After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 752022 - SIGTRAP from ms-escher.c:161 on a fuzzed xls file
SIGTRAP from ms-escher.c:161 on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
 
 
Reported: 2015-07-06 14:39 UTC by jutaky
Modified: 2015-07-07 00:10 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2015-07-06 14:39:48 UTC 
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-ms-escher.c.161.xls

$ ssconvert gnumeric_case_002-ms-escher.c.161.xls /tmp/out.gnumeric

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff329cc33 in _g_log_abort (breakpoint=1) at gmessages.c:316
316	    G_BREAKPOINT ();
(gdb) bt

+ Trace 235235

  • #0 _g_log_abort
    at gmessages.c line 316
  • #1 g_logv
    at gmessages.c line 1073
  • #2 g_log
    at gmessages.c line 1111
  • #3 g_malloc
    at gmem.c line 102
  • #4 g_memdup
    at gstrfuncs.c line 384
  • #5 ms_escher_blip_new
    at ms-escher.c line 161
  • #6 ms_escher_read_Blip
    at ms-escher.c line 516
  • #7 ms_escher_read_container
    at ms-escher.c line 2166
  • #8 ms_escher_parse
    at ms-escher.c line 2241
  • #9 excel_read_workbook
    at ms-excel-read.c line 7323
  • #10 excel_enc_file_open
    at boot.c line 170
  • #11 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #12 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #13 go_file_opener_open
    at app/file.c line 417
  • #14 workbook_view_new_from_input
    at workbook-view.c line 1278
  • #15 workbook_view_new_from_uri
    at workbook-view.c line 1337
  • #16 convert
    at ssconvert.c line 715
  • #17 main
    at ssconvert.c line 901 

--
Juha Kylmänen
Comment 1 Andreas J. Guelzow 2015-07-06 18:57:55 UTC 
g_memdup (mem=0x7ffff7fb8025, byte_size=4294967279)

So you ran out of memory?
Comment 2 Morten Welinder 2015-07-06 23:54:17 UTC 
Andreas: yes, but chances are that we could detect that crazy size as invalid.
Comment 3 Morten Welinder 2015-07-07 00:10:01 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.