After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 703215 - Segfault in xlsx_axis_crosses on a corrupted (fuzzed) xlsx file
Segfault in xlsx_axis_crosses on a corrupted (fuzzed) xlsx file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-06-27 19:44 UTC by jutaky
Modified: 2013-06-27 20:30 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-06-27 19:44:47 UTC 
Segfault in xlsx_axis_crosses on a corrupted (fuzzed) xlsx file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_25139_25453.xlsx

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe6b3a501 in xlsx_axis_crosses (xin=0x7fffffffceb0, attrs=0x109fd10) at xlsx-read-drawing.c:602
602			state->axis.info->cross_value = 0.;
(gdb) bt

+ Trace 232156

  • #0 xlsx_axis_crosses
    at xlsx-read-drawing.c line 602
  • #1 push_child
    at gsf-libxml.c line 648
  • #2 lookup_child
    at gsf-libxml.c line 684
  • #3 gsf_xml_in_start_element
    at gsf-libxml.c line 758
  • #4 xmlParseStartTag__internal_alias
    at parser.c line 8612
  • #5 xmlParseElement__internal_alias
    at parser.c line 9975
  • #6 xmlParseContent__internal_alias
    at parser.c line 9885
  • #7 xmlParseElement__internal_alias
    at parser.c line 10058
  • #8 xmlParseContent__internal_alias
    at parser.c line 9885
  • #9 xmlParseElement__internal_alias
    at parser.c line 10058
  • #10 xmlParseContent__internal_alias
    at parser.c line 9885
  • #11 xmlParseElement__internal_alias
    at parser.c line 10058
  • #12 xmlParseContent__internal_alias
    at parser.c line 9885
  • #13 xmlParseElement__internal_alias
    at parser.c line 10058
  • #14 xmlParseDocument__internal_alias
    at parser.c line 10742
  • #15 gsf_xml_in_doc_parse
    at gsf-libxml.c line 1289
  • #16 gsf_open_pkg_parse_rel_by_id
    at gsf-open-pkg-utils.c line 418
  • #17 xlsx_parse_rel_by_id
    at xlsx-read.c line 369
  • #18 xlsx_read_chart
    at xlsx-read-drawing.c line 1989
  • #19 push_child
    at gsf-libxml.c line 648
  • #20 lookup_child
    at gsf-libxml.c line 684
  • #21 gsf_xml_in_start_element
    at gsf-libxml.c line 758
  • #22 xmlParseStartTag__internal_alias
    at parser.c line 8612
  • #23 xmlParseElement__internal_alias
    at parser.c line 9975
  • #24 xmlParseContent__internal_alias
    at parser.c line 9885
  • #25 xmlParseElement__internal_alias
    at parser.c line 10058
  • #26 xmlParseContent__internal_alias
    at parser.c line 9885
  • #27 xmlParseElement__internal_alias
    at parser.c line 10058
  • #28 xmlParseContent__internal_alias
    at parser.c line 9885
  • #29 xmlParseElement__internal_alias
    at parser.c line 10058
  • #30 xmlParseContent__internal_alias
    at parser.c line 9885
  • #31 xmlParseElement__internal_alias
    at parser.c line 10058
  • #32 xmlParseContent__internal_alias
    at parser.c line 9885
  • #33 xmlParseElement__internal_alias
    at parser.c line 10058
  • #34 xmlParseDocument__internal_alias
    at parser.c line 10742
  • #35 gsf_xml_in_doc_parse
    at gsf-libxml.c line 1289
  • #36 gsf_open_pkg_parse_rel_by_id
    at gsf-open-pkg-utils.c line 418
  • #37 xlsx_parse_rel_by_id
    at xlsx-read.c line 369
  • #38 xlsx_sheet_drawing
    at xlsx-read-drawing.c line 2430
  • #39 push_child
    at gsf-libxml.c line 648
  • #40 lookup_child
    at gsf-libxml.c line 684
  • #41 gsf_xml_in_start_element
    at gsf-libxml.c line 758
  • #42 xmlParseStartTag__internal_alias
    at parser.c line 8612
  • #43 xmlParseElement__internal_alias
    at parser.c line 9975
  • #44 xmlParseContent__internal_alias
    at parser.c line 9885
  • #45 xmlParseElement__internal_alias
    at parser.c line 10058
  • #46 xmlParseDocument__internal_alias
    at parser.c line 10742
  • #47 gsf_xml_in_doc_parse
    at gsf-libxml.c line 1289
  • #48 xlsx_parse_stream
    at xlsx-read.c line 344
  • #49 xlsx_wb_end
    at xlsx-read.c line 3752
  • #50 gsf_xml_in_end_element
    at gsf-libxml.c line 844
  • #51 xmlParseEndTag1
    at parser.c line 8683
  • #52 xmlParseElement__internal_alias
    at parser.c line 10086
  • #53 xmlParseDocument__internal_alias
    at parser.c line 10742
  • #54 gsf_xml_in_doc_parse
    at gsf-libxml.c line 1289
  • #55 xlsx_parse_stream
    at xlsx-read.c line 344
  • #56 xlsx_file_open
    at xlsx-read.c line 4809
  • #57 go_plugin_loader_module_func_file_open
    at app/go-plugin-loader-module.c line 282
  • #58 go_plugin_file_opener_open
    at app/go-plugin-service.c line 685
  • #59 go_file_opener_open
    at app/file.c line 417
  • #60 workbook_view_new_from_input
    at workbook-view.c line 1272
  • #61 workbook_view_new_from_uri
    at workbook-view.c line 1332
  • #62 main
    at main-application.c line 321 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-06-27 20:30:51 UTC 
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.