbecc51e30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #46 0x7fcbecc659b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #47 0x7fcbecc731c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #48 0x7fcbee5f2854 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #49 0x7fcbee5f3440 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #50 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #51 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #52 0x7fcbe708e78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #53 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9558 od_series_reg_equation

--
Juha Kylmänen
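The report above is the kind of output a fuzzing harness produces by the hundreds, and the first triage question is always which crashes are the same bug. The following is an added example, not code from the bug report or from Gnumeric, of a small AddressSanitizer report parser that extracts the fault kind and address, walks the stack frames, skips frames that belong to bundled third-party libraries, and builds a deduplication key from the first frame in the project's own code. The sample input is an abridged copy of the trace from this bug; the list of third-party path prefixes assumes the reporter's checkout layout (`gnumeric/libxml2/`, `gnumeric/libgsf/`, and so on, as seen in the trace), and the "near-null" flag is a generic triage heuristic (fault address inside the first page), not a statement about this bug's root cause.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an abridged copy of the ASan report from bug 751851.
# Only the frames needed to exercise the triage logic are kept.
SAMPLE_REPORT = """\
==20642==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fcbc83d7145 bp 0x7fff948e7e50 sp 0x7fff948e7ac0 T0)
    #0 0x7fcbc83d7144 in od_series_reg_equation gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9558:32
    #1 0x7fcbec083ce5 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7fcbec09cbed in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7fcbec097c12 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7fcbeb05fd80 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #22 0x7fcbc840c2f5 in od_draw_object gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8354:3
    #52 0x7fcbe708e78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #53 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:9558 od_series_reg_equation
"""

# Assumption: path prefixes of libraries bundled in the reporter's checkout.
# Frames under these are treated as "not our code" when picking the culprit.
THIRD_PARTY: Tuple[str, ...] = (
    "gnumeric/libxml2/", "gnumeric/libgsf/", "gnumeric/goffice/", "gnumeric/glib/",
)

# "#0 0x... in func location"; location is either file:line:col or (module+offset)
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>.+?)\s*$")
# "ERROR: AddressSanitizer: <kind> on [unknown] address 0x..." (address is optional)
HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
# Symbolized source location; module+offset frames start with "(" and do not match.
SRC_LOC_RE = re.compile(r"^(?P<file>[^\s(:]+):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]   # None for unsymbolized module+offset frames
    line: Optional[int]


@dataclass
class Triage:
    kind: str
    address: Optional[int]
    frames: List[Frame]
    near_null: bool        # fault address inside the first page (heuristic)
    culprit: Optional[Frame]
    dedup_key: str


def parse_frames(report: str) -> List[Frame]:
    """Extract every '#N 0x... in func loc' line as a Frame."""
    frames: List[Frame] = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        loc = SRC_LOC_RE.match(m.group("loc"))
        frames.append(Frame(int(m.group("idx")), m.group("func"),
                            loc.group("file") if loc else None,
                            int(loc.group("line")) if loc else None))
    return frames


def find_culprit(frames: List[Frame],
                 third_party: Tuple[str, ...] = THIRD_PARTY) -> Optional[Frame]:
    """First symbolized frame that is not inside a bundled third-party library."""
    for f in frames:
        if f.file is None or any(f.file.startswith(p) for p in third_party):
            continue
        return f
    return None


def triage(report: str, third_party: Tuple[str, ...] = THIRD_PARTY) -> Triage:
    """Parse one ASan report into a Triage record with a deduplication key."""
    m = HEADER_RE.search(report)
    kind = m.group("kind") if m else "unknown"
    address = int(m.group("addr"), 16) if m and m.group("addr") else None
    frames = parse_frames(report)
    culprit = find_culprit(frames, third_party)
    if culprit is not None:
        key = f"{kind}:{culprit.function}:{culprit.file}:{culprit.line}"
    else:
        key = f"{kind}:unknown"
    near_null = address is not None and address < 0x1000
    return Triage(kind, address, frames, near_null, culprit, key)


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t.kind} at {t.address:#x} near-null={t.near_null}")
    print("dedup key:", t.dedup_key)
```

Crashes whose key is identical are almost always the same defect even when the fuzzed inputs differ, so the key (rather than the input file name or the full 54-frame trace) is what goes into the "already reported" table. The near-null flag is useful when reading a batch of SEGVs: an address like 0x18 is a struct field offset away from zero, which points the reviewer at a missing null check before anything else.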
Comment 1 Andreas J. Guelzow 2015-07-03 02:24:12 UTC
This problem has been fixed in the unstable development version. The fix will be available in the next major software release. You may need to upgrade your Linux distribution to obtain that newer version.