Bug 705005 - Out-of-memory crash on saving a fuzzed gnumeric file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export other
Version: git master
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Morten Welinder
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2013-07-27 20:45 UTC by jutaky
Modified: 2013-07-28 06:13 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2013-07-27 20:45:33 UTC
Out-of-memory crash on saving a fuzzed gnumeric file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_32054_29.gnumeric

The file seems to open more or less okay. But File -> Save crashes.

Backtrace from ssconvert gnumeric_case_32054_29.gnumeric out.gnumeric

(/home/jutaky/fuzzing/apps/bin/ssconvert:21318): GLib-ERROR **: gmem.c:140: failed to allocate 276570351563102592 bytes

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff3b4b071 in g_logv (log_domain=0x7ffff3bd24e1 "GLib", log_level=G_LOG_LEVEL_ERROR, 
    format=0x7ffff3bd24c0 "%s: failed to allocate %lu bytes", args=0x7fffffffe0c8) at gmessages.c:989
989			G_BREAKPOINT ();
(gdb) bt
#0  g_logv at gmessages.c:989
#1  g_log at gmessages.c:1025
#2  g_malloc0 at gmem.c:139
#3  g_malloc0_n at gmem.c:369
#4  go_pixbuf_save at utils/go-pixbuf.c:88
#5  go_image_save at utils/go-image.c:757
#6  save_image_cb at app/go-doc.c:501
#7  g_hash_table_foreach at ghash.c:1526
#8  go_doc_write at app/go-doc.c:511
#9  gnm_xml_file_save_full at xml-sax-write.c:1459
#10 gnm_xml_file_save at xml-sax-write.c:1491
#11 go_file_saver_save_real at app/file.c:577
#12 go_file_saver_save at app/file.c:848
#13 wbv_save_to_output at workbook-view.c:1050
#14 wb_view_save_to_uri at workbook-view.c:1087
#15 wb_view_save_as at workbook-view.c:1123
#16 convert at ssconvert.c:788
#17 main at ssconvert.c:855

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Jean Bréfort 2013-07-28 06:13:05 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.

Actually, this could also occur on an attempt to display the fuzzed image.
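The backtrace in the report ends with go_pixbuf_save() asking g_malloc0_n() for 276570351563102592 bytes, and Comment 1 notes that displaying the fuzzed image can trigger the same abort. As an added example (not goffice's or Gnumeric's code, and not the fix referred to above), the C helper below assumes the request size was derived from untrusted image dimensions and shows the kind of bounded, overflow-checked size computation that turns such input into a clean rejection instead of a GLib allocation failure:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical cap on one pixel buffer (256 MiB); a real application would
   pick a limit suited to the images it expects. Constructed for this example. */
#define MAX_PIXBUF_BYTES ((size_t)256 * 1024 * 1024)

/* Size in bytes of a width x height image with n_channels bytes per pixel,
   where all three values are treated as untrusted (read from a file).
   Returns 0 if any value is zero, channels are out of range, the product
   would overflow size_t, or the result exceeds MAX_PIXBUF_BYTES; otherwise
   the validated byte count. */
size_t pixbuf_size_checked(uint64_t width, uint64_t height, uint64_t n_channels)
{
    if (width == 0 || height == 0 || n_channels == 0 || n_channels > 4)
        return 0;
    if (width > SIZE_MAX || height > SIZE_MAX)   /* matters on 32-bit size_t */
        return 0;
    size_t w = (size_t)width, h = (size_t)height, c = (size_t)n_channels;
    if (w > SIZE_MAX / c)             /* rowstride = width * channels */
        return 0;
    size_t rowstride = w * c;
    if (rowstride > SIZE_MAX / h)     /* total = rowstride * height */
        return 0;
    size_t total = rowstride * h;
    if (total > MAX_PIXBUF_BYTES)
        return 0;
    return total;
}

/* Allocate zeroed pixel storage only for a validated size. Unlike an
   unchecked g_malloc0_n(), absurd dimensions yield NULL rather than an abort. */
unsigned char *pixbuf_alloc_checked(uint64_t width, uint64_t height, uint64_t n_channels)
{
    size_t n = pixbuf_size_checked(width, height, n_channels);
    return n ? calloc(n, 1) : NULL;
}

int main(void)
{
    /* Constructed inputs: a plausible image and a fuzzed-looking dimension. */
    printf("640x480x4 -> %zu bytes\n", pixbuf_size_checked(640, 480, 4));
    printf("262144x263758x4 -> %zu bytes (0 = rejected)\n",
           pixbuf_size_checked(262144, 263758, 4));
    unsigned char *p = pixbuf_alloc_checked(640, 480, 4);
    free(p);
    return 0;
}
```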