Bug 752178 - Null pointer crash in dependent.c:515 on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Depends on:
Blocks:
Reported: 2015-07-09 15:05 UTC by jutaky
Modified: 2015-09-26 00:30 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2015-07-09 15:05:01 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-dependent.c.515.xls

$ ssconvert gnumeric_case_001-dependent.c.515.xls /tmp/out.gnumeric

==19726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd80324e3c7 bp 0x7ffc547fae10 sp 0x7ffc547fac00 T0)
    #0 0x7fd80324e3c6 in dependent_queue_recalc_main gnumeric/gnumeric/src/dependent.c:515:20
    #1 0x7fd8031fe6c7 in dependent_queue_recalc_list gnumeric/gnumeric/src/dependent.c:545:2
    #2 0x7fd8031fe070 in dependent_queue_recalc gnumeric/gnumeric/src/dependent.c:560:3
    #3 0x7fd803353252 in gnumeric_table gnumeric/gnumeric/src/func-builtin.c:263:4
    #4 0x7fd8033373fa in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #5 0x7fd80327838f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #6 0x7fd80327a8aa in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1525:7
    #7 0x7fd8032ac876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #8 0x7fd80326033d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #9 0x7fd80325dd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #10 0x7fd80320b791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #11 0x7fd80320b020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #12 0x7fd80327b592 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1553:3
    #13 0x7fd8032ac876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #14 0x7fd80326033d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #15 0x7fd80325dd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #16 0x7fd80320b791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #17 0x7fd80322f84a in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #18 0x7fd803e161fb in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #19 0x7fd803e16b00 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #20 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #21 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #22 0x7fd7fa8f578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #23 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/dependent.c:515 dependent_queue_recalc_main

--
Juha Kylmänen
Comment 1 Jean Bréfort 2015-09-16 12:36:33 UTC
Valgrind finds a lot of invalid reads such as:

==22672== Invalid read of size 8
==22672==    at 0x4F8D1D0: value_release (value.c:563)
==22672==    by 0x4EF1772: gnumeric_table (func-builtin.c:243)
==22672==    by 0x4EF07DE: function_call_with_exprs (func.c:1879)
==22672==    by 0x4EE842C: gnm_expr_eval (expr.c:1453)
==22672==    by 0x4EE85B2: gnm_expr_eval (expr.c:1525)
==22672==    by 0x4EE8D45: gnm_expr_top_eval (expr.c:3124)
==22672==    by 0x4EDEC89: gnm_cell_eval_content (dependent.c:1669)
==22672==    by 0x4EDEC89: cell_dep_eval (dependent.c:1254)
==22672==    by 0x4EDFFEC: dependent_eval (dependent.c:1760)
==22672==    by 0x4EE87D7: gnm_expr_eval (expr.c:1553)
==22672==    by 0x4EE8D45: gnm_expr_top_eval (expr.c:3124)
==22672==    by 0x4EDEC89: gnm_cell_eval_content (dependent.c:1669)
==22672==    by 0x4EDEC89: cell_dep_eval (dependent.c:1254)
==22672==    by 0x4EDFFEC: dependent_eval (dependent.c:1760)
==22672==  Address 0x124cb7b8 is 8 bytes inside a block of size 24 free'd
==22672==    at 0x4C29E90: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22672==    by 0x4EF1751: gnumeric_table (func-builtin.c:234)
==22672==    by 0x4EF07DE: function_call_with_exprs (func.c:1879)
==22672==    by 0x4EE842C: gnm_expr_eval (expr.c:1453)
==22672==    by 0x4EE85B2: gnm_expr_eval (expr.c:1525)
==22672==    by 0x4EE8D45: gnm_expr_top_eval (expr.c:3124)
==22672==    by 0x4EDEC89: gnm_cell_eval_content (dependent.c:1669)
==22672==    by 0x4EDEC89: cell_dep_eval (dependent.c:1254)
==22672==    by 0x4EDFFEC: dependent_eval (dependent.c:1760)
==22672==    by 0x4EE87D7: gnm_expr_eval (expr.c:1553)
==22672==    by 0x4EE8D45: gnm_expr_top_eval (expr.c:3124)
==22672==    by 0x4EDEC89: gnm_cell_eval_content (dependent.c:1669)
==22672==    by 0x4EDEC89: cell_dep_eval (dependent.c:1254)
==22672==    by 0x4EDFFEC: dependent_eval (dependent.c:1760)
Comment 2 Morten Welinder 2015-09-26 00:30:24 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.