Bug 702833 – Buffer overflow in go_pattern_create_cairo_pattern on a corrupted (fuzzed) gnumeric file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 702833 - Buffer overflow in go_pattern_create_cairo_pattern on a corrupted (fuzzed) gnumeric file


Summary:	Buffer overflow in go_pattern_create_cairo_pattern on a corrupted (fuzzed) gn...


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	General
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Morten Welinder
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-06-21 19:51 UTC by jutaky
Modified:	2013-08-14 01:21 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2013-06-21 19:51:31 UTC

I don't know if this should have belonged to the goffice product or here. But I discovered a buffer overflow (identified by Address Sanitizer) via a fuzzed gnumeric file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Doesn't seem to affect goffice 0.10.2 and gnumeric 1.12.2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_31789_2117.gnumeric


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7551502 in go_pattern_create_cairo_pattern (pattern=0x7fffffffcc30, cr=0x1025830) at utils/go-pattern.c:329
329						color = pattern_data[i] & (1 << j) ? pattern->fore : pattern->back;
(gdb) bt

+ Trace 232125

#0 go_pattern_create_cairo_pattern
at utils/go-pattern.c line 329
#1 gnumeric_background_set
at pattern.c line 86
#2 item_grid_draw_background
at item-grid.c line 380
#3 item_grid_draw_region
at item-grid.c line 708
#4 goc_item_draw_region
at canvas/goc-item.c line 446
#5 goc_group_draw_region
at canvas/goc-group.c line 149
#6 goc_item_draw_region
at canvas/goc-item.c line 446
#7 goc_group_draw_region
at canvas/goc-group.c line 149
#8 goc_item_draw_region
at canvas/goc-item.c line 446
#9 goc_canvas_draw
at canvas/goc-canvas.c line 69
#10 ??
from /usr/lib/libgtk-3.so.0
#11 ??
from /usr/lib/libgtk-3.so.0
#12 g_type_class_meta_marshalv
at gclosure.c line 997
#13 _g_closure_invoke_va
at gclosure.c line 840
#14 g_signal_emit_valist
at gsignal.c line 3234
#15 g_signal_emit
at gsignal.c line 3382
#16 ??
from /usr/lib/libgtk-3.so.0
#17 gtk_widget_send_expose
from /usr/lib/libgtk-3.so.0
#18 gtk_main_do_event
from /usr/lib/libgtk-3.so.0
#19 ??
from /usr/lib/libgdk-3.so.0
#20 ??
from /usr/lib/libgdk-3.so.0
#21 ??
from /usr/lib/libgdk-3.so.0
#22 ??
from /usr/lib/libgdk-3.so.0
#23 ??
from /usr/lib/libgdk-3.so.0
#24 g_cclosure_marshal_VOID__VOIDv
at gmarshal.c line 115
#25 _g_closure_invoke_va
at gclosure.c line 840
#26 g_signal_emit_valist
at gsignal.c line 3234
#27 g_signal_emit_by_name
at gsignal.c line 3422
#28 ??
from /usr/lib/libgdk-3.so.0
#29 ??
from /usr/lib/libgdk-3.so.0
#30 g_timeout_dispatch
at gmain.c line 4443
#31 g_main_dispatch
at gmain.c line 3058
#32 g_main_context_dispatch
at gmain.c line 3634
#33 g_main_context_iterate
at gmain.c line 3705
#34 g_main_loop_run
at gmain.c line 3899
#35 gtk_main
from /usr/lib/libgtk-3.so.0
#36 main
at main-application.c line 383


--
Juha Kylmänen
Research Assistant, OUSPG

Comment 1 Andreas J. Guelzow 2013-06-22 01:25:48 UTC

I cannot replicate.

Comment 2 Jean Bréfort 2013-06-22 09:21:33 UTC

We have no protection against pattern == 25, which is invalid, the largest valid being 24. This file has some areas using it 25. In that case, we pattern_data points to an invalid area. Note that we only read there, not write. The fix is trivial. Hope it was that, feel free to reopen if not.

This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.

Comment 3 Morten Welinder 2013-08-14 01:21:34 UTC

See bug 705946.