Bug 751852 - Out-of-bounds read in func-builtin.c:199 on a fuzzed ods file
Status: RESOLVED DUPLICATE of bug 751871
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
Version: git master
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Andreas J. Guelzow
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
Reported: 2015-07-02 16:04 UTC by jutaky
Modified: 2015-07-03 03:41 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description jutaky 2015-07-02 16:04:02 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-func-builtin.c.199.ods

$ ssconvert gnumeric_case_001-func-builtin.c.199.ods /tmp/out.gnumeric

==20371==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f8b6e6695b6 bp 0x7ffed48ee230 sp 0x7ffed48ed940 T0)
    #0 0x7f8b6e6695b5 in gnumeric_table gnumeric/gnumeric/src/func-builtin.c:199:25
    #1 0x7f8b6e656c02 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #2 0x7f8b6e5cb94d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #3 0x7f8b6e5f32a4 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #4 0x7f8b6e5ba754 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #5 0x7f8b6e5b8c37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #6 0x7f8b6e57df0d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #7 0x7f8b6e596c82 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #8 0x7f8b6ee54b3a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #9 0x7f8b6ee55440 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #10 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #11 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #12 0x7f8b678f078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #13 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/func-builtin.c:199 gnumeric_table

--
Juha Kylmänen
Comment 1 Andreas J. Guelzow 2015-07-03 02:29:21 UTC
I am unable to extract content.xml from this ods archive.
Comment 2 Andreas J. Guelzow 2015-07-03 03:40:02 UTC
Thanks for taking the time to report this.
This particular bug has already been reported in our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of bug 51871 ***
Comment 3 Andreas J. Guelzow 2015-07-03 03:40:26 UTC

*** This bug has been marked as a duplicate of bug 751871 ***
Comment 4 Andreas J. Guelzow 2015-07-03 03:41:53 UTC
Please note that the bug number in comment #2 is wrong; this is a duplicate of bug #751871, which is unrelated to fuzzed files (or the ods importer).