After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 702288 - Stack buffer overflow on a corrupted (fuzzed) ods file in print_info_load_defaults
Stack buffer overflow on a corrupted (fuzzed) ods file in print_info_load_def...
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
git master
Other Linux
: Normal critical
: ---
Assigned To: Andreas J. Guelzow
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-06-14 20:42 UTC by jutaky
Modified: 2013-06-15 07:23 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-06-14 20:42:17 UTC 
Stack buffer overflow on a corrupted (fuzzed) ods file in print_info_load_defaults.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_15001_331.ods

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff795e27b in print_info_load_defaults (res=0xe61491b3) at print-info.c:305
305		if (res->page_setup != NULL)
(gdb) bt

+ Trace 232066

  • #0 print_info_load_defaults
    at print-info.c line 305
  • #1 print_info_get_page_setup
    at print-info.c line 1365
  • #2 odf_page_layout_properties
    at openoffice-read.c line 5566
  • #3 push_child
    at gsf-libxml.c line 648
  • #4 lookup_child
    at gsf-libxml.c line 684
  • #5 gsf_xml_in_start_element
    at gsf-libxml.c line 758
  • #6 xmlParseStartTag__internal_alias
    at parser.c line 8612
  • #7 xmlParseElement__internal_alias
    at parser.c line 9975
  • #8 xmlParseContent__internal_alias
    at parser.c line 9885
  • #9 xmlParseElement__internal_alias
    at parser.c line 10058
  • #10 xmlParseContent__internal_alias
    at parser.c line 9885
  • #11 xmlParseElement__internal_alias
    at parser.c line 10058
  • #12 xmlParseContent__internal_alias
    at parser.c line 9885
  • #13 xmlParseElement__internal_alias
    at parser.c line 10058
  • #14 xmlParseDocument__internal_alias
    at parser.c line 10742
  • #15 gsf_xml_in_doc_parse
    at gsf-libxml.c line 1280
  • #16 openoffice_file_open
    at openoffice-read.c line 12012
  • #17 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #18 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #19 go_file_opener_open
    at app/file.c line 417
  • #20 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #21 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #22 main
    at main-application.c line 321 


--
Juha Kylmänen
Research Assistant, OUSPG

ps. I would greatly appreciate if my group and I got credit in the NEWS file as "Juha Kylmänen from OUSPG" for bugs 702101, 702126, 702182, 702197, 702205, 702218, 702219, 702267, 702277, 702285 and this one if this is a valid bug.
Comment 1 Morten Welinder 2013-06-15 01:12:10 UTC 
We'll get you credit somewhere, somehow.  Normally that would be in the
release announcement, but I need that space for an obituary.

Is there a (relevant) link to the group?


==5625== Conditional jump or move depends on uninitialised value(s)
==5625==    at 0x159A1077: odf_page_layout_properties (openoffice-read.c:5564)
==5625==    by 0x6B79938: lookup_child (gsf-libxml.c:684)
==5625==    by 0x6B79D06: gsf_xml_in_start_element (gsf-libxml.c:758)
==5625==    by 0x6DF0447: xmlParseStartTag (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFB747: xmlParseElement (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFA347: xmlParseContent (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFB662: xmlParseElement (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFA347: xmlParseContent (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFB662: xmlParseElement (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFA347: xmlParseContent (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFB662: xmlParseElement (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6DFC631: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.0)
==5625==    by 0x6B7B39A: gsf_xml_in_doc_parse (gsf-libxml.c:1280)
==5625==    by 0x159B2AC5: openoffice_file_open (openoffice-read.c:12016)
==5625==    by 0x53B4BC2: go_plugin_file_opener_open (go-plugin-service.c:685)
==5625==    by 0x4F9260E: workbook_view_new_from_input (workbook-view.c:1272)
==5625==    by 0x4F9285C: workbook_view_new_from_uri (workbook-view.c:1332)
==5625==    by 0x4033FC: main (main-application.c:321)
Comment 2 jutaky 2013-06-15 06:14:49 UTC 
Credit in the release announcement would be nice.

Link: https://www.ee.oulu.fi/research/ouspg/
Comment 3 Andreas J. Guelzow 2013-06-15 07:23:27 UTC 
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.