Bug 702218 – Gnumeric segfaults on exit in unlink_single_dep on a corrupted (fuzzed) ods file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 702218 - Gnumeric segfaults on exit in unlink_single_dep on a corrupted (fuzzed) ods file


Summary:	Gnumeric segfaults on exit in unlink_single_dep on a corrupted (fuzzed) ods file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	General
Version:	git master
Hardware:	Other All

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-06-14 07:16 UTC by jutaky
Modified:	2013-06-14 13:24 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2013-06-14 07:16:32 UTC

The file appears to open without issues, but on exit segfault occurs in unlink_single_dep.

Git versions of glib, goffice, libgsf and gnumeric.

Test case: http://jutaky.com/fuzzing/gnumeric_case_15701_118.ods


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78d20e5 in unlink_single_dep (dep=0x8c29c0, pos=0x8c29e8, a=0x89af08) at dependent.c:907
907		single = g_hash_table_lookup (deps->single_hash, &lookup);
(gdb) bt

+ Trace 232054

#0 unlink_single_dep
at dependent.c line 907
#1 link_unlink_single_dep
at dependent.c line 924
#2 link_unlink_expr_dep
at dependent.c line 1061
#3 link_unlink_expr_dep
at dependent.c line 1056
#4 dependent_unlink
at dependent.c line 1529
#5 dependent_set_expr
at dependent.c line 412
#6 gnm_style_unlink_dependents
at mstyle.c line 1935
#7 rstyle_apply
at sheet-style.c line 318
#8 vector_apply_pstyle
at sheet-style.c line 939
#9 cell_tile_apply
at sheet-style.c line 1126
#10 cell_tile_apply
at sheet-style.c line 1166
#11 cell_tile_apply
at sheet-style.c line 1166
#12 cell_tile_apply
at sheet-style.c line 1166
#13 sheet_style_set_range
at sheet-style.c line 1357
#14 sheet_style_shutdown
at sheet-style.c line 763
#15 gnm_sheet_finalize
at sheet.c line 4566
#16 g_object_unref
at gobject.c line 3194
#17 workbook_sheet_delete
at workbook.c line 1096
#18 workbook_dispose
at workbook.c line 154
#19 g_object_unref
at gobject.c line 3157
#20 wbcg_close_if_user_permits
at wbc-gtk.c line 1811
#21 wbc_gtk_close
at wbc-gtk.c line 1858
#22 ??
from /usr/lib/libgtk-3.so.0
#23 _g_closure_invoke_va
at gclosure.c line 840
#24 g_signal_emit_valist
at gsignal.c line 3234
#25 g_signal_emit
at gsignal.c line 3382
#26 ??
from /usr/lib/libgtk-3.so.0
#27 gtk_main_do_event
from /usr/lib/libgtk-3.so.0
#28 ??
from /usr/lib/libgdk-3.so.0
#29 g_main_dispatch
at gmain.c line 3058
#30 g_main_context_dispatch
at gmain.c line 3634
#31 g_main_context_iterate
at gmain.c line 3705
#32 g_main_loop_run
at gmain.c line 3899
#33 gtk_main
from /usr/lib/libgtk-3.so.0
#34 main
at main-application.c line 383



--
Juha Kylmänen
Research Assistant, OUSPG

Comment 1 Andreas J. Guelzow 2013-06-14 07:47:58 UTC

I cannot replicate this. It opens fine (with a bunch of warnings on the console) and exits without a seg fault. (This is with git versions of goffice, libgsf and gnumeric and glib version 2.30.)

Comment 2 jutaky 2013-06-14 08:04:47 UTC

Here is an alternative test case which I suspects hits the same bug:
http://jutaky.com/fuzzing/gnumeric_case_15422_266.ods

If it makes any difference, I am on Arch linux (64bit).

Segfaults with nearly identical backtrace for me:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78d20f5 in unlink_single_dep (dep=0x915fa0, pos=0x915fc8, a=0x896150) at dependent.c:907
907		single = g_hash_table_lookup (deps->single_hash, &lookup);
(gdb) bt

+ Trace 232056

#0 unlink_single_dep
at dependent.c line 907
#1 link_unlink_single_dep
at dependent.c line 924
#2 link_unlink_expr_dep
at dependent.c line 1061
#3 dependent_unlink
at dependent.c line 1529
#4 dependent_set_expr
at dependent.c line 412
#5 gnm_style_unlink_dependents
at mstyle.c line 1935
#6 rstyle_apply
at sheet-style.c line 318
#7 vector_apply_pstyle
at sheet-style.c line 939
#8 cell_tile_apply
at sheet-style.c line 1126
#9 cell_tile_apply
at sheet-style.c line 1166
#10 cell_tile_apply
at sheet-style.c line 1166
#11 cell_tile_apply
at sheet-style.c line 1166
#12 sheet_style_set_range
at sheet-style.c line 1357
#13 sheet_style_shutdown
at sheet-style.c line 763
#14 gnm_sheet_finalize
at sheet.c line 4566
#15 g_object_unref
at gobject.c line 3194
#16 workbook_sheet_delete
at workbook.c line 1096
#17 workbook_dispose
at workbook.c line 154
#18 g_object_unref
at gobject.c line 3157
#19 wbcg_close_if_user_permits
at wbc-gtk.c line 1811
#20 wbc_gtk_close
at wbc-gtk.c line 1858
#21 ??
from /usr/lib/libgtk-3.so.0
#22 _g_closure_invoke_va
at gclosure.c line 840
#23 g_signal_emit_valist
at gsignal.c line 3234
#24 g_signal_emit
at gsignal.c line 3382
#25 ??
from /usr/lib/libgtk-3.so.0
#26 gtk_main_do_event
from /usr/lib/libgtk-3.so.0
#27 ??
from /usr/lib/libgdk-3.so.0
#28 g_main_dispatch
at gmain.c line 3058
#29 g_main_context_dispatch
at gmain.c line 3634
#30 g_main_context_iterate
at gmain.c line 3705
#31 g_main_loop_run
at gmain.c line 3899
#32 gtk_main
from /usr/lib/libgtk-3.so.0
#33 main
at main-application.c line 383

Comment 3 Morten Welinder 2013-06-14 13:02:14 UTC

==31745== Invalid read of size 8
==31745==    at 0x4EE5D2E: unlink_single_dep (dependent.c:897)
==31745==    by 0x4EE6A4B: link_unlink_expr_dep (dependent.c:924)
==31745==    by 0x4EE6C0E: link_unlink_expr_dep (dependent.c:1056)
==31745==    by 0x4EE739F: dependent_unlink (dependent.c:1529)
==31745==    by 0x4EE7814: dependent_set_expr (dependent.c:412)
==31745==    by 0x4F2E5D9: gnm_style_unlink_dependents (mstyle.c:1935)
==31745==    by 0x4F7D859: rstyle_apply (sheet-style.c:318)
==31745==    by 0x4F7DD8B: cell_tile_apply (sheet-style.c:939)
==31745==    by 0x4F7DAD5: cell_tile_apply (sheet-style.c:1166)
==31745==    by 0x4F7DAD5: cell_tile_apply (sheet-style.c:1166)
==31745==    by 0x4F7DAD5: cell_tile_apply (sheet-style.c:1166)
==31745==    by 0x4F7E707: sheet_style_set_range (sheet-style.c:1357)
==31745==    by 0x4F7E9EB: sheet_style_shutdown (sheet-style.c:763)
==31745==    by 0x4F4CC3C: gnm_sheet_finalize (sheet.c:4566)
==31745==    by 0x8768657: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x4F9329D: workbook_sheet_delete (workbook.c:1096)
==31745==    by 0x4F943CF: workbook_dispose (workbook.c:154)
==31745==    by 0x87685C3: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x4FF8E8B: dialog_quit (dialog-quit.c:443)
==31745==    by 0x87636FF: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877476F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C6DB: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C871: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x6DD0D82: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6DD1408: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x87636FF: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877476F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C2FA: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C871: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x6DCB5E4: gtk_accel_group_activate (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6DCCD7C: gtk_accel_groups_activate (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6FFAB47: gtk_window_activate_key (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6FFABD8: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6EB5FD8: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x87636FF: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x87744EF: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C2FA: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C871: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x6FDE37D: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6EB41B4: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==  Address 0x131bbf00 is 400 bytes inside a block of size 488 free'd
==31745==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31745==    by 0x8783944: g_type_free_instance (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x4F9329D: workbook_sheet_delete (workbook.c:1096)
==31745==    by 0x4F943CF: workbook_dispose (workbook.c:154)
==31745==    by 0x87685C3: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x4FF8E8B: dialog_quit (dialog-quit.c:443)
==31745==    by 0x87636FF: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877476F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C6DB: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C871: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x6DD0D82: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6DD1408: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x87636FF: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877476F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C2FA: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C871: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x6DCB5E4: gtk_accel_group_activate (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6DCCD7C: gtk_accel_groups_activate (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6FFAB47: gtk_window_activate_key (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6FFABD8: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6EB5FD8: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x87636FF: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x87744EF: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C2FA: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x877C871: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3200.4)
==31745==    by 0x6FDE37D: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6EB41B4: ??? (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x6EB5CB2: gtk_main_do_event (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x7407621: ??? (in /usr/lib64/libgdk-3.so.0.400.4)
==31745==    by 0x89EB3B4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3200.4)
==31745==    by 0x89EB6E7: ??? (in /usr/lib64/libglib-2.0.so.0.3200.4)
==31745==    by 0x89EBAE1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3200.4)
==31745==    by 0x6EB5074: gtk_main (in /usr/lib64/libgtk-3.so.0.400.4)
==31745==    by 0x403B2D: main (main-application.c:383)

Comment 4 Morten Welinder 2013-06-14 13:24:26 UTC

This actually was a dependency tracking problem related to conditional
styling.


This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.