GNOME Bugzilla – Bug 490828
Crash when exporting sort.xls to '97/2000/XP & 5.0/95' Excel format
Last modified: 2007-10-27 21:16:27 UTC
Version: r16019
OS: Ubuntu Gutsy

The following crash doesn't seem to occur with any of the other Excel export options (e.g. "MS Excel (tm) 97/2000/XP").

Steps to reproduce:
- Run Gnumeric
- Import gnumeric/samples/excel/sort.xls
- File > Save As
- Choose the "MS Excel (tm) 97/2000/XP & 5.0/95" file type
- Press Save to crash Gnumeric

Valgrind output:

==1149== Invalid read of size 1
==1149==    at 0x7FBB445: excel_write_string_len (ms-excel-write.c:250)
==1149==    by 0x7FC9E19: cb_write_macro_NAME (ms-excel-write.c:5065)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB4B7: excel_write_workbook (ms-excel-write.c:5394)
==1149==    by 0x7FCBDA5: excel_write_v8 (ms-excel-write.c:5526)
==1149==    by 0x7FA0970: excel_save (boot.c:256)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==    by 0x414B7E0: wbv_save_to_output (workbook-view.c:829)
==1149==  Address 0x71B25A8 is 0 bytes inside a block of size 4 free'd
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB200: excel_write_workbook (ms-excel-write.c:5349)
==1149==    by 0x7FCBC59: excel_write_v7 (ms-excel-write.c:5506)
==1149==    by 0x7FA0958: excel_save (boot.c:254)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==
==1149== Invalid read of size 1
==1149==    at 0x7FBB422: excel_write_string_len (ms-excel-write.c:251)
==1149==    by 0x7FC9E19: cb_write_macro_NAME (ms-excel-write.c:5065)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB4B7: excel_write_workbook (ms-excel-write.c:5394)
==1149==    by 0x7FCBDA5: excel_write_v8 (ms-excel-write.c:5526)
==1149==    by 0x7FA0970: excel_save (boot.c:256)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==    by 0x414B7E0: wbv_save_to_output (workbook-view.c:829)
==1149==  Address 0x71B25A8 is 0 bytes inside a block of size 4 free'd
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB200: excel_write_workbook (ms-excel-write.c:5349)
==1149==    by 0x7FCBC59: excel_write_v7 (ms-excel-write.c:5506)
==1149==    by 0x7FA0958: excel_save (boot.c:254)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==
==1149== Invalid read of size 1
==1149==    at 0x7FBB445: excel_write_string_len (ms-excel-write.c:250)
==1149==    by 0x7FBB497: excel_write_string (ms-excel-write.c:274)
==1149==    by 0x7FC9E8C: cb_write_macro_NAME (ms-excel-write.c:5072)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB4B7: excel_write_workbook (ms-excel-write.c:5394)
==1149==    by 0x7FCBDA5: excel_write_v8 (ms-excel-write.c:5526)
==1149==    by 0x7FA0970: excel_save (boot.c:256)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==  Address 0x71B25A8 is 0 bytes inside a block of size 4 free'd
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB200: excel_write_workbook (ms-excel-write.c:5349)
==1149==    by 0x7FCBC59: excel_write_v7 (ms-excel-write.c:5506)
==1149==    by 0x7FA0958: excel_save (boot.c:254)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==
==1149== Invalid read of size 1
==1149==    at 0x7FBB422: excel_write_string_len (ms-excel-write.c:251)
==1149==    by 0x7FBB497: excel_write_string (ms-excel-write.c:274)
==1149==    by 0x7FC9E8C: cb_write_macro_NAME (ms-excel-write.c:5072)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB4B7: excel_write_workbook (ms-excel-write.c:5394)
==1149==    by 0x7FCBDA5: excel_write_v8 (ms-excel-write.c:5526)
==1149==    by 0x7FA0970: excel_save (boot.c:256)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==  Address 0x71B25A8 is 0 bytes inside a block of size 4 free'd
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB200: excel_write_workbook (ms-excel-write.c:5349)
==1149==    by 0x7FCBC59: excel_write_v7 (ms-excel-write.c:5506)
==1149==    by 0x7FA0958: excel_save (boot.c:254)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==
==1149== Invalid read of size 1
==1149==    at 0x50311D7: gsf_outfile_msole_write (gsf-outfile-msole.c:500)
==1149==    by 0x502A34A: gsf_output_write (gsf-output.c:354)
==1149==    by 0x7FA27F6: ms_biff_put_var_write (ms-biff.c:669)
==1149==    by 0x7FBB7AD: excel_write_string (ms-excel-write.c:353)
==1149==    by 0x7FC9E8C: cb_write_macro_NAME (ms-excel-write.c:5072)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB4B7: excel_write_workbook (ms-excel-write.c:5394)
==1149==    by 0x7FCBDA5: excel_write_v8 (ms-excel-write.c:5526)
==1149==    by 0x7FA0970: excel_save (boot.c:256)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==  Address 0x71B25A8 is 0 bytes inside a block of size 4 free'd
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB200: excel_write_workbook (ms-excel-write.c:5349)
==1149==    by 0x7FCBC59: excel_write_v7 (ms-excel-write.c:5506)
==1149==    by 0x7FA0958: excel_save (boot.c:254)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==
==1149== Invalid free() / delete / delete[]
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB4B7: excel_write_workbook (ms-excel-write.c:5394)
==1149==    by 0x7FCBDA5: excel_write_v8 (ms-excel-write.c:5526)
==1149==    by 0x7FA0970: excel_save (boot.c:256)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)
==1149==  Address 0x71B25A8 is 0 bytes inside a block of size 4 free'd
==1149==    at 0x402237F: free (vg_replace_malloc.c:233)
==1149==    by 0x4CD2960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9EA8: cb_write_macro_NAME (ms-excel-write.c:5075)
==1149==    by 0x4CBDE95: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1400.1)
==1149==    by 0x7FC9F39: excel_write_names (ms-excel-write.c:5087)
==1149==    by 0x7FCB200: excel_write_workbook (ms-excel-write.c:5349)
==1149==    by 0x7FCBC59: excel_write_v7 (ms-excel-write.c:5506)
==1149==    by 0x7FA0958: excel_save (boot.c:254)
==1149==    by 0x7FA0B5F: excel_dsf_file_save (boot.c:291)
==1149==    by 0x45E34CC: go_plugin_loader_module_func_file_save (go-plugin-loader-module.c:307)
==1149==    by 0x45E5587: go_plugin_file_saver_save (go-plugin-service.c:749)
==1149==    by 0x45E8491: go_file_saver_save (file.c:663)

Confirmed.
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.
Added new test t8004 for this. This will not happen again.
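
The Valgrind trace in the report shows cb_write_macro_NAME freeing a 4-byte block during the excel_write_v7 pass, then reading and freeing that same block again during the excel_write_v8 pass. The C sketch below is an added illustration of that defect shape next to one corrected form; it is not Gnumeric's code and not the fix that was committed, and Entry, write_names, dup_str and both callbacks are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a table-owned name entry (not Gnumeric's type). */
typedef struct { char *name; } Entry;
typedef void (*EntryFn)(Entry *e, size_t *bytes);

/* Defective shape, shown for contrast and never called here: the callback
 * frees a buffer the table still points to. One pass works; a second pass
 * over the same table reads freed memory and then frees it again. */
void cb_write_frees_shared(Entry *e, size_t *bytes) {
    *bytes += strlen(e->name);   /* second pass: invalid read */
    free(e->name);               /* second pass: invalid free */
}

/* Corrected shape: the callback releases only its own per-pass scratch copy. */
void cb_write_frees_scratch(Entry *e, size_t *bytes) {
    size_t n = strlen(e->name) + 1;
    char *scratch = malloc(n);
    if (scratch == NULL) return;
    memcpy(scratch, e->name, n); /* stand-in for per-format encoding */
    *bytes += n - 1;
    free(scratch);               /* table-owned e->name is left alone */
}

size_t write_names(Entry *tbl, size_t count, EntryFn cb) {
    size_t bytes = 0;
    for (size_t i = 0; i < count; i++) cb(&tbl[i], &bytes);
    return bytes;
}

char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Dual-format export: the same table is walked once per output stream.
 * Returns 1 when both passes wrote the same number of name bytes. */
int export_both_formats(size_t *per_pass) {
    Entry tbl[2] = { { dup_str("abc") }, { dup_str("sort_key") } }; /* constructed */
    size_t first = 0, second = 0;
    int ok = tbl[0].name != NULL && tbl[1].name != NULL;
    if (ok) {
        first = write_names(tbl, 2, cb_write_frees_scratch);  /* first stream  */
        second = write_names(tbl, 2, cb_write_frees_scratch); /* second stream */
    }
    free(tbl[0].name);           /* the owner frees once, after all passes */
    free(tbl[1].name);
    *per_pass = first;
    return ok && first == second;
}

int main(void) { size_t n; return export_both_formats(&n) ? 0 : 1; }
```

Running a save path like this under Valgrind or AddressSanitizer for every exporter that writes more than one stream catches the defective shape, since a single-stream export never reaches the second pass.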