Bug 760102 – Null pointer crash in dependent.c:933 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 760102 - Null pointer crash in dependent.c:933 on a fuzzed xls file


Summary:	Null pointer crash in dependent.c:933 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2016-01-03 21:33 UTC by jutaky
Modified:	2016-01-04 01:23 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2016-01-03 21:33:40 UTC

Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_006-dependent.c.933.xls

$ ssconvert gnumeric_case_006-dependent.c.933.xls /tmp/out.gnumeric

==26127==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fccea2b6c4e bp 0x7ffd30cb3410 sp 0x7ffd30cb3300 T0)
    #0 0x7fccea2b6c4d in unlink_single_dep gnumeric/gnumeric/src/dependent.c:933:38
    #1 0x7fccea2a54f2 in link_unlink_single_dep gnumeric/gnumeric/src/dependent.c:952:5
    #2 0x7fccea2a54f2 in link_unlink_expr_dep gnumeric/gnumeric/src/dependent.c:1095
    #3 0x7fccea2a0e0f in dependent_unlink gnumeric/gnumeric/src/dependent.c:1560:2
    #4 0x7fccea2a07f6 in dependent_set_expr gnumeric/gnumeric/src/dependent.c:412:3
    #5 0x7fccea2a2c3d in dependent_managed_set_expr gnumeric/gnumeric/src/dependent.c:1329:2
    #6 0x7fccea54112a in gnm_style_cond_set_expr gnumeric/gnumeric/src/style-conditions.c:227:2
    #7 0x7fccea54112a in gnm_style_cond_free gnumeric/gnumeric/src/style-conditions.c:167
    #8 0x7fccea54112a in gnm_style_conditions_delete gnumeric/gnumeric/src/style-conditions.c:859
    #9 0x7fccea5428b7 in gnm_style_conditions_finalize gnumeric/gnumeric/src/style-conditions.c:666:3
    #10 0x7fcce54ea399 in g_object_unref gnumeric/glib/gobject/gobject.c:3183
    #11 0x7fccea38d19d in elem_clear_contents gnumeric/gnumeric/src/mstyle.c:499:4
    #12 0x7fccea38c5e9 in gnm_style_unref gnumeric/gnumeric/src/mstyle.c:732:4
    #13 0x7fccea38e46b in gnm_style_unlink gnumeric/gnumeric/src/mstyle.c:942:3
    #14 0x7fccea4f7142 in cell_tile_dtor gnumeric/gnumeric/src/sheet-style.c:478:4
    #15 0x7fccea4f7063 in cell_tile_dtor gnumeric/gnumeric/src/sheet-style.c:472:4
    #16 0x7fccea4f7063 in cell_tile_dtor gnumeric/gnumeric/src/sheet-style.c:472:4
    #17 0x7fccea4f7063 in cell_tile_dtor gnumeric/gnumeric/src/sheet-style.c:472:4
    #18 0x7fccea4f5eb8 in sheet_style_shutdown gnumeric/gnumeric/src/sheet-style.c:781:2
    #19 0x7fccea4510f5 in gnm_sheet_finalize gnumeric/gnumeric/src/sheet.c:4635:2
    #20 0x7fcce54ea399 in g_object_unref gnumeric/glib/gobject/gobject.c:3183
    #21 0x7fccea561945 in workbook_sheet_delete gnumeric/gnumeric/src/workbook.c:1124:2
    #22 0x7fccea566f22 in workbook_dispose gnumeric/gnumeric/src/workbook.c:177:3
    #23 0x7fcce54ea324 in g_object_unref gnumeric/glib/gobject/gobject.c:3146
    #24 0x4e02a2 in convert gnumeric/gnumeric/src/ssconvert.c:849:3
    #25 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #26 0x7fcce45d560f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #27 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

--
Juha Kylmänen

Comment 1 Morten Welinder 2016-01-04 01:23:00 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.