GNOME Bugzilla – Bug 760106
Heap-buffer overread in iconv from ms-excel-read.c:1028 on a fuzzed xls file
Last modified: 2016-01-05 14:52:55 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_010-ms-excel-read.c.1028.xls

$ ssconvert gnumeric_case_010-ms-excel-read.c.1028.xls /tmp/out.gnumeric
==28420==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000059e11 at pc 0x000000488176 bp 0x7ffeb70faa70 sp 0x7ffeb70fa220
READ of size 13 at 0x606000059e11 thread T0
    #0 0x488175 in iconv (apps/bin/ssconvert+0x488175)
    #1 0x7fa20a8d01a2 in excel_get_chars gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1028:3
    #2 0x7fa20a8d0777 in excel_get_text gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1083:8
    #3 0x7fa20a94f44e in excel_parse_formula1 gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1315:10
    #4 0x7fa20a94dbc3 in excel_parse_formula gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1910:21
    #5 0x7fa20a8fe2df in excel_formula_shared gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2843:10
    #6 0x7fa20a8fe2df in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:2970
    #7 0x7fa20a8fe2df in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6687
    #8 0x7fa20a8e180d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7119:4
    #9 0x7fa20a8d8cb2 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7228:4
    #10 0x7fa20a8b17a2 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #11 0x7fa229884ed2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #12 0x7fa22988db96 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #13 0x7fa229891cec in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #14 0x7fa22a490d00 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #15 0x7fa22a49107f in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #16 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #17 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #18 0x7fa2244f660f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #19 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
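The report shows iconv reading 13 bytes past the end of a heap buffer while excel_get_chars decodes a string embedded in a formula record. The report does not state the root cause, but the typical defect behind this class of crash is a length field taken from the file and passed to iconv without first checking it against the bytes actually remaining in the record. The following is an added example written for this page, not Gnumeric's code: it uses a hypothetical record layout (one length byte followed by that many ISO-8859-1 characters, an assumption for illustration) and shows the bounds check that stops the overread before iconv ever sees the declared length.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout used by this example (not the real BIFF format):
 * rec[0] is the declared character count, rec[1..] are ISO-8859-1 bytes. */

/* Decode the string in `rec` to UTF-8 in `out`. Returns the number of UTF-8
 * bytes written (excluding the NUL), or -1 if the declared length runs past
 * the end of the record or the conversion fails. */
long get_chars_checked(const unsigned char *rec, size_t rec_len,
                       char *out, size_t out_cap)
{
    if (rec_len < 1 || out_cap < 1)
        return -1;

    size_t declared = rec[0];      /* attacker-controlled length from the file */
    size_t avail = rec_len - 1;    /* bytes that really follow the length byte */

    /* The check that prevents the overread: the on-disk length is untrusted,
     * so it is clamped against what the record actually contains. */
    if (declared > avail) {
        fprintf(stderr, "truncated string: declared %zu bytes, only %zu present\n",
                declared, avail);
        return -1;
    }

    iconv_t cd = iconv_open("UTF-8", "ISO-8859-1");
    if (cd == (iconv_t)-1)
        return -1;

    char *inbuf = (char *)(rec + 1);
    size_t inleft = declared;      /* bounded by `avail`, so iconv stays in range */
    char *outbuf = out;
    size_t outleft = out_cap - 1;  /* keep one byte for the terminating NUL */

    size_t r = iconv(cd, &inbuf, &inleft, &outbuf, &outleft);
    int saved_errno = errno;
    iconv_close(cd);
    if (r == (size_t)-1) {
        errno = saved_errno;       /* E2BIG, EILSEQ or EINVAL from iconv */
        return -1;
    }
    *outbuf = '\0';
    return (long)(outbuf - out);
}

/* Convenience wrapper: 1 if `rec` decodes exactly to `expect`, 0 if it is
 * rejected or decodes to something else. */
int record_converts_to(const unsigned char *rec, size_t rec_len, const char *expect)
{
    char out[64];
    long n = get_chars_checked(rec, rec_len, out, sizeof out);
    return n >= 0 && strcmp(out, expect) == 0;
}

/* Constructed sample records for the example. */
static const unsigned char good_rec[]   = { 5, 'H', 'e', 'l', 'l', 'o' };
static const unsigned char accent_rec[] = { 4, 'c', 'a', 'f', 0xE9 };   /* "café" in ISO-8859-1 */
static const unsigned char bad_rec[]    = { 13, 'H', 'i' };             /* claims 13 bytes, only 2 follow */

int main(void)
{
    char out[64];
    long n;

    n = get_chars_checked(good_rec, sizeof good_rec, out, sizeof out);
    printf("good_rec   -> %ld bytes: \"%s\"\n", n, n >= 0 ? out : "");

    n = get_chars_checked(accent_rec, sizeof accent_rec, out, sizeof out);
    printf("accent_rec -> %ld bytes: \"%s\"\n", n, n >= 0 ? out : "");

    /* Without the check, iconv would be asked to read 13 bytes from a 2-byte
     * tail, which is the same shape as the ASan report above. */
    n = get_chars_checked(bad_rec, sizeof bad_rec, out, sizeof out);
    printf("bad_rec    -> %ld (rejected)\n", n);
    return 0;
}
```

The malformed record mirrors the "READ of size 13" in the report: a declared length larger than the data that follows it. Rejecting the record at that point keeps the bad length from ever reaching iconv, and the rest of the parser can treat the string as absent instead of crashing.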