GNOME Bugzilla – Bug 752181
Null pointer crash in value.c:636 on a fuzzed xls file
Last modified: 2015-09-26 00:24:50 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_004-value.c.636.xls

$ ssconvert gnumeric_case_004-value.c.636.xls /tmp/out.gnumeric
==21363==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f85bcf9806d bp 0x7ffdcf808ad0 sp 0x7ffdcf808680 T0)
    #0 0x7f85bcf9806c in value_dup gnumeric/gnumeric/src/value.c:636:10
    #1 0x7f85bcf996ce in value_dup gnumeric/gnumeric/src/value.c:672:25
    #2 0x7f859563f31f in gnumeric_transpose gnumeric/gnumeric/plugins/fn-lookup/functions.c:1804:30
    #3 0x7f85bc54e45b in function_call_with_exprs gnumeric/gnumeric/src/func.c:2101:9
    #4 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #5 0x7f85bc5468e3 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1906:20
    #6 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #7 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #8 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #9 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #10 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #11 0x7f85bc419020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #12 0x7f85bc554d9a in cb_iterate_cellrange gnumeric/gnumeric/src/func.c:2200:2
    #13 0x7f85bcb11e6f in sheet_foreach_cell_in_range gnumeric/gnumeric/src/sheet.c:4002:12
    #14 0x7f85bcfd45ae in workbook_foreach_cell_in_range gnumeric/gnumeric/src/workbook.c:591:9
    #15 0x7f85bc553c63 in function_iterate_do_value gnumeric/gnumeric/src/func.c:2265:9
    #16 0x7f85bc5523c2 in function_iterate_argument_values gnumeric/gnumeric/src/func.c:2372:12
    #17 0x7f85bc297409 in collect_floats gnumeric/gnumeric/src/collect.c:495:11
    #18 0x7f85bc29e3e2 in float_range_function gnumeric/gnumeric/src/collect.c:626:9
    #19 0x7f85979b8278 in gnumeric_max gnumeric/gnumeric/plugins/fn-stat/functions.c:915:9
    #20 0x7f85bc5453fa in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #21 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #22 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #23 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #24 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #25 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #26 0x7f85bc419020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #27 0x7f85bc55f3be in gnumeric_table gnumeric/gnumeric/src/func-builtin.c:221:4
    #28 0x7f85bc5453fa in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #29 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #30 0x7f85bc4888aa in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1525:7
    #31 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #32 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #33 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #34 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #35 0x7f85bc419020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #36 0x7f85bc489592 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1553:3
    #37 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #38 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #39 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #40 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #41 0x7f85bc43d84a in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #42 0x7f85bd0241fb in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #43 0x7f85bd024b00 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #44 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #45 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #46 0x7f85b3b0378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #47 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/value.c:636 value_dup

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.