GNOME Bugzilla – Bug 761305
Database functions should reject array databases
Last modified: 2016-01-30 17:30:54 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_003-value.c.1693.gnumeric

$ valgrind ssconvert gnumeric_case_003-value.c.1693.gnumeric /tmp/out.gnumeric
==7945== Invalid read of size 4
==7945==    at 0x50A5106: find_column_of_field (value.c:1693)
==7945==    by 0x19D17FBE: database_float_range_function (functions.c:220)
==7945==    by 0x19D1788A: gnumeric_dcounta (functions.c:415)
==7945==    by 0x4F3EE0E: function_call_with_exprs (func.c:2101)
==7945==    by 0x4F213D6: gnm_expr_eval (expr.c:1453)
==7945==    by 0x4F29108: gnm_expr_top_eval (expr.c:3124)
==7945==    by 0x4F1ABF9: gnm_cell_eval_content (dependent.c:1663)
==7945==    by 0x4F1ABF9: cell_dep_eval (dependent.c:1250)
==7945==    by 0x4F1893A: dependent_eval (dependent.c:1753)
==7945==    by 0x4F1893A: workbook_recalc (dependent.c:2867)
==7945==    by 0x50B7A1A: workbook_view_new_from_input (workbook-view.c:1294)
==7945==    by 0x50B7BCB: workbook_view_new_from_uri (workbook-view.c:1337)
==7945==    by 0x40498E: convert (ssconvert.c:715)
==7945==    by 0x4041C1: main (ssconvert.c:918)
==7945==  Address 0x1943e730 is 16 bytes after a block of size 32 alloc'd
==7945==    at 0x4C28C10: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7945==    by 0x9B9B178: g_malloc (gmem.c:94)
==7945==    by 0x9BB1B42: g_slice_alloc (gslice.c:1025)
==7945==    by 0x50A0496: value_new_array_non_init (value.c:423)
==7945==    by 0x50A0496: value_new_array_empty (value.c:450)
==7945==    by 0x4F21C39: gnm_expr_eval (expr.c:1384)
==7945==    by 0x4F3E289: function_call_with_exprs (func.c:1906)
==7945==    by 0x4F213D6: gnm_expr_eval (expr.c:1453)
==7945==    by 0x4F29108: gnm_expr_top_eval (expr.c:3124)
==7945==    by 0x4F1ABF9: gnm_cell_eval_content (dependent.c:1663)
==7945==    by 0x4F1ABF9: cell_dep_eval (dependent.c:1250)
==7945==    by 0x4F1893A: dependent_eval (dependent.c:1753)
==7945==    by 0x4F1893A: workbook_recalc (dependent.c:2867)
==7945==    by 0x50B7A1A: workbook_view_new_from_input (workbook-view.c:1294)
==7945==    by 0x50B7BCB: workbook_view_new_from_uri (workbook-view.c:1337)

-- Juha Kylmänen
Some code doesn't handle arrays as databases. We now reject instead of poking into the wrong memory. This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
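A constructed C model of the failure and of the fix described above, added here and not Gnumeric's own code: a tagged-union value that is either a cell range or an inline array, the type confusion that lets range-oriented code read an array's bytes as range bounds, and the type check that rejects array databases before any field lookup. The Value layout, make_range, make_array, sheet_header, inline_db and the function names are assumptions of the model, not Gnumeric's API.

```c
#include <string.h>
/* Constructed model of the bug, not Gnumeric's own GnmValue or database code.
 * A value is a tagged union: either a cell range or an inline array. The two
 * payloads share storage, so range code applied to an array reads array bytes. */
typedef enum { VALUE_CELLRANGE, VALUE_ARRAY } ValueType;
typedef struct {
    ValueType type;
    union {
        struct { int col0, row0, col1, row1; } range;   /* cell range bounds   */
        struct { int x, y; const char **vals; } array;  /* x columns by y rows */
    } u;
} Value;
/* Constructed data: a sheet whose header row names the database fields, and an
 * inline array such as {"Name","Age";"Ann","41"} handed to DCOUNTA instead. */
#define SHEET_COLS 3
static const char *sheet_header[SHEET_COLS] = { "Name", "Age", "City" };
static const char *inline_db[] = { "Name", "Age", "Ann", "41" };
static Value make_range(int col0, int row0, int col1, int row1)
{
    Value v = { VALUE_CELLRANGE };          /* remaining bytes zero-initialised */
    v.u.range.col0 = col0; v.u.range.row0 = row0;
    v.u.range.col1 = col1; v.u.range.row1 = row1;
    return v;
}
static Value make_array(int x, int y, const char **vals)
{
    Value v = { VALUE_ARRAY };
    v.u.array.x = x; v.u.array.y = y; v.u.array.vals = vals;
    return v;
}
/* Shape of the defective lookup: it trusts that db is a cell range. Handed an
 * array it reads array.x as range.col0 and the bytes of array.vals as col1, so
 * the span it scans is garbage. The model only reports the start column; the
 * real code dereferenced cells there, which is the invalid read valgrind caught. */
static int scan_start_unchecked(Value db)
{
    return db.u.range.col0;
}
/* Shape of the fix: reject every non-range value before touching the union,
 * then look the field up without indexing past the sheet. -1 = rejected/absent. */
static int find_column_of_field_checked(Value db, const char *field)
{
    if (db.type != VALUE_CELLRANGE)
        return -1;                          /* array databases are rejected */
    for (int c = db.u.range.col0; c <= db.u.range.col1; c++) {
        if (c < 0 || c >= SHEET_COLS) return -1;  /* never index past the sheet */
        if (strcmp(sheet_header[c], field) == 0) return c;
    }
    return -1;
}
```

With the 2x2 inline array, the unchecked path takes the array's column count (2) as the first sheet column to scan, while the checked path refuses the array outright.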