After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 702101 - Gnumeric segfaults in colrow_foreach on a corrupted (fuzzed) xls file
Gnumeric segfaults in colrow_foreach on a corrupted (fuzzed) xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: General
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-06-12 14:52 UTC by jutaky
Modified: 2013-06-16 18:48 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-06-12 14:52:55 UTC 
Gnumeric segfaults in colrow_foreach on a corrupted (fuzzed) xls file.

Versions affected (at least): git 20130612 and 1.12.2

Test case: http://jutaky.com/fuzzing/gnumeric_case_19972_6578.xls

Backtrace: 

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78b5d6f in colrow_foreach (infos=0x850068, first=0, last=43516, callback=0x7ffff79734c0 <cb_check_array_horizontal>, 
    user_data=0x7fffffffe040) at colrow.c:217
217				iter.cri = segment->info[sub];
(gdb) bt

+ Trace 232038

  • #0 colrow_foreach
    at colrow.c line 217
  • #1 sheet_range_splits_array
    at sheet.c line 3436
  • #2 gnm_sheet_merge_add
    at sheet-merge.c line 74
  • #3 excel_read_MERGECELLS
    at ms-excel-read.c line 4861
  • #4 excel_read_sheet
    at ms-excel-read.c line 6684
  • #5 excel_read_BOF
    at ms-excel-read.c line 6981
  • #6 excel_read_workbook
    at ms-excel-read.c line 7071
  • #7 excel_enc_file_open
    at boot.c line 193
  • #8 excel_file_open
    at boot.c line 250
  • #9 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #10 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #11 go_file_opener_open
    at app/file.c line 417
  • #12 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #13 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #14 main
    at main-application.c line 321 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-06-12 19:28:11 UTC 
Yeah, that's bad.
Comment 2 Morten Welinder 2013-06-12 19:37:35 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
Comment 3 jutaky 2013-06-16 18:48:43 UTC 
This issue has been assigned CVE-id CVE-2013-4605.