GNOME Bugzilla – Bug 752179
Out-of-bounds read in parse-util.c:1273 on a fuzzed xls file
Last modified: 2015-10-17 18:52:03 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-parse-util.c.1273.xls

$ ssconvert gnumeric_case_002-parse-util.c.1273.xls /tmp/out.gnumeric
==20134==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000022 (pc 0x7fb69650c2eb bp 0x7ffd837847f0 sp 0x7ffd83784380 T0)
    #0 0x7fb69650c2ea in std_expr_name_handler gnumeric/gnumeric/src/parse-util.c:1273:7
    #1 0x7fb695ff079b in do_expr_as_string gnumeric/gnumeric/src/expr.c:1754:3
    #2 0x7fb695ff3c4e in gnm_expr_as_string gnumeric/gnumeric/src/expr.c:1862:2
    #3 0x7fb6960056b8 in gnm_expr_top_as_string gnumeric/gnumeric/src/expr.c:2949:9
    #4 0x7fb69603be0d in expr_name_as_string gnumeric/gnumeric/src/expr-name.c:933:9
    #5 0x7fb696d3f02d in xml_write_name gnumeric/gnumeric/src/xml-sax-write.c:234:13
    #6 0x7fb696d1e26b in xml_write_named_expressions gnumeric/gnumeric/src/xml-sax-write.c:256:3
    #7 0x7fb696d22918 in xml_write_sheet gnumeric/gnumeric/src/xml-sax-write.c:1366:2
    #8 0x7fb696d1f559 in xml_write_sheets gnumeric/gnumeric/src/xml-sax-write.c:1390:3
    #9 0x7fb696d1a114 in gnm_xml_file_save_full gnumeric/gnumeric/src/xml-sax-write.c:1521:2
    #10 0x7fb696d18ed6 in gnm_xml_file_save gnumeric/gnumeric/src/xml-sax-write.c:1555:2
    #11 0x7fb694395c9f in go_file_saver_save_real gnumeric/goffice/goffice/app/file.c:577:2
    #12 0x7fb69438adca in go_file_saver_save gnumeric/goffice/goffice/app/file.c:848:2
    #13 0x7fb696b6f613 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059:2
    #14 0x7fb696b70145 in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093:3
    #15 0x7fb696b71c81 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129:2
    #16 0x4e8c81 in convert gnumeric/gnumeric/src/ssconvert.c:836:9
    #17 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #18 0x7fb68d65578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #19 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/parse-util.c:1273 std_expr_name_handler

-- Juha Kylmänen
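The following is an added triage helper, not part of the bug report and not gnumeric or GNOME code. It parses an AddressSanitizer report of the shape posted above into structured frames, derives a deduplication signature from the top in-project frames (the usual way a fuzzing harness buckets many crashing inputs onto one bug), and flags whether the faulting address lies in the first page, a constructed heuristic for distinguishing near-null dereferences from wild reads. The embedded report text is the trace from this bug; the function names, the 3-frame signature depth and the 4096-byte near-null threshold are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASan report as posted in the bug (the page's own data, indented as ASan prints it).
ASAN_REPORT = """\
==20134==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000022 (pc 0x7fb69650c2eb bp 0x7ffd837847f0 sp 0x7ffd83784380 T0)
    #0 0x7fb69650c2ea in std_expr_name_handler gnumeric/gnumeric/src/parse-util.c:1273:7
    #1 0x7fb695ff079b in do_expr_as_string gnumeric/gnumeric/src/expr.c:1754:3
    #2 0x7fb695ff3c4e in gnm_expr_as_string gnumeric/gnumeric/src/expr.c:1862:2
    #3 0x7fb6960056b8 in gnm_expr_top_as_string gnumeric/gnumeric/src/expr.c:2949:9
    #4 0x7fb69603be0d in expr_name_as_string gnumeric/gnumeric/src/expr-name.c:933:9
    #5 0x7fb696d3f02d in xml_write_name gnumeric/gnumeric/src/xml-sax-write.c:234:13
    #16 0x4e8c81 in convert gnumeric/gnumeric/src/ssconvert.c:836:9
    #17 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #18 0x7fb68d65578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #19 0x438a48 in _start (apps/bin/ssconvert+0x438a48)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/parse-util.c:1273 std_expr_name_handler
"""

# "==PID==ERROR: AddressSanitizer: KIND on unknown address 0xADDR"
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+)"
    r"(?: on unknown address 0x(?P<addr>[0-9a-fA-F]+))?"
)
# "#N 0xPC in FUNC LOCATION" where LOCATION is "path:line:col" or "(module+0xoff)"
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<func>\S+)\s+(?P<loc>.+?)\s*$"
)
SRC_LOC_RE = re.compile(r"^(?P<file>[^\s(]+?):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    file: Optional[str]   # None for frames symbolised only as (module+offset)
    line: Optional[int]


@dataclass
class AsanReport:
    pid: int
    kind: str               # e.g. "SEGV", "heap-buffer-overflow"
    fault_addr: Optional[int]
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanReport:
    """Parse the header and the first (crashing) stack of an ASan report."""
    pid, kind, addr, frames = 0, "", None, []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pid, kind = int(m.group("pid")), m.group("kind")
            addr = int(m.group("addr"), 16) if m.group("addr") else None
            continue
        m = FRAME_RE.match(raw)
        if not m:
            continue
        loc = SRC_LOC_RE.match(m.group("loc"))
        frames.append(Frame(
            index=int(m.group("idx")),
            pc=int(m.group("pc"), 16),
            function=m.group("func"),
            file=loc.group("file") if loc else None,
            line=int(loc.group("line")) if loc else None,
        ))
    return AsanReport(pid=pid, kind=kind, fault_addr=addr, frames=frames)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Bucket key: kind plus the top `depth` frames that have source info.

    Columns are dropped and paths reduced to basenames so that unrelated
    line-wrapping or build-root differences do not split one bug into many.
    """
    parts = []
    for f in report.frames:
        if f.file is None:          # skip libc / _start frames with no source
            continue
        parts.append(f"{f.function}@{f.file.rsplit('/', 1)[-1]}:{f.line}")
        if len(parts) == depth:
            break
    return report.kind + ":" + "|".join(parts)


def is_near_null(report: AsanReport, page_size: int = 4096) -> bool:
    """Heuristic (this example's own): a fault in the first page usually means
    a NULL or near-NULL pointer was dereferenced rather than a wild read."""
    return report.fault_addr is not None and report.fault_addr < page_size


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(crash_signature(r), "near-null:", is_near_null(r))
```

Running the block on the posted trace yields the bucket key `SEGV:std_expr_name_handler@parse-util.c:1273|do_expr_as_string@expr.c:1754|gnm_expr_as_string@expr.c:1862`; feeding further fuzzer crashes through the same function groups those with an identical key onto the same issue.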
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.